[TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
Bryan A Ford <brynosaurus@gmail.com> Tue, 01 December 2015 16:22 UTC
Return-Path: <brynosaurus@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C39161ACDE7 for <tls@ietfa.amsl.com>; Tue, 1 Dec 2015 08:22:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JGg-vxM75rQT for <tls@ietfa.amsl.com>; Tue, 1 Dec 2015 08:22:18 -0800 (PST)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4CD51ACDA2 for <tls@ietf.org>; Tue, 1 Dec 2015 08:22:17 -0800 (PST)
Received: by wmww144 with SMTP id w144so20353910wmw.0 for <tls@ietf.org>; Tue, 01 Dec 2015 08:22:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:references:to:from:message-id:date:user-agent:mime-version :in-reply-to:content-type; bh=aeULmDYm6Dfy69tG8HTKrIpb4oTpOYY49InzjcG7tKE=; b=iWbclNxc7KLx4o8RNmDmI/z2DCWM/Ewm5d3Cx2bDRhE5VLsqSpnLJ+AyU7ReXXIRT3 8DU2/C9rhrdcMl9yiWWe72CF7qvzv8/EJMkoIbW72RIW6LACyvxMUfKoIQyhL6sYevlM P/Jg8NLmVNakWkwH8QISgy8TaGxl1jF2DY4npSWxAnfiMmMi68GWdeWjPN1Uq87NqMm6 DZdRXHncVkGMNT3tEeDCxU2f9Dwcirht7cdLgrhBqHgUQvSyH7pCU+L5U29LV9yqfvro PX0nFy8Bautv2o/7/HcvvHX0qTxutLJ1skndLHPgpZQ1ryzAfW2Qa8Vr80Dqfh7avEhf kt+g==
X-Received: by 10.28.68.133 with SMTP id r127mr37617099wma.71.1448986936052; Tue, 01 Dec 2015 08:22:16 -0800 (PST)
Received: from tsf-476-wpa-4-097.epfl.ch (tsf-476-wpa-4-097.epfl.ch. [128.179.180.97]) by smtp.gmail.com with ESMTPSA id z13sm51675566wjr.47.2015.12.01.08.22.14 for <tls@ietf.org> (version=TLSv1/SSLv3 cipher=OTHER); Tue, 01 Dec 2015 08:22:14 -0800 (PST)
References: <56586A2F.1070703@gmail.com> <FB2973EF-F16C-404A-980D-CA0042EC4AEB@gmail.com> <565DBC63.5090908@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
From: Bryan A Ford <brynosaurus@gmail.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <565DC935.2040607@gmail.com>
Date: Tue, 01 Dec 2015 17:22:13 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <565DBC63.5090908@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms070405090005090706030703"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/hF-eBKOpQof1YC_tY1roPT2jm5M>
Subject: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2015 16:22:21 -0000
Some of the parallel discussion on the SSH list - especially comments by Simon Tatham and Niels Möller - made me think of an alternative design that would not only hide TLS headers but also ensure that they are integrity-checked by the receiver *before* the receiver attempts to interpret the record header in any way. This alternative approach already feels to me like an improvement over my last one, and perhaps even those who are skeptical of the need to encrypt TLS headers might appreciate the desirability of closing vulnerabilities to length-fiddling attacks: e.g., where an attacker sets the high bit of the length field in the last TLS record so that the receiver will likely hang on a long read before detecting the change. Proposal: The basic idea is in some respects even simpler than the last one: 1. We move the TLS header from the "additional data" field to the start of the "plaintext" field. That is, the sender encrypts the header along with the payload, and the receiver decrypts and integrity-checks the header along with the payload, using the standard AEAD interface. The "additional data" field now contains *only* the sequence number, which both sender and receiver track and compute implicitly. 2. The 2-byte length field in each record's header no longer indicates the length of the *current* record but instead indicates the length of the *next* record. The length of the first record might be defined in a new field we add to the handshake/key-exchange protocol, or it might simply be set to some well-known standard first record size. That's basically it. The key advantage is that this way the receiver always "knows" the correct size of each record before having to read or interpret any part of it in any way. In fact, because the record is fully encrypted, the receiver implementation is basically forced to use the AEAD to decrypt and integrity-check the record before doing anything at all with it, which closes down not only the well-known length-fiddling attack that has dogged SSH, but a whole class of possible potential implementation bugs regarding the (delicate) handling of cleartext TLS headers before they've been integrity-checked. Basically, this ensures that if the receiver have any bugs in the handling of the TLS header, they can be exploited only by its communication partner, and not by an attacker in the middle of the path. To me this seems like a useful robustness benefit completely independent of the (also desirable) benefits with respect to traffic analysis. Choosing next-record lengths: Of course this approach presents the minor challenge that the sender must always "commit" to the length of the next record before sending the current one. But this challenge is pretty easy to deal with. The easiest way to handle it, of course, is if the sender simply pads all packets to the same record length - a solution I would generally be quite happy with due to its complementary traffic analysis resistance benefits, and I would even favor explicitly encouraging that solution in the TLS RFC. I would love it if the next TLS RFC ended up containing a clause of the form: The TLS sender SHOULD always transmit TLS records of length exactly X, unless this is deemed impractical due to overriding performance or bandwidth-efficiency considerations. ...where "X" is some reasonable value we discuss and decide on. But my (new) proposal does not require all TLS implementations to maintain a fixed record size. If the sender implementation wants to use variable-size records, it can still process batches of records written together normally up until the last record in the batch. But when processing the last record in a write - or in general the last record before "going idle" where it does not yet have a next record to send - the sender simply "picks something." That something might for example be a minimum record size, meaning the next record will be big enough to hold a "next record length" indicating a useful length, but will otherwise be basically a no-op record, so we'll pay the cost of an extra small record and AEAD encryption/decryption each time transmission resumes after being idle. Alternatively the sender of variable-length records might pick a "typical record size" as the next-record-size to transmit in the last record in a burst; that way once transmission resumes the next record can probably carry useful data, but might need padding if its committed size is larger than the amount of data to be transmitted. The (important) existence of the padding mechanism already added in TLS 1.3 makes this alternative possible. DTLS: Now there's still the important question of whether this (new) proposal could be made to work in the context of DTLS. For the DTLS case, my current thinking is that some elements of my earlier proposal is probably more suitable: namely using a stream cipher (or AEAD used as a stream cipher) to encrypt and recognize the explicitly-transmitted sequence numbers that DTLS needs. This could operate basically the same as I described in my earlier E-mail on this topic. Note that the length field is no longer a problem in DTLS as it is in TLS, because the receiver already gets the length of the datagram from UDP. Comments/discussion? Is the above more (or less) palatable than my previous proposal? Cheers Bryan
- [TLS] Encrypting record headers: practical for TL… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Roland Zink
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Roland Zink
- Re: [TLS] Encrypting record headers: practical fo… Tony Arcieri
- Re: [TLS] Encrypting record headers: practical fo… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bill Cox
- Re: [TLS] Encrypting record headers: practical fo… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Short, Todd
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Jim Schaad
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… John Mattsson
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- [TLS] Fully encrypted and authenticated headers (… Bryan A Ford
- Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
- Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Fully encrypted and authenticated heade… Martin Thomson
- Re: [TLS] Fully encrypted and authenticated heade… Viktor Dukhovni
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
- Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Mike Copley
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Stephen Farrell
- Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Ilari Liusvaara
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Eric Mill
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Martin Thomson
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
- Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
- Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Jeff Burdges
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum