IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

Eric Rescorla <ekr@rtfm.com> Tue, 15 August 2017 15:29 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E329E1321D8 for <tls@ietfa.amsl.com>; Tue, 15 Aug 2017 08:29:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.617
X-Spam-Level:
X-Spam-Status: No, score=-1.617 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QHYuvJneFuQX for <tls@ietfa.amsl.com>; Tue, 15 Aug 2017 08:29:04 -0700 (PDT)
Received: from mail-yw0-x232.google.com (mail-yw0-x232.google.com [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD7A1132332 for <tls@ietf.org>; Tue, 15 Aug 2017 08:29:03 -0700 (PDT)
Received: by mail-yw0-x232.google.com with SMTP id u207so6717356ywc.3 for <tls@ietf.org>; Tue, 15 Aug 2017 08:29:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=zIsIV9wrny+Wmm7e3qCDQSjVr80S+EvgWYMsya20WCI=; b=MCNqeHNluQLgD09Fl/TUoOWbeOI/yB5N7mek9koSDb+3u4O0GwGv5UaGA0YHRvZ67D XEhPrpvaRA7ebdPcLomyUD+E5FYbyl8Qt+NLIP7Gl9fort3Rl1N7D4ycGUtsKytypNkL GhrekEaThPo6hcLfMA/iy0aj1XyLFsNrCs2G46T+06R5pX0uNKI6IPy68Iyu/OJHQcgX E23hv1f7eqoPjbL9weHMybKXjeyQgtYPCpIi86oXTEOCoItGkf2S1rv+XmjongByZwnL 8JE6VXXBwWMwo8K5UdgSUbRXXyw3CjjdJK61CuuetL0bjnuNBhdulE3siQqXlNwvcf9k apJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=zIsIV9wrny+Wmm7e3qCDQSjVr80S+EvgWYMsya20WCI=; b=AZ5Z1WY94FOEgk9a68/1rsavURAjYYbvy8DKKCiSkos/5rTGJDeBe0ZhxsTUhjFSOR xiYZL34/YfnLjYi/hINwLtqg0MKrsQtgxfmA6QyYUP/Phg5ma1htF8QZI16HNb7WsYSw bZZZeIQsW2DiJKXuZ9lWbYIlGdyT2umffNE3c1qAMb3s9Unfg5fu47Up67oHvIA6EDZP 6vha7QgQzGaifaUfuK9Km7iEAKgpvbDfBcvrfcP4Ywn/EgAjFsifBTiSF9YtLMavzXUX QSR7QtDVZeBm6i1FT/tt+VtIH6m7ZP9f6mLAznLn5xSRLJdipADeiRlmpfkiCFEb0pag p8ug==
X-Gm-Message-State: AHYfb5jUzz6uSHDLtaIVkICYeTFQMoBAS9ClkRwZ1k2OIru0iCeQatJw 6jnjc3tfqahFcRnwb/7IPvyFDKgxpD5F
X-Received: by 10.37.248.12 with SMTP id u12mr23211449ybd.248.1502810943077; Tue, 15 Aug 2017 08:29:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.218.130 with HTTP; Tue, 15 Aug 2017 08:28:22 -0700 (PDT)
In-Reply-To: <20170815135415.rxupa7zixqs3tt7c@LK-Perkele-VII>
References: <1502460670.3202.8.camel@redhat.com> <1853204.q6hYlzKLln@pintsize.usersys.redhat.com> <20170815135415.rxupa7zixqs3tt7c@LK-Perkele-VII>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 15 Aug 2017 08:28:22 -0700
Message-ID: <CABcZeBN=t8nWW9bhCgNst=of5uwHWrLWtadN00RCnJ=MnSzfuQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Hubert Kario <hkario@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045db8666d487f0556cc70e6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/he2cuWtTEOTETAl-amnTaFUu63c>
Subject: Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 15:29:07 -0000

I generally agree with Ilari. To recap what I said on the PR:
I think it would be fine to sharpen the point about padding leaking
information and I'd take a short PR for that. I don't believe it's
necessary either to require that it be constant time (for the reasons I
indicated on-list and already documented in the spec) or to describe a
specific algorithm, especially at this point on the document life cycle.

-Ekr



On Tue, Aug 15, 2017 at 6:54 AM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Tue, Aug 15, 2017 at 03:31:56PM +0200, Hubert Kario wrote:
> > I've created a Pull Request that introduces requirement for constant time
> > processing of padding and an example on how to do it:
> >
> > https://github.com/tlswg/tls13-spec/pull/1073
>
> -1
>
> Except doing the depad in constant-time is useless if you just re-
> introduce the timing leaks at the next step. Actually not introducing
> timing leaks in TLS library requires special API for passing the data
> to application... API that has had no reason to exist so far, and is
> more complicated to use than current read or zerocopy callback APIs.
>
> And even if you have such special API, it is extremely doubtful how
> many applications could use it correctly. Constant-time processing of
> variable-length data is extremely hard (LUCKY13 anyone?)
>
> Oh, and then there are timing leaks when sending data too...
>
>
> -Ilari
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email