Re: [TLS] proposal to encrypt ContentType for TLS 1.3

Fabrice Gautier <fabrice.gautier@gmail.com> Mon, 07 July 2014 20:30 UTC

Return-Path: <fabrice.gautier@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF4201B28E3 for <tls@ietfa.amsl.com>; Mon, 7 Jul 2014 13:30:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5llo98vSiQqH for <tls@ietfa.amsl.com>; Mon, 7 Jul 2014 13:30:03 -0700 (PDT)
Received: from mail-wg0-x22f.google.com (mail-wg0-x22f.google.com [IPv6:2a00:1450:400c:c00::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49C031B28F3 for <tls@ietf.org>; Mon, 7 Jul 2014 13:30:03 -0700 (PDT)
Received: by mail-wg0-f47.google.com with SMTP id l18so2305812wgh.30 for <tls@ietf.org>; Mon, 07 Jul 2014 13:30:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=hcyBhTgBLmJ301wsSiLXOqK49Qse06/bVdH1zeSxy4s=; b=MT81n0K5ayyu8wlEvbyq3AAS9VDRBbq+LXfXDVHg4YVem5aHgmA2kMdDUY/GAa7prw VS7PB4I757av9Al+7jFlXZveR1ViCmKIZel+9vc1uckbDn3+VStJTSB0eFLd/bRxKk+b zDI0zXn0mxYBQY0ah1bixr0OTG1YQEtTdbwU3tI59+L1Qi5L0aA7AuLaDJhcZqDd40Dh FWVuhm2IEad8r4JxAcmj/51N5hdmHLzw8Tfu7lilCH/pN9EMD0IGG+q3sIK3ifmGezw6 Zyz/hN2gbIbyQMp1eIOAMlkjotLSdIeavl40X54wpp03aJc33Ibgc+zid1zYoPpzTfIg AnIQ==
X-Received: by 10.180.75.75 with SMTP id a11mr77146601wiw.3.1404765001885; Mon, 07 Jul 2014 13:30:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.217.38.82 with HTTP; Mon, 7 Jul 2014 13:29:41 -0700 (PDT)
In-Reply-To: <53B331A5.2040908@fifthhorseman.net>
References: <53B331A5.2040908@fifthhorseman.net>
From: Fabrice Gautier <fabrice.gautier@gmail.com>
Date: Mon, 7 Jul 2014 13:29:41 -0700
Message-ID: <CANOyrg-_xTvdrCdJDhttNMNL=LFPPsC4e_aKWnaJKWbaNDgp+A@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/hxYua4IjWzOjz6POXzX6ieWq9d0
Cc: IETF TLS WG <tls@ietf.org>
Subject: Re: [TLS] proposal to encrypt ContentType for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jul 2014 20:30:12 -0000

If I'm reading this properly, there would be two types of records on
the wire: TLSCiphertext and TLSPlaintext.
However, I don't see a very reliable, documented way to distinguish
between the two on the wire.

I assume that the intention is to distinguish based on the state of
the TLS handshake. i.e.: the record until the first CCS (included) are
TLSPlaintext records, the ones after that are TLSCiphertext records.

I can see a couple scenario where this could be a problem:
- In some case, the piece of code that does the parsing has no
knowledge of the state of the TLS handshake (this is similar to Martin
Rex objection, I think)
- In DTLS, records maybe dropped, received out of order, received
multiple times, etc, so TLSPlaintext and TLSCiphertext records aybe
intermixed, without a clear switchover point. This would make
efficient DTLS difficult.

In practice, I note that, if the ProtocolVersion field stays, it would
be fairly easy to disambiguate TLSCiphertext from TLSPlaintext based
on the first byte, as long as the first byte of the version stays 0x3,
and 0x3 is never a valid ContentType. Except in situations where the
first byte is already overloaded (i.e.:  RFC 5764).

If the ProtocolVersion field is also removed, then there will be
ambiguity between a TLSPlaintext record and a TLSCiphertext of a
specific size.

If the record format needs to change, I suggest allocating a new
reserved ContentType to indicate TLS 1.3 records of all type, and have
the actual content type in the encrypted portion.

I guess that the resulting implementations would not be that different
from what implementations have to do today to support SSL2 ClientHello
records on the server side. (In that case you can tell SSL2 records
because the first byte is 0x80 for SSL2)


In any case, whatever the final TLS 1.3 record format(s) look like, I
hope someone spend some time explaining how an implementer is supposed
to reliably distinguish between the various types of records (SSL2,
TLS 1.2, TLS 1.3) in both the TLS and DTLS scenarios.



On Tue, Jul 1, 2014 at 3:09 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> hey folks--
>
> i just opened a pull request to propose that the TLS ContentType (when
> actually using a proper cipher) should itself be encrypted, rather than
> in the clear:
>
>  https://github.com/tlswg/tls13-spec/pull/51
>
> As the main commit in this request says:
>
>>     Move Content Type inside encryption
>>
>>     Previous versions of TLS have left the Content Type in the clear
>>     without justifying the exposure of this piece of information.
>>
>>     This change moves the Content Type inside the encryption to protect
>>     its confidentiality.
>>
>>     For backward compatibility during the initial handshake negotiation,
>>     we need to keep the type field at its original location on the wire
>>     for cleartext packets.  This means redefining the NULL_NULL case to
>>     not simply be an pseudo-cipher that implements the identity
>>     transformation, but to explicitly state it as sending the TLSPlaintext
>>     struct directly over the wire.
>
> I'd be interested in feedback on this suggestion.
>
> Having the content-type encrypted would mean that TLS alerts,
> handshakes, and application data would be indistinguishable from one
> another to an observer, once a ChangeCipherSpec had taken place.
>
> This also opens the way to consider the creation of other content types
> (e.g. "padded application data") without having to decide whether the
> exposure of a novel ContentType to an observer is itself a risk.
>
> If this change is made, it's also relatively easy to just drop the TLS
> version field for each encrypted TLS record layer fragment.
>
> All the best,
>
>         --dkg
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>