IETF Logo Mail Archive

Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)

Jacob Appelbaum <jacob@appelbaum.net> Thu, 03 December 2015 16:15 UTC

Return-Path: <jacob@appelbaum.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E05CE1A8AFB for <tls@ietfa.amsl.com>; Thu, 3 Dec 2015 08:15:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5YIS7rnaiz1p for <tls@ietfa.amsl.com>; Thu, 3 Dec 2015 08:15:42 -0800 (PST)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95D481A88C8 for <tls@ietf.org>; Thu, 3 Dec 2015 08:15:42 -0800 (PST)
Received: by ioir85 with SMTP id r85so86109745ioi.1 for <tls@ietf.org>; Thu, 03 Dec 2015 08:15:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=appelbaum-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=b7nJcXc0TaSClG4M3KBe2RehcOVR5QwzXpoFzCOB8Sc=; b=usXCrBz7CWDQizud/22yHv5jK9OmSCieoGOv2abbZkUQEo/s6u19tGJmu2VsFbadHo k0W37RWvHUzaZzwzg514766dEsh8+EVMylYyXbQ9aRTGM5V6tdilqTz1uLyV/lBG4IsB EoStSGysO5Sg9o9UXcRMjQpSW4fezYVpoI+Egzmgqt0sUIlvQsmy14TReIeYUQXcrWwd oRZZc4XS8gcdKH3mzbnPKF15iLigaxZqpLMd48Li/DAQGbz2+dyj2+3pKBDM/OVnoVcH 7j3yvg0mTNno1Ug2DiGjj7x7G6wvkyV4BJTICx6m16YQOUdxLDUOHut7O0sD+N0G8Ixg EPJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=b7nJcXc0TaSClG4M3KBe2RehcOVR5QwzXpoFzCOB8Sc=; b=PPwLDfWR9VY/5ywj+DWnngdOWAT4W7qmKFzNwJNHL2KKkUwmiMfKFaSGueYeYsZIw9 HZv53erUehRo7ehwmfA7/SkhwayCBCSrUixKdc4mdu1hfctWRsJTq3XXPS0ckzTc3bJj RpMClEyg1W4uPXNGewtmNhjA++ICPxLx4SjytjxdEjcgKVwW5170H3yuC5M8FChqqWcb YiO7z7c2M8Swh7Od7dDg6VsevFQWpxxgpeCHPXkKnEiU11vKzU7lzmGCVjZlZ997KCZ7 Ou6j/gJp0FnfFlk4ad7TX/Mf7v5vWO0awJE9o7ky+NHfkeSFeXA5s4Az+DedC/4uPYbm o4EA==
X-Gm-Message-State: ALoCoQlirLFdMHyDtxKuBd+Y+4UqwlF9VZNFYJEZ2cNFJJaVGgatdKMZrskPBS3lkItDF2V0KPDJ
MIME-Version: 1.0
X-Received: by 10.107.137.19 with SMTP id l19mr8512449iod.138.1449159342080; Thu, 03 Dec 2015 08:15:42 -0800 (PST)
Received: by 10.79.70.71 with HTTP; Thu, 3 Dec 2015 08:15:41 -0800 (PST)
X-Originating-IP: [185.10.71.107]
In-Reply-To: <CACsn0cmHyP5SvngFXBx=Ne9z7aAshneH4NK4PXYM+GxMWiroaA@mail.gmail.com>
References: <56586A2F.1070703@gmail.com> <FB2973EF-F16C-404A-980D-CA0042EC4AEB@gmail.com> <565DBC63.5090908@gmail.com> <565DC935.2040607@gmail.com> <CABkgnnUoyVPC5QVc=ErzAm6DR8usjBw5scc==o4=-XaBoK5AWQ@mail.gmail.com> <9BFA68AB-9677-4BE7-8F5E-D1A66EF95BA5@gmail.com> <CABcZeBMuSeis6KNQ-D_ZAfKmWb7Ts_Lq=QM0z6YWVSSUwueZmg@mail.gmail.com> <CAFggDF1SHzU_w30Rk469G2ypTx-pRVsFexv9JHSQdAMJTf5xLQ@mail.gmail.com> <CABcZeBP2eyncPVkRMMbBk7ysco++-E9oiiu7JHOjs73wS=R5og@mail.gmail.com> <CAFggDF17f4N=+x9hf1RFFjwcnG9j2XKLia659KUuFmXVhsDZKg@mail.gmail.com> <CACsn0cmHyP5SvngFXBx=Ne9z7aAshneH4NK4PXYM+GxMWiroaA@mail.gmail.com>
Date: Thu, 03 Dec 2015 16:15:41 +0000
Message-ID: <CAFggDF0mqMo8tBEUnwJ_c1_T6B7M6bVj6L2fsm_v_6tT-c1fiw@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/k1x03tRAIdKo_BMo6p-5coUBm1M>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2015 16:15:45 -0000

On 12/3/15, Watson Ladd <watsonbladd@gmail.com> wrote:
> On Thu, Dec 3, 2015 at 6:36 AM, Jacob Appelbaum <jacob@appelbaum.net>
> wrote:
>> On 12/2/15, Eric Rescorla <ekr@rtfm.com> wrote:
>>> On Wed, Dec 2, 2015 at 7:34 AM, Jacob Appelbaum <jacob@appelbaum.net>
>>> wrote:
>>>
>>>> On 12/2/15, Eric Rescorla <ekr@rtfm.com> wrote:
>>>> > On Wed, Dec 2, 2015 at 1:07 AM, Bryan Ford <brynosaurus@gmail.com>
>>>> wrote:
>>>> >
>>>> >> On 02 Dec 2015, at 06:02, Martin Thomson <martin.thomson@gmail.com>
>>>> >> wrote:
>>>> >> > On 1 December 2015 at 08:22, Bryan A Ford <brynosaurus@gmail.com>
>>>> >> > wrote:
>>>> >> >> The 2-byte length field in each record's header no longer
>>>> >> >> indicates
>>>> >> >> the length of the *current* record but instead indicates the
>>>> >> >> length
>>>> of
>>>> >> >> the *next* record.
>>>> >> >
>>>> >> > Ensuring that you know the length of the *next* record is
>>>> >> > difficult
>>>> >> > and could dramatically degrade latency, or adding extra bogus
>>>> >> > padding
>>>> >> > or extra bogus records.  For instance, I can always send in bursts
>>>> >> > of
>>>> >> > two packets, a one octet packet that promises the remainder of the
>>>> >> > burst and one that promises a single octet packet.  At that point,
>>>> >> > I
>>>> >> > get to do what I've always done and you have gained little other
>>>> >> > than
>>>> >> > an increase in packet size of around 19 octets (best case).
>>>> >>
>>>> >> That type of inefficiency is extremely easy to avoid; please read
>>>> >> the
>>>> >> rest
>>>> >> of my proposal where I discussed exactly that at length.  Yes, a
>>>> >> particularly stupid implementation could send everything in bursts
>>>> >> of
>>>> two
>>>> >> packets, but it’s ridiculously easy for a slightly smarter
>>>> implementation
>>>> >> to avoid doing that.  And what you’ve gained is complete encryption
>>>> >> and
>>>> >> integrity-checking of the whole TLS record before any part is
>>>> >> interpreted,
>>>> >> which seems like a nontrivial security improvement.
>>>> >
>>>> >
>>>> > It's not really clear to me what the anti-traffic-analysis benefit of
>>>> your
>>>> > proposal
>>>> > is over and above just padding everything to a fixed size. That's
>>>> certainly
>>>> > far
>>>> > easier for the implementation to do, especially in typical stacks
>>>> > where
>>>> the
>>>> > application just calls SSL_Write (or whatever) and so there's no
>>>> > obvious
>>>> > API point to provide the "next length", so as a practical matter the
>>>> stack
>>>> > will very often if not always be in "last block" mode.
>>>> >
>>>>
>>>> I think that it eliminates all static distinguisher in the protocol
>>>> for all data covered by the encryption. That is a fantastically
>>>> wonderful benefit.
>>>
>>>
>>> Wouldn't that benefit be equally achieved by simply padding all records
>>> to a fixed length? You could do this with no protocol change and, as I
>>> said, it's far easier for the implementation.
>>>
>>
>> Padding is potentially useful but has two issues that come to mind
>> which are both non-issues in most cases. The first is the economic
>> cost for extra bytes and the second is the security of the padding
>> scheme.
>>
>> Padding strategies are a complement super encryption but probably not
>> a replacement. Padding protects against one set of attackers (bean
>> counters) and super encryption provides confidentiality against
>> another set of attackers (GPA/APA).
>
> But as several people have noted, encrypting record lengths doesn't
> actually protect the lengths of the records
> as well as you think it does.

I think it protects the length data exactly as much as it does. :-)

It doesn't solve the problem that for a given TCP flow, we'll have a
byte counter, of course. That is also why I'm quite interested in DTLS
with super encryption. Especially with users roaming across networks,
I'm hopeful that we'll blind partial view attackers even more than
ever.

> Timing packets is not some exotic and
> unavailable technology. I don't understand what
> attacks padding and introduction of dummy packets doesn't defend
> against that encryption of record lengths does.

We should also ensure that we have padding and dummy packets, of course.

Still I don't see that we'll turn TLS into ATM nor do I believe that
we understand an optimal padding strategy. I think you are correct
that an attacker with a clock and a bean counter is a valid problem. I
also think that the more state we force an attacker to hold, the more
expensive it becomes to perform correlated traffic analysis across
global networks.

Super encryption of records also means that accidents at one layer may
not be as catastrophic at another layer.

All the best,
Jacob

v2.23.0 | Report a Bug | By Email