[TLS] Analysis of encrypting the headers - what is the length
"Jim Schaad" <ietf@augustcellars.com> Fri, 04 December 2015 20:59 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D1291A1B20 for <tls@ietfa.amsl.com>; Fri, 4 Dec 2015 12:59:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id beIW6R_V9Z_Z for <tls@ietfa.amsl.com>; Fri, 4 Dec 2015 12:59:18 -0800 (PST)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 290441A007C for <tls@ietf.org>; Fri, 4 Dec 2015 12:59:18 -0800 (PST)
Received: from hebrews (winery.augustcellars.com [206.212.239.129]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id 61FDF38F00 for <tls@ietf.org>; Fri, 4 Dec 2015 12:59:17 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: tls@ietf.org
Date: Fri, 04 Dec 2015 12:56:31 -0800
Message-ID: <11f501d12ed6$41150270$c33f0750$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdEu0JalwPblztfJSXu/VFHTM/aR9A==
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/lQ5MNj9uKE9yUZnipvc_f0qCg1s>
Subject: [TLS] Analysis of encrypting the headers - what is the length
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 20:59:20 -0000
I will start by re-iterating my initial position that I would prefer that the DTLS and TLS analysis is going to be the same in terms of masking the header information. So I decided to do some thought experiments about what happens if the length were to be encrypted and how many different situations does this not appear to help the situation. DTLS - Given that most DTLS situations are going to want to keep the block of data sent small, there is no to little incentive to send multiple DTLS blocks in a single UDP packet. This means that the length of the encrypted data is going to be easily found based on the length of the UDP packet. One can probably make some significantly accurate guesses about what the header fields are going to be for a DTLS packet, but I would assume that even if the key could be determined it would not compromise the keys used in protecting the D/TLS content itself. TLS w/ lock step protocol - Think about using TLS with a lock step protocol such as exists for POP where you always have a situation where the client sends a request and the server sends a response. Even with the length field encrypted a traffic analysis is going to be able to determine the length of all of many of the messages based on the amount of data that is flowing from each of the end-points. Thus with POP I can make a good guess about the length your password just by looking at the traffic being sent in terms of raw byte counts even without the length being directly available. TLS w/ time breaks between operations - Think about doing browsing on a web site. I read a page, which takes time, and then I click a link. Looking just at the traffic flow I can make a really good guess about the length of the link that you just sent to the server based on the number of bytes that are sent from the client to the server before the server starts chattering. Any protocol where there are going to be times where there is silence followed by a request and then responses is going to all for a relatively easy guess about the length of the request based just on the number of bytes in the stream. These are all situations where if one say - My attack model is that exposing the length of the encrypted data allows the attacker to obtain significant information about what I am sending - then the simple expedient of encrypting the header information is clearly insufficient to deal with the attack proposed. Additional steps need to be taken as well. For example sending all of the randomly updating adware back on the same TLS channel to prevent time breaks from occurring. (What a horrid idea of using adware as a method of preventing attacks.) I believe that this is the type of analysis that Peter is looking for in terms of what is the attack you are trying to prevent, what does the proposed remedy actually do what you think it does. The situations above would all appear to be better dealt with padding of the plain text in some manner rather than encrypting the length field. Jim
- [TLS] Analysis of encrypting the headers - what i… Jim Schaad
- Re: [TLS] Analysis of encrypting the headers - wh… Christian Huitema
- Re: [TLS] Analysis of encrypting the headers - wh… Bryan A Ford
- Re: [TLS] Analysis of encrypting the headers - wh… Jim Schaad