Re: [TLS] potential attack on TLS cert compression
Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 22 March 2018 17:20 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 820EF126B6D for <tls@ietfa.amsl.com>; Thu, 22 Mar 2018 10:20:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F2g0ka0kwjcG for <tls@ietfa.amsl.com>; Thu, 22 Mar 2018 10:20:05 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B5C4126579 for <tls@ietf.org>; Thu, 22 Mar 2018 10:20:04 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 6C7B481837; Thu, 22 Mar 2018 19:20:03 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id pl5ufqBR5N8M; Thu, 22 Mar 2018 19:20:03 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 1C18A79; Thu, 22 Mar 2018 19:20:00 +0200 (EET)
Date: Thu, 22 Mar 2018 19:19:59 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Subodh Iyengar <subodh@fb.com>
Cc: David Benjamin <davidben@chromium.org>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20180322171959.GA23663@LK-Perkele-VII>
References: <MWHPR15MB1821D5D75667B3C8F4132A1EB6A90@MWHPR15MB1821.namprd15.prod.outlook.com> <CAF8qwaBgpMnQ=dNgMOZrQRGwQUEswQiz6hDkyNiDVJXvh36X6A@mail.gmail.com> <MWHPR15MB18214B1DCADF9369915DCE0CB6A90@MWHPR15MB1821.namprd15.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <MWHPR15MB18214B1DCADF9369915DCE0CB6A90@MWHPR15MB1821.namprd15.prod.outlook.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nXX9qS0lI6bSyB-kmlYa8naRTag>
Subject: Re: [TLS] potential attack on TLS cert compression
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 17:20:06 -0000
On Thu, Mar 22, 2018 at 05:11:33PM +0000, Subodh Iyengar wrote: > Ya I think you have the right idea. The former attack is the one > that I'm more concerned about, i.e. compression libraries almost > always provide streaming interfaces. Another case is that TLS > implementations which are the users of some decompression api > might also provide the frames to the decompression library in > non-deterministic order. I could understand bugs like that in DTLS (and those are unlikely even there), but not TLS 1.3. The TLS 1.3 datastream is always processed in-order. > With draft-25 we've authenticated the record header so the > attacker can't force the data to be processed in a different > chunking than the server which is why I mentioned that the only > leverage the attacker has is timing. We missed the draft-23 > bus on pointing out the attack 😊 The fixes in draft-25 only concern changing the ignored parts of the record header. The implicit sequence numbers prevent reordering in TLS 1.3 (and have for a long time). > Compression libraries can get complicated especially ones > that use multiple cores do speed up decompression. Multithreading with language that can not reason about multithreading (or other forms of concurrency) is hard. And very few languages can reason about multithreading. > I admit this depends on the implementation and various other magic > factors, however it seems unfortunate to base the security of TLS > on the security of the decompression function and the way that an > implementation might use the decompression function, when there > seems to be a simple? way to solve it. AFAIK, Altering handshake messages for handshake transcript in the middle of it is unprecidented in TLS. -Ilari
- [TLS] potential attack on TLS cert compression Subodh Iyengar
- Re: [TLS] potential attack on TLS cert compression David Benjamin
- Re: [TLS] potential attack on TLS cert compression Ilari Liusvaara
- Re: [TLS] potential attack on TLS cert compression Subodh Iyengar
- Re: [TLS] potential attack on TLS cert compression Subodh Iyengar
- Re: [TLS] potential attack on TLS cert compression Ilari Liusvaara
- Re: [TLS] potential attack on TLS cert compression Thomas Pornin
- Re: [TLS] potential attack on TLS cert compression Victor Vasiliev
- Re: [TLS] potential attack on TLS cert compression Alex C
- Re: [TLS] potential attack on TLS cert compression Salz, Rich