Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size
Eric Rescorla <ekr@rtfm.com> Fri, 11 August 2017 15:58 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F14E127601 for <tls@ietfa.amsl.com>; Fri, 11 Aug 2017 08:58:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KwfDNK8bUUbx for <tls@ietfa.amsl.com>; Fri, 11 Aug 2017 08:58:39 -0700 (PDT)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6983713201A for <tls@ietf.org>; Fri, 11 Aug 2017 08:58:39 -0700 (PDT)
Received: by mail-yw0-x233.google.com with SMTP id l82so24688454ywc.2 for <tls@ietf.org>; Fri, 11 Aug 2017 08:58:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+G23g2pGx5brUoYS80MDZR7UkPGWBO5WXkuQb3eaITo=; b=pw2s2nJ92ekE8D9QhdWMut7RtRy5TqlBEwHfyv9gNOy//aNMTmgaYSVZIRhs4/cvzB meE6HZpQ+rnhyxuP4cWXKsmC1/QIa2nV8JaPphm9fWw+fR0W3j3nhIJ5y51QmXi//nlf Y8sl3/206sYgvZcFB0IqmzpAmLRjSI212SbZ5WKBgVkEnWVrHAIMsXgMyTdx1wpLLU1Q IGOhhKHpYM0K9ySvr5VFZCzz8Ig3bVvJrVo4kU320PyaS6Qz7nsMo+9fQmE3UWKkoBcI s/57FTeLGZUz+gAJoCCncoa8fXVeBESC45/KQQP6XdNUID/pyu+18+WcWoHuxRgtHvcV cVEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+G23g2pGx5brUoYS80MDZR7UkPGWBO5WXkuQb3eaITo=; b=evGUgN41OTxj6kV62AtprZXh7lvqm+kIhZ2S9mYSD6c6J7yHvCs7caQw0mrIN6DPqt HiAEiod5aKzaNdEMfiajDvZgRLTtBNMakFLE/WlyVPxh3eUlpPqSeB78U0Dhdg1y/cYh odqiX1T0gVWAcJR6FokzOHuCp6iNgMqLyajqDyYW4TCNYukOVr084DVru+xhc/ZMIyP2 gK12TGNLNHNVXvj9Og36YBqDo7qjCU2REPHIrNFMz3TjIInOuUZAtVU5Tao+pG+ze0CR yYRSJtLSgKBYewkVMJOyI+/ijJelNYhqdp9mhH3tBgrfRmwxMF1PV9yDDHUc+g09jJND bl3A==
X-Gm-Message-State: AHYfb5g5khyHT1Hv5z/nFwetnA5uiLrCeia4QyPtzLObU1iHbIB5G9rd 9HlOYuZbEBAHd94uzObjamC2UP98DEsS
X-Received: by 10.37.248.12 with SMTP id u12mr12848436ybd.248.1502467118650; Fri, 11 Aug 2017 08:58:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.218.130 with HTTP; Fri, 11 Aug 2017 08:57:58 -0700 (PDT)
In-Reply-To: <1502460670.3202.8.camel@redhat.com>
References: <1502460670.3202.8.camel@redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 11 Aug 2017 08:57:58 -0700
Message-ID: <CABcZeBOmFTrCEmV20XZe9hO5owdv1SsWaWkZHhQFfpNmfou4VQ@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045db866e5234805567c62ed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nfYuasMTPWVFi-oG4Vl1DBADr8E>
Subject: Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 15:58:41 -0000
On Fri, Aug 11, 2017 at 7:11 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote: > Imagine the following scenario, where the server and client have this > repeated communication N times per day: > > client server > --X--> > <--Y-- > > > the client puts in X a message A of 1 byte or B of 1024 bytes, and pads > it to the maximum size of TLS record. The server replies with the > message "ok" (same every time), padded to the maximum size just after > it reads X. > > However, TLS 1.3 detects the message size by iterating through all the > padding bytes, and thus there is a timing leak observed by the time > difference between receiving X and sending Y. Thus as an adversary I > could take enough measurements and be able to distinguish between X > having the value A or B. > > While I'd expect these iterations to be unmeasurable in desktop or > server hardware, I am not sure about the situation in low-end IoT > hardware. Is the design choice for having the padding removal depending > on padding length intentional? Yes, we're aware of this, and it's an intentional design choice. The reasoning was that once you have the padding removed, you'll need to operate on/copy the unpadded content somewhere, and that's timing dependent anyway. > There is mentioning of possible timing channels in: > https://tools.ietf.org/html/draft-ietf-tls-tls13-21#appendix-E.3 > However I don't quite understand how is this section intended to be > read. The sentence for example: "Because the padding is encrypted > alongside the actual content, an attacker cannot directly determine the > length of the padding, but may be able to measure it indirectly by the > use of timing channels exposed during record processing", what is its > intention? Is it to acknowledge the above timing leak? > Yes. -Ekr > Shouldn't instead be guidance in section 'Implementation Pitfalls' on > how to remove padding in a way that there are no timing leaks? (the > timing leak here is not in crypto algorithms, but TLS itself). Ideally > TLS 1.3 itself shouldn't use data-size depending calculations itself > such as the one described here. > > > regards, > Nikos > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record pad… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Short, Todd
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Ted Lemon
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Andrei Popov
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Short, Todd
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Short, Todd
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Daniel Kahn Gillmor
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Nikos Mavrogiannopoulos
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Colm MacCárthaigh
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Ilari Liusvaara
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Eric Rescorla
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Colm MacCárthaigh
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario
- Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record… Hubert Kario