[TLS] TLV vs Compression

James Cloos <cloos@jhcloos.com> Sat, 12 July 2014 01:49 UTC

From: James Cloos <cloos@jhcloos.com>
To: cfrg@irtf.org, tls@ietf.org
Date: Fri, 11 Jul 2014 21:36:53 -0400
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/nt4dbjvgjgWRhxvznwpWSlPMHZ4

My understanding is that tls with compression is vulnerable due to
allowing unauthenticated initiators, which permits an oracle attack.

If so, does it follow that a tls-like protocol, which enables
compression only when symmetric key negotiation uses temporal secrets
(i.e., the pfs concept), when mutual authentication is done, and only for
application-level data, would be safe from compression-specific attacks?

Or posed differently, if an application knows that the tls socket uses
pfs and is mutually authenticated, is it ever safe for *it* to compress
the data it sends over said socket?

And for sockets which are only half-authenticated, can it be secure for
the side which authenticated its peer to compress its own outgoing data?

James Cloos <cloos@jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
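
The compression oracle the message refers to, as an added example that is not part of the original post: the size of compressed output depends on whether peer-influenced text matches a secret sharing the same compression context, and compressing the two parts separately removes that dependence. The cookie-style secret, the function names and the assumption that ciphertext size tracks compressed size are constructed for illustration.

```python
import zlib

# Constructed sample data: a secret the application sends, and two
# same-length strings a peer could cause to be sent alongside it.
SECRET = b"session=7f3a9c2e51d84b60"
MATCHING = b"session=7f3a9c2e51d84b60"
NON_MATCHING = b"session=06b48d15e2c9a3f7"  # same bytes, reordered


def shared_context_len(secret: bytes, peer_text: bytes) -> int:
    """Secret and peer-influenced text compressed as one stream."""
    return len(zlib.compress(secret + b"\n" + peer_text))


def separate_context_len(secret: bytes, peer_text: bytes) -> int:
    """Each part compressed on its own, so no back-reference crosses over."""
    return len(zlib.compress(secret)) + len(zlib.compress(peer_text))


def length_gap(measure) -> int:
    """Observable size difference between the two peer inputs.

    Assumption: the record cipher adds a constant overhead, so an observer
    of ciphertext sizes sees this gap directly.
    """
    return measure(SECRET, NON_MATCHING) - measure(SECRET, MATCHING)


if __name__ == "__main__":
    print("shared context gap:  ", length_gap(shared_context_len), "bytes")
    print("separate context gap:", length_gap(separate_context_len), "bytes")
```

The model has no input for how the channel was keyed or authenticated; the gap depends only on which data shares a compression context.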