Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

mrex@sap.com (Martin Rex) Fri, 15 December 2017 23:30 UTC

In-Reply-To: <20171215195529.GA20237@LK-Perkele-VII>
References: <20171215174628.GA17601@LK-Perkele-VII> <CABcZeBOsL0a0xHvVWEus_EY3mUNioaV9fsz89Gt+HeqdHpoyDw@mail.gmail.com> <CACsn0ckYPpp5nD2jj4Zmx=ZJvqWzHW0tmmXo-9JeKL45+pRUqw@mail.gmail.com> <CABcZeBPPozOsTxxJO63RmHwTr56Wucx6OYW=kvvhosRUHR1ctA@mail.gmail.com> <20171215183424.GA17780@LK-Perkele-VII> <MWHPR21MB01893A20A8D0812E880926568C0B0@MWHPR21MB0189.namprd21.prod.outlook.com> <20171215184951.GB17780@LK-Perkele-VII> <DM5PR14MB1289FA656DB8D87DCA0B355F830B0@DM5PR14MB1289.namprd14.prod.outlook.com> <MWHPR21MB0189419E69BD53F735C55FFC8C0B0@MWHPR21MB0189.namprd21.prod.outlook.com> <DM5PR14MB1289D532FD2C60EFA1B02F7A830B0@DM5PR14MB1289.namprd14.prod.outlook.com> <20171215195529.GA20237@LK-Perkele-VII>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Sat, 16 Dec 2017 00:30:06 +0100
CC: Tim Hollebeek <tim.hollebeek@digicert.com>, "tls@ietf.org" <tls@ietf.org>
Reply-To: mrex@sap.com
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20171215233006.CF046404B@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/o8HXgrRNnrHzGHEHzQlROSGXZ1g>
Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> On Fri, Dec 15, 2017 at 07:33:44PM +0000, Tim Hollebeek wrote:
>> 
>> However, servers are easier to upgrade than clients, which is why you see
>> some of the server side support you mention.  I know CloudFlare in
>> particular helped a lot of people cope with communicating with clients who
>> had different certificate capabilities.  It isn't a bad thing that both
>> approaches exist.
> 
> Also, it should be noted that the past two migrations needed to be
> compatible with TLS 1.0 and 1.1, which have much less advanced
> signature negotiation than TLS 1.2 (and 1.3).

There is an awfully large installed base of borked TLSv1.2 servers.

If those servers are equipped with a sha256WithRsaEncryption server cert,
the handshake results are:

  - TLSv1.0 for SSLv3 ClientHello w/ client_version = (3,1)
  - TLSv1.1 for SSLv3 ClientHello w/ client_version = (3,2)
  - TLSv1.1 for SSL VERSION 2 CLIENT-HELLO offering (3,3)
  - chokes and drops network connection
           for SSLv3 ClientHello w/ client_version = (3,3)

i.e. there exists a serious interop problem for TLSv1.2 with such servers,
but there is no problem interoperating with TLSv1.0 or TLSv1.1.

-Martin
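As an added example (not code from Martin's message or from anyone in the thread), here is a small Python probe for checking a server you operate for the version intolerance described above: it builds a TLS-record-framed SSLv3-format ClientHello with a chosen client_version and maps what comes back to the same labels as the table in the message. The helper names, the fixed cipher-suite list and the all-zero random are my own assumptions.

```python
import socket
import struct

# Constructed example: minimal ClientHello builder plus outcome classifier for a
# TLS 1.2 version-intolerance check against your own server. Helper names are
# hypothetical and not taken from the thread.

def build_client_hello(client_version, cipher_suites=(0x002F, 0x0035, 0x003C)):
    """Return a TLS record carrying a ClientHello whose client_version is the
    (major, minor) tuple given, e.g. (3, 3) for TLSv1.2."""
    major, minor = client_version
    random = b"\x00" * 32                      # fixed: this is a probe, not a real session
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (struct.pack("!BB", major, minor) + random
            + b"\x00"                          # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                     # one compression method: null
    # handshake type 1 = client_hello, followed by a 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # record-layer version (3,1): the SSLv3/TLS record framing every server accepts
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def server_hello_version(response):
    """Negotiated (major, minor) from a ServerHello record, or None when the
    bytes are not a ServerHello (alert, empty read on a dropped connection)."""
    if len(response) < 11 or response[0] != 0x16 or response[5] != 0x02:
        return None
    return (response[9], response[10])

def classify(negotiated):
    """Map the negotiated version onto the labels used in the message above."""
    if negotiated is None:
        return "chokes and drops network connection"
    names = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
    return names.get(negotiated, "unknown version %r" % (negotiated,))

def probe(host, port, client_version, timeout=5.0):
    """Send one ClientHello with the given client_version and classify the result."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_client_hello(client_version))
        try:
            return classify(server_hello_version(s.recv(4096)))
        except (socket.timeout, ConnectionResetError):
            return classify(None)
```

Running probe() once each with (3,1), (3,2) and (3,3) against a server reproduces the table above; a server that answers the first two but drops the third has the TLSv1.2 intolerance Martin describes.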