IETF Logo Mail Archive

Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 28 November 2015 11:16 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CD171ACDD6 for <tls@ietfa.amsl.com>; Sat, 28 Nov 2015 03:16:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.385
X-Spam-Level:
X-Spam-Status: No, score=-3.385 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XT-Bc_lylc4Y for <tls@ietfa.amsl.com>; Sat, 28 Nov 2015 03:16:01 -0800 (PST)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47B051ACDD5 for <tls@ietf.org>; Sat, 28 Nov 2015 03:16:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1448709361; x=1480245361; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=MMHghR63fMAOWVPUDhlFXRmO/rOtlfRwE6xABg57L4A=; b=DQSuP7TnFg+Q6MgjYfahWYFGqUCQXEvenUeeJgNV46aDOLO82jvjiPca 2S8vQHeRjnq+9aWlYFhg5lDyqGcrnczE0WA5PhgCng17go6Cgn9uNns1k WLD1C7tn/+ZeNIp+i6lAAJIsmqnINDWD2bfuLHau5hq9mMjkRI3bCcMy3 lbaKaOsL8y4q3+/kWCNcXjibPkM/toBuxO4LWB+kHj/8+GHVSw0r2EgSV Aj+PgMOtnW+603uac0jYEMT4kr6hag8Ep4ipk9qbPaKphjUgW23ezls7S rmu9ECAmPFncZJ/IIbRB55ZdmYubjQox0KCjst+3V4peSmzsXJggaYDZH w==;
X-IronPort-AV: E=Sophos;i="5.20,356,1444647600"; d="scan'208";a="56518119"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.125 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxchange10-fe3.UoA.auckland.ac.nz) ([130.216.4.125]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 29 Nov 2015 00:15:58 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.153]) by uxchange10-fe3.UoA.auckland.ac.nz ([169.254.143.234]) with mapi id 14.03.0266.001; Sun, 29 Nov 2015 00:15:58 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Bryan A Ford <brynosaurus@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
Thread-Index: AQHRKSDnEzBCXT12GkOsH7hTugsdcp6xSade
Date: Sat, 28 Nov 2015 11:15:57 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73F4B8DA2A@uxcn10-5.UoA.auckland.ac.nz>
References: <56586A2F.1070703@gmail.com>
In-Reply-To: <56586A2F.1070703@gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/o8iNeROVLvbDMKTwo8EsZwCbznc>
Subject: Re: [TLS] Encrypting record headers: practical for TLS 1.3 after all?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2015 11:16:05 -0000

Bryan A Ford <brynosaurus@gmail.com> writes:

>The idea of encrypting TLS record headers has come up before, the most
>important purpose being to hide record lengths and boundaries and make
>fingerprinting and traffic analysis harder.

Argh, no!  I sent the following to the SSH list a few days ago in support of
someone else's suggestion to finally abandon this misguided idea:

-- Snip --

SSL/TLS have used unencrypted lengths for twenty years without there being any
(known) attack or weakness based on this.  OTOH SSH has used encrypted lengths
for nearly the same period, and there have been several attacks/weaknesses
based on that.  Security-wise, it has the opposite effect of the one intended,
it makes the protocol weaker, not stronger.

My real issue with it though is that, as you've pointed out, it makes it
impossible to create an efficient streaming implementation.  With TLS you read
the length at the start, stream the rest into the target memory location, and
decrypt in place.  With SSH you have to read a single block, decrypt it, make
sure you're not providing an oracle for the attacker, copy what's left around,
read more encrypted data onto the end, decrypt the remainder, ugh.

-- Snip --

Encrypting the length information is a serious step backwards both in terms of
security and processing efficiency.

Peter.

v2.14.0 | Report a Bug | By Email