[TLS] dealing with AEAD partial delivery [was: Re: Comments on]
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 18 February 2014 16:06 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73AEF1A069B for <tls@ietfa.amsl.com>; Tue, 18 Feb 2014 08:06:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CY9_gaB_0OUd for <tls@ietfa.amsl.com>; Tue, 18 Feb 2014 08:06:14 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id E63001A06A5 for <tls@ietf.org>; Tue, 18 Feb 2014 08:06:13 -0800 (PST)
Received: from [10.70.10.63] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 13E94F984 for <tls@ietf.org>; Tue, 18 Feb 2014 11:06:08 -0500 (EST)
Message-ID: <530384E4.3050705@fifthhorseman.net>
Date: Tue, 18 Feb 2014 11:05:56 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <r422Ps-1075i-5AFD3810B4C14FA493B915BB14B4E0F6@Williams-MacBook-Pro.local> <nnlhx8inp2.fsf@bacon.lysator.liu.se>
In-Reply-To: <nnlhx8inp2.fsf@bacon.lysator.liu.se>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="q8tB0Ge1K5wc7gXnDBALsIQhbIm2JEmGk"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/py8U2D_ecTB_og6qql24bQlpcQk
Subject: [TLS] dealing with AEAD partial delivery [was: Re: Comments on]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2014 16:06:19 -0000
On 02/18/2014 07:56 AM, Niels Möller wrote: > I think there's a difference between on one hand, truncation due to > random failures of your own, reasonably trusted, hardware. And on the > other hand, truncation caused the enemy attacking the communication > channel for some evil purpose. I agree that there is a difference between those cases in the abstract sense. But from the recipient's point of view, these cases are often indistinguishable from one another. I'm not sure that any AEAD api should try to distinguish between them. > If we really want to make progress with this discussion, I guess we must > also distinguish between file types where appending data doesn't change > the meaning of earlier data (e.g, a typical log file), and file types > where appending data can change the meaning radically (e.g., consider a > document format where you can add data at the end of the file which adds > a mark "this document is fake" on top of every page when the file is > displayed or printed). I think this distinction is also likely to be hard for generic tools (tools which want to be context-independent) to make. But, just going with a non-exhaustive, first-pass comparison approach, there are some unsettling results: text/html is a content-type that meets the "sensitive-append/risky-truncation" definition, since new html elements (not to mention javascript) can effectively obscure or override previous html elements, at least in common visual renderers; text/plain arguably meets the "insensitive-append/safe-truncation" definition, since new elements never directly collide with old elements (though a postscript to a human-drafted document that says "PS ha ha just kidding" changes the semantics of the earlier content significantly). Looking at the behavior of modern browsers using https with GCM (ECDHE-RSA-AES128-GCM-SHA256), they render both text/html and text/plain data streams as they receive them, and they do not provide any indication to the user that they believe the data to be truncated, even when receiving an early TCP connection termination, or when a Content-Length: header is not satisfied, or when (in the case of text/html) the html document is not properly closed. So content truncation attacks appear to be already possible in current implementations, despite any guarantees provided by AEAD. Note that I haven't tried to attack the AEAD itself at the TLS record layer, but i'm observing that common utilities like browsers don't propagate truncation errors up to the user already. :( Perhaps this angle on the issue is best moved over to the uta working group, since it's about what to do in the application layer with certain kinds of TLS failures. --dkg
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Wan-Teh Chang
- [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Dr Stephen Henson
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Niels Möller
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Nikos Mavrogiannopoulos
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Adam Langley
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on Watson Ladd
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on Alfredo Pironti
- Re: [TLS] Comments on Niels Möller
- [TLS] dealing with AEAD partial delivery [was: Re… Daniel Kahn Gillmor
- Re: [TLS] Comments on Bill Frantz
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Adam Langley
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Adam Langley
- Re: [TLS] Comments on draft-nir-cfrg-chacha20-pol… Niels Möller