IETF Logo Mail Archive

[TLS] dealing with AEAD partial delivery [was: Re: Comments on]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 18 February 2014 16:06 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73AEF1A069B for <tls@ietfa.amsl.com>; Tue, 18 Feb 2014 08:06:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CY9_gaB_0OUd for <tls@ietfa.amsl.com>; Tue, 18 Feb 2014 08:06:14 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id E63001A06A5 for <tls@ietf.org>; Tue, 18 Feb 2014 08:06:13 -0800 (PST)
Received: from [10.70.10.63] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 13E94F984 for <tls@ietf.org>; Tue, 18 Feb 2014 11:06:08 -0500 (EST)
Message-ID: <530384E4.3050705@fifthhorseman.net>
Date: Tue, 18 Feb 2014 11:05:56 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <r422Ps-1075i-5AFD3810B4C14FA493B915BB14B4E0F6@Williams-MacBook-Pro.local> <nnlhx8inp2.fsf@bacon.lysator.liu.se>
In-Reply-To: <nnlhx8inp2.fsf@bacon.lysator.liu.se>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="q8tB0Ge1K5wc7gXnDBALsIQhbIm2JEmGk"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/py8U2D_ecTB_og6qql24bQlpcQk
Subject: [TLS] dealing with AEAD partial delivery [was: Re: Comments on]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2014 16:06:19 -0000

On 02/18/2014 07:56 AM, Niels Möller wrote:
> I think there's a difference between on one hand, truncation due to
> random failures of your own, reasonably trusted, hardware. And on the
> other hand, truncation caused the enemy attacking the communication
> channel for some evil purpose.

I agree that there is a difference between those cases in the abstract
sense.  But from the recipient's point of view, these cases are often
indistinguishable from one another.  I'm not sure that any AEAD api
should try to distinguish between them.

> If we really want to make progress with this discussion, I guess we must
> also distinguish between file types where appending data doesn't change
> the meaning of earlier data (e.g, a typical log file), and file types
> where appending data can change the meaning radically (e.g., consider a
> document format where you can add data at the end of the file which adds
> a mark "this document is fake" on top of every page when the file is
> displayed or printed).

I think this distinction is also likely to be hard for generic tools
(tools which want to be context-independent) to make.  But, just going
with a non-exhaustive, first-pass comparison approach, there are some
unsettling results:

text/html is a content-type that meets the
"sensitive-append/risky-truncation" definition, since new html elements
(not to mention javascript) can effectively obscure or override previous
html elements, at least in common visual renderers; text/plain arguably
meets the "insensitive-append/safe-truncation" definition, since new
elements never directly collide with old elements (though a postscript
to a human-drafted document that says "PS ha ha just kidding" changes
the semantics of the earlier content significantly).

Looking at the behavior of modern browsers using https with GCM
(ECDHE-RSA-AES128-GCM-SHA256), they render both text/html and text/plain
data streams as they receive them, and they do not provide any
indication to the user that they believe the data to be truncated, even
when receiving an early TCP connection termination, or when a
Content-Length: header is not satisfied, or when (in the case of
text/html) the html document is not properly closed.

So content truncation attacks appear to be already possible in current
implementations, despite any guarantees provided by AEAD.  Note that I
haven't tried to attack the AEAD itself at the TLS record layer, but i'm
observing that common utilities like browsers don't propagate truncation
errors up to the user already. :(

Perhaps this angle on the issue is best moved over to the uta working
group, since it's about what to do in the application layer with certain
kinds of TLS failures.

	--dkg

v2.23.0 | Report a Bug | By Email