Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 20 December 2017 21:50 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0661D1205D3 for <tls@ietfa.amsl.com>; Wed, 20 Dec 2017 13:50:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1j4uCJKb8-pS for <tls@ietfa.amsl.com>; Wed, 20 Dec 2017 13:50:50 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE3CD1200C5 for <tls@ietf.org>; Wed, 20 Dec 2017 13:50:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id A8974B5258; Wed, 20 Dec 2017 23:50:48 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id BF_nQMf7hBWk; Wed, 20 Dec 2017 23:50:48 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 3EB6C2308; Wed, 20 Dec 2017 23:50:45 +0200 (EET)
Date: Wed, 20 Dec 2017 23:50:44 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Colm =?utf-8?Q?MacC=C3=A1rthaigh?= <colm@allcosts.net>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20171220215044.GA10711@LK-Perkele-VII>
References: <CAAF6GDeeo2xjv1Xu7SFXVZ_zM=XUVJHT=eqH4_-G3+4UHsfvgg@mail.gmail.com> <1513784265636.74656@cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <1513784265636.74656@cs.auckland.ac.nz>
User-Agent: Mutt/1.9.2 (2017-12-15)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sa3XkLy4w5AGohxZCdnFD_7IdVk>
Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Dec 2017 21:50:53 -0000

On Wed, Dec 20, 2017 at 03:37:46PM +0000, Peter Gutmann wrote:

> The reason I ask is a combination of two things, firstly I've done timing
> measurements on my own code to try and detect differences in behaviour and
> couldn't find anything among the general noise of code execution, and secondly
> any constant-time code is a tradeoff between readability/auditability and
> (near) constant-time operation ("near" because you have no control over what a
> compiler will do to optimise your code, so it may not be anywhere near
> constant-time once it's in binary form).  Something like
> s2n_constant_time_copy_or_dont() is barely passable, but I've seen constant-
> time PKCS #1 decoding and similar that's essentially incomprehensible, there's
> no way to look at it and see that it's correct. 

Just for fun I tried to implement decoding raw decrypted PKCS#1 encoded
RSA premaster secret and then checking the finished MAC. In way not
vulernable to ROBOT.

I started with code already implementing (EC)DHE key derivation and
finished check. It was like 25-30 (depends on how one counts) lines of
(not very hairy) code to implement, including modifications to existing
code. And this was without any fancy libraries (including random number
generation). Of course, just removing static RSA is much easier way
of eliminate ROBOT.

I never hooked it up to TLS proper, because that would have been
hundreds of lines of code at the very least. Plus, the code is not
up to my quality standards to publish, even as a hack (ocassionally
absolutely incredible things make to "production").


-Ilari