Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
Eric Rescorla <ekr@rtfm.com> Wed, 02 December 2015 17:34 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A59741ACC8F for <tls@ietfa.amsl.com>; Wed, 2 Dec 2015 09:34:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id veA8PVkaS7vc for <tls@ietfa.amsl.com>; Wed, 2 Dec 2015 09:34:18 -0800 (PST)
Received: from mail-yk0-x229.google.com (mail-yk0-x229.google.com [IPv6:2607:f8b0:4002:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3B001ACC87 for <tls@ietf.org>; Wed, 2 Dec 2015 09:34:17 -0800 (PST)
Received: by ykfs79 with SMTP id s79so55578167ykf.1 for <tls@ietf.org>; Wed, 02 Dec 2015 09:34:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=xywpkH4V2K9w01Uk11Gb+2I+Sd/aQyWPIAbvO2zKMAM=; b=Sbl4eARfi9TK/GAVzOC+m/tNFKofbjSx0oSYrjasL2DCKqOi/QFtZX9igjhPW2J7yS pry12sSwdXhJqOUfX6Q34RkJ18Ti5SxNRcM3x5BEVZtJ5gNzfA4+UAYn6AdrjN5FkdI9 o2VJxGGTw+4Lj/CzaohLLb7c1QeVx4PYUrtFutt3xYsm15ZZiB4XP00+XkJxHpMtkp3F i0P2qdfHm4+rxX7tBMS9Ii02lbaX4gK2T9GoyMMWrBAwtBylKpht+r9NjoXVXd3a4gaa JXR2xBIv33VV6QHxk6mpIVv7XZsnF3IG7bjrFrnAN6oLxiHEeJ171wCs8q58bKtqkOeP ZaJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=xywpkH4V2K9w01Uk11Gb+2I+Sd/aQyWPIAbvO2zKMAM=; b=kVOqvHcsmJbCG+aIde4PO0YO7YOWrsvvv6M/ujXKdGE9VGZ9fxQB+4LpbxTp63hVKW 6oB3/WKXNTiPhGFyhSsWKehC0A5nEr1EGcvyMktzCbYO6CJnsVYcRjFGClpiMeAzcRl8 7WERMzu27pSFkS+7xPuTKbsK4nzWqfe4J0BZlgpH/Oy2E9gtYh/FPLhGM4ecpvKo54rc I+j9caNwWJ814BVXfOWIDQkulWNSszOYiJKi8EO3yAnQaH8dhDOt0OFKsQBOUPuLTjBG Npgvh5ozuXaiLHGrySw7NKQRDEYb+31DYgPIP9rEjUSbwXcvy6mSt8JVCDFt74kNEx+M a6LA==
X-Gm-Message-State: ALoCoQlVYxDcwR1m/IlXKBaVUgp4bPHjmLkv1Wgaq1Dhk2rHLtCcddmERYwu60G9sQtJ5CfSJave
X-Received: by 10.13.197.194 with SMTP id h185mr3124735ywd.12.1449077657208; Wed, 02 Dec 2015 09:34:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.197 with HTTP; Wed, 2 Dec 2015 09:33:37 -0800 (PST)
In-Reply-To: <CAFggDF1SHzU_w30Rk469G2ypTx-pRVsFexv9JHSQdAMJTf5xLQ@mail.gmail.com>
References: <56586A2F.1070703@gmail.com> <FB2973EF-F16C-404A-980D-CA0042EC4AEB@gmail.com> <565DBC63.5090908@gmail.com> <565DC935.2040607@gmail.com> <CABkgnnUoyVPC5QVc=ErzAm6DR8usjBw5scc==o4=-XaBoK5AWQ@mail.gmail.com> <9BFA68AB-9677-4BE7-8F5E-D1A66EF95BA5@gmail.com> <CABcZeBMuSeis6KNQ-D_ZAfKmWb7Ts_Lq=QM0z6YWVSSUwueZmg@mail.gmail.com> <CAFggDF1SHzU_w30Rk469G2ypTx-pRVsFexv9JHSQdAMJTf5xLQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 02 Dec 2015 09:33:37 -0800
Message-ID: <CABcZeBP2eyncPVkRMMbBk7ysco++-E9oiiu7JHOjs73wS=R5og@mail.gmail.com>
To: Jacob Appelbaum <jacob@appelbaum.net>
Content-Type: multipart/alternative; boundary="001a114edd4a02c1d10525edaf56"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ssQY7hls-418tI9N8-H__GHe3H4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 17:34:19 -0000
On Wed, Dec 2, 2015 at 7:34 AM, Jacob Appelbaum <jacob@appelbaum.net> wrote: > On 12/2/15, Eric Rescorla <ekr@rtfm.com> wrote: > > On Wed, Dec 2, 2015 at 1:07 AM, Bryan Ford <brynosaurus@gmail.com> > wrote: > > > >> On 02 Dec 2015, at 06:02, Martin Thomson <martin.thomson@gmail.com> > >> wrote: > >> > On 1 December 2015 at 08:22, Bryan A Ford <brynosaurus@gmail.com> > >> > wrote: > >> >> The 2-byte length field in each record's header no longer indicates > >> >> the length of the *current* record but instead indicates the length > of > >> >> the *next* record. > >> > > >> > Ensuring that you know the length of the *next* record is difficult > >> > and could dramatically degrade latency, or adding extra bogus padding > >> > or extra bogus records. For instance, I can always send in bursts of > >> > two packets, a one octet packet that promises the remainder of the > >> > burst and one that promises a single octet packet. At that point, I > >> > get to do what I've always done and you have gained little other than > >> > an increase in packet size of around 19 octets (best case). > >> > >> That type of inefficiency is extremely easy to avoid; please read the > >> rest > >> of my proposal where I discussed exactly that at length. Yes, a > >> particularly stupid implementation could send everything in bursts of > two > >> packets, but it’s ridiculously easy for a slightly smarter > implementation > >> to avoid doing that. And what you’ve gained is complete encryption and > >> integrity-checking of the whole TLS record before any part is > >> interpreted, > >> which seems like a nontrivial security improvement. > > > > > > It's not really clear to me what the anti-traffic-analysis benefit of > your > > proposal > > is over and above just padding everything to a fixed size. That's > certainly > > far > > easier for the implementation to do, especially in typical stacks where > the > > application just calls SSL_Write (or whatever) and so there's no obvious > > API point to provide the "next length", so as a practical matter the > stack > > will very often if not always be in "last block" mode. > > > > I think that it eliminates all static distinguisher in the protocol > for all data covered by the encryption. That is a fantastically > wonderful benefit. Wouldn't that benefit be equally achieved by simply padding all records to a fixed length? You could do this with no protocol change and, as I said, it's far easier for the implementation. > -Ekr > > > > [0] This issue doesn't apply to DTLS because the stack will just move > onto > > the next UDP datagram. > > An off-path attacker can't do much with DTLS, if designed correctly. > Especially if they only see some packets - they'd only get the UDP > headers and then the rest should be uniformly distributed random data, > no? DTLS records do in fact contain a length field because it's possible to pack >1 record into a single UDP datagram. In practice, I think that most stacks do 1:1 except perhaps during the handshake. They also contain a sequence number to aid in reconstruction (important in this case because TLS 1.3 uses the sequence number to form the AEAD nonce). However, as you suggest, an attacker can't DoS DTLS connections by injecting a small number of packets because the DTLS stack will just reject bogus packets. -Ekr
- [TLS] Encrypting record headers: practical for TL… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Roland Zink
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Roland Zink
- Re: [TLS] Encrypting record headers: practical fo… Tony Arcieri
- Re: [TLS] Encrypting record headers: practical fo… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bill Cox
- Re: [TLS] Encrypting record headers: practical fo… Nikos Mavrogiannopoulos
- Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Short, Todd
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Jim Schaad
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… John Mattsson
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- [TLS] Fully encrypted and authenticated headers (… Bryan A Ford
- Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
- Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Fully encrypted and authenticated heade… Martin Thomson
- Re: [TLS] Fully encrypted and authenticated heade… Viktor Dukhovni
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
- Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
- Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
- Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Mike Copley
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Stephen Farrell
- Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Ilari Liusvaara
- Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
- Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Eric Mill
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Martin Thomson
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
- Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
- Re: [TLS] Encrypting record headers: practical fo… Martin Rex
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
- Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
- Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
- Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
- Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
- Re: [TLS] Fully encrypted and authenticated heade… Jeff Burdges
- Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
- Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum