Re: [TLS] Fwd: New Version Notification for draft-sheffer-tls-bcp-00.txt

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sun, 08 September 2013 10:12 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Fwd: New Version Notification for draft-sheffer-tls-bcp-00.txt
Thread-Index: AQHOrG1AVeDBKKwhJkSxbZHifQ8YWJm7r8UA
Date: Sun, 8 Sep 2013 10:12:36 +0000
Message-ID: <CE520750.A409%kenny.paterson@rhul.ac.uk>
In-Reply-To: <522C3497.9020301@gmail.com>
Subject: Re: [TLS] Fwd: New Version Notification for draft-sheffer-tls-bcp-00.txt

Dear Yaron, 

Thanks for sharing this draft.

Some quick points of feedback:

* Firstly, you asked:

[[Is it possible to affect some length hiding using TLS 1.2 as
   specified today, i.e. without draft-pironti-tls-length-hiding-01, and
   using available APIs?]]


The answer is "yes, to some extent, and for some cipher suites, but it
does not help much against compression attacks".

Expanding: variable length padding is available for CBC-mode ciphersuites
in TLS 1.0 and higher (but not widely implemented). This allows an
implementation to "disguise" the underlying message size to some extent,
and it can be proven to be secure providing you avoid short MAC tags as in
RFC 6066 (see my paper with Ristenpart and Shrimpton from Asiacrypt 2011:
http://www.isg.rhul.ac.uk/~kp/mee-comp.pdf).

Such padding is not available for RC4-based ciphersuites, nor for AES-GCM,
nor AES-CCM. 

The amount of variability this feature introduces into ciphertext lengths
is not sufficient to prevent CRIME/BREACH, but only slows them down a bit
(I have not quantified this; that would require a more detailed analysis
which is not justified given the apparent benefit).
* Secondly, concerning attacks on RC4:

You mention the work of Isobe et al. from FSE 13 (as citation
[RC4-Attack]). I've also been involved in parallel work which goes more
deeply into the practical applications of RC4 weaknesses to breaking TLS
and which includes more powerful attacks, making the case for abandoning
RC4 even stronger:

N.J. AlFardan, D.J. Bernstein, K.G. Paterson, B. Poettering and J.C.N.
Schuldt. On the Security of RC4 in TLS. In USENIX Security Symposium 2013.

https://www.usenix.org/conference/usenixsecurity13/security-rc4-tls

http://www.isg.rhul.ac.uk/tls


* Thirdly, a technical point concerning CRIME/BREACH:

You write: "The attack is a consequence of the TLS MAC-then-encrypt
approach."


This is incorrect. The attacks would apply equally well to AES-GCM
ciphersuites (which do not adopt the MAC-then-encrypt approach).


Regards,

Kenny


On 08/09/2013 09:25, "Yaron Sheffer" <yaronf.ietf@gmail.com> wrote:

>This is an early version of my proposal for a BCP-like document, to
>inform the industry on what can be done with existing implementations,
>while TLS 1.3 is still not ready.
>
>I would appreciate your comments of course. Specifically,
>I would like to fill in the Implementation Status table (Sec. 5) and
>would be glad to receive solid information (dates, planned dates,
>version numbers) from implementers.
>
>Thanks,
>	Yaron
>
>-------- Original Message --------
>Subject: New Version Notification for draft-sheffer-tls-bcp-00.txt
>Date: Sat, 07 Sep 2013 15:46:38 -0700
>From: internet-drafts@ietf.org
>To: Yaron Sheffer <yaronf.ietf@gmail.com>
>
>
>A new version of I-D, draft-sheffer-tls-bcp-00.txt
>has been successfully submitted by Yaron Sheffer and posted to the
>IETF repository.
>
>Filename:	 draft-sheffer-tls-bcp
>Revision:	 00
>Title:		 Recommendations for Secure Use of TLS and DTLS
>Creation date:	 2013-09-08
>Group:		 Individual Submission
>Number of pages: 8
>URL: 
>http://www.ietf.org/internet-drafts/draft-sheffer-tls-bcp-00.txt
>Status:          http://datatracker.ietf.org/doc/draft-sheffer-tls-bcp
>Htmlized:        http://tools.ietf.org/html/draft-sheffer-tls-bcp-00
>
>
>Abstract:
>    Over the last few years there have been several serious attacks on
>    TLS, including attacks on its most commonly used ciphers and modes of
>    operation.  This document offers recommendations on securely using
>    the TLS and DTLS protocols, given existing standards and
>    implementations.
>
>Please note that it may take a couple of minutes from the time of
>submission
>until the htmlized version and diff are available at tools.ietf.org.
>
>The IETF Secretariat
>
>
>
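The "yes, to some extent" answer above about length hiding in TLS 1.2 CBC suites can be made concrete with a small model of RFC 5246 record framing. The following is an added example, written for this archive page; it is not code from Kenny's mail, from the draft, or from any TLS implementation. It assumes AES-128-CBC with HMAC-SHA1 (16-byte blocks, 20-byte MAC, TLS 1.1+ explicit IV) and a 5-byte record header, all per RFC 5246; the AES-GCM framing (8-byte explicit nonce, 16-byte tag) is per RFC 5288. The function and parameter names, and the 100- and 300-byte sample messages, are constructed for the example.

```python
# Model of TLS 1.2 record lengths: CBC suites allow a sender to choose
# among several legal padding lengths (RFC 5246 s.6.2.3.2), AEAD suites do not.
# Constants below are RFC values for AES-128-CBC/HMAC-SHA1 and AES-128-GCM.
BLOCK = 16           # AES block size; also the explicit IV length in TLS 1.1+
MAC_LEN = 20         # HMAC-SHA1 tag length
MAX_PAD_BYTE = 255   # padding_length is a uint8
RECORD_HEADER = 5    # content type (1) + version (2) + length (2)
GCM_NONCE = 8        # explicit nonce in the GenericAEADCipher struct (RFC 5288)
GCM_TAG = 16


def cbc_record_lengths(plaintext_len: int, mac_len: int = MAC_LEN, block: int = BLOCK) -> list[int]:
    """Every on-the-wire record length a TLS 1.1+ CBC sender may legally emit.

    RFC 5246 requires content || MAC || padding || padding_length to be a
    multiple of the block size, and lets padding_length be any value up to 255
    that keeps the total block-aligned. Each legal choice gives one record length.
    """
    body = plaintext_len + mac_len
    lengths = []
    for pad_len in range(MAX_PAD_BYTE + 1):
        if (body + pad_len + 1) % block == 0:
            # header + explicit IV + encrypted (content, MAC, padding, padding_length)
            lengths.append(RECORD_HEADER + block + body + pad_len + 1)
    return lengths


def length_hiding_range(plaintext_len: int) -> int:
    """Spread (max - min) of record lengths a CBC sender can produce for one plaintext."""
    lengths = cbc_record_lengths(plaintext_len)
    return max(lengths) - min(lengths)


def pad_for_target(plaintext: bytes, mac: bytes, target_record_len: int, block: int = BLOCK) -> bytes:
    """Sender side: build content || MAC || padding || padding_length so the
    encrypted record is exactly target_record_len bytes, or raise if that is
    not reachable with RFC 5246 padding."""
    body_len = len(plaintext) + len(mac)
    pad_len = target_record_len - RECORD_HEADER - block - body_len - 1
    if not 0 <= pad_len <= MAX_PAD_BYTE or (body_len + pad_len + 1) % block:
        raise ValueError("target length not reachable with RFC 5246 padding")
    # RFC 5246: each padding byte, and the trailing padding_length byte, equals pad_len
    return plaintext + mac + bytes([pad_len]) * (pad_len + 1)


def check_padding(padded: bytes, block: int = BLOCK) -> bool:
    """Receiver side: the full check RFC 5246 requires before accepting a record.
    Every padding byte must equal padding_length and the buffer must be block-aligned."""
    if not padded or len(padded) % block:
        return False
    pad_len = padded[-1]
    if pad_len + 1 > len(padded):
        return False
    return all(b == pad_len for b in padded[-(pad_len + 1):])


def gcm_record_length(plaintext_len: int) -> int:
    """AES-GCM (RFC 5288): header + explicit nonce + ciphertext + tag.
    The expansion is fixed, so the sender has no length choice at all."""
    return RECORD_HEADER + GCM_NONCE + plaintext_len + GCM_TAG


if __name__ == "__main__":
    # Constructed sample messages of 100 and 300 bytes.
    short_msg, long_msg = b"a" * 100, b"b" * 300
    fake_mac = b"m" * MAC_LEN  # placeholder for a real HMAC tag
    print("CBC lengths for 100 B:", cbc_record_lengths(100))
    print("CBC spread:", length_hiding_range(100), "bytes")
    # Both messages can be sent as a 373-byte record, so length alone does not separate them.
    for msg in (short_msg, long_msg):
        padded = pad_for_target(msg, fake_mac, 373)
        print(len(msg), "-> padded", len(padded), "valid:", check_padding(padded))
    print("GCM length for 100 B (only option):", gcm_record_length(100))
```

The spread is bounded by the 255-byte ceiling on padding_length, which is why the mail says this "does not help much" against CRIME/BREACH: the variability is finite and uniform, so a one-byte difference in compressed size can still be recovered over repeated observations, whereas the same bookkeeping shows AEAD suites offer no sender-side variability at all.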