Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)

Bryan A Ford <brynosaurus@gmail.com> Thu, 03 December 2015 08:50 UTC

To: tls@ietf.org
References: <56586A2F.1070703@gmail.com> <FB2973EF-F16C-404A-980D-CA0042EC4AEB@gmail.com> <565DBC63.5090908@gmail.com> <565DC935.2040607@gmail.com> <CABkgnnUoyVPC5QVc=ErzAm6DR8usjBw5scc==o4=-XaBoK5AWQ@mail.gmail.com> <9BFA68AB-9677-4BE7-8F5E-D1A66EF95BA5@gmail.com> <CABcZeBMuSeis6KNQ-D_ZAfKmWb7Ts_Lq=QM0z6YWVSSUwueZmg@mail.gmail.com> <CAFggDF1SHzU_w30Rk469G2ypTx-pRVsFexv9JHSQdAMJTf5xLQ@mail.gmail.com> <CACsn0c=F5PUcXu=Sw5eubeZspaj_jGn3ohuryGMrjwW=e=wvaQ@mail.gmail.com>
From: Bryan A Ford <brynosaurus@gmail.com>
Message-ID: <56600243.2010308@gmail.com>
Date: Thu, 03 Dec 2015 09:50:11 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <CACsn0c=F5PUcXu=Sw5eubeZspaj_jGn3ohuryGMrjwW=e=wvaQ@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms070900040107050009020609"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ulnZQZIjQ2WsJaSEy2XgRoGCeT4>
Subject: Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
Precedence: list

On 12/2/15 4:45 PM, Watson Ladd wrote:
> On Wed, Dec 2, 2015 at 10:34 AM, Jacob Appelbaum <jacob@appelbaum.net> wrote:
>> On 12/2/15, Eric Rescorla <ekr@rtfm.com> wrote:
>>> It's not really clear to me what the anti-traffic-analysis benefit of your
>>> proposal
>>> is over and above just padding everything to a fixed size. That's certainly
>>> far
>>> easier for the implementation to do, especially in typical stacks where the
>>> application just calls SSL_Write (or whatever) and so there's no obvious
>>> API point to provide the "next length", so as a practical matter the stack
>>> will very often if not always be in "last block" mode.
>>>
>>
>> I think that it eliminates all static distinguisher in the protocol
>> for all data covered by the encryption. That is a fantastically
>> wonderful benefit.
> 
> What's a "static distinguisher"? Padding solves this problem as well,
> but it also solves problems resulting from TCP segmentation down the
> stack, which header encryption doesn't. What does header encryption
> offer that padding does not?

Once again (for the n'th time in this thread):  Padding is great and we
should encourage implementations to do it, but it may be impractical to
mandate (a) that *every* TLS 1.3 implementation use padding all the
time, and (b) that *every* implementation that does use padding uses the
*same* padded record size as every other TLS implementation.

If TLS 1.3 did mandate that all implementations always pad to the same
standard-defined record length (to echo Viktor Dukhovni, GO ATM! GO ATM!
:) ), then it might be arguably the case that encrypting headers
wouldn't add any further benefit.

But short of that, encrypting TLS headers makes it strictly harder for a
passive adversary - or an active adversary who can only inject but not
block traffic - to distinguish between padded or unpadded TLS 1.3
streams, or to distinguish between TLS 1.3 streams padded to different
block sizes.

In particular, with encrypted records, we get a guarantee that nothing
in the transmitted TCP stream content itself leaks information about the
internal pattern of records, even if it's un-padded or differently
padded from other streams.  The attacker has to use other side-channels
to perform such distinguishing attacks, and other side-channels are
often lower-bandwidth (e.g., the total length of whole streams or bursts
rather than individual records), and/or more noisy (e.g., the lengths
and timings of TCP segments, which may get retimed and/or resegmented by
all sorts of activities both at the endpoints and in the network).

B

> 
> Sincerely,
> Watson
>

Attachment: smime.p7s

[TLS] Encrypting record headers: practical for TL… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
Re: [TLS] Encrypting record headers: practical fo… Roland Zink
Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
Re: [TLS] Encrypting record headers: practical fo… Roland Zink
Re: [TLS] Encrypting record headers: practical fo… Tony Arcieri
Re: [TLS] Encrypting record headers: practical fo… Watson Ladd
Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Henrick Hellström
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Bill Cox
Re: [TLS] Encrypting record headers: practical fo… Nikos Mavrogiannopoulos
Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
Re: [TLS] Encrypting record headers: practical fo… Short, Todd
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
Re: [TLS] Encrypting record headers: practical fo… Jim Schaad
Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
Re: [TLS] Encrypting record headers: practical fo… John Mattsson
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
[TLS] Fully encrypted and authenticated headers (… Bryan A Ford
Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
Re: [TLS] Fully encrypted and authenticated heade… Martin Thomson
Re: [TLS] Fully encrypted and authenticated heade… Viktor Dukhovni
Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
Re: [TLS] Fully encrypted and authenticated heade… Dmitry Belyavsky
Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
Re: [TLS] Encrypting record headers: practical fo… Bryan Ford
Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Hubert Kario
Re: [TLS] Encrypting record headers: practical fo… Yoav Nir
Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
Re: [TLS] Encrypting record headers: practical fo… Mike Copley
Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
Re: [TLS] Encrypting record headers: practical fo… Martin Rex
Re: [TLS] Encrypting record headers: practical fo… Stephen Farrell
Re: [TLS] Fully encrypted and authenticated heade… Eric Rescorla
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
Re: [TLS] Encrypting record headers: practical fo… Eric Rescorla
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
Re: [TLS] Encrypting record headers: practical fo… Martin Rex
Re: [TLS] Encrypting record headers: practical fo… Ilari Liusvaara
Re: [TLS] Encrypting record headers: practical fo… Fabrice Gautier
Re: [TLS] Encrypting record headers: practical fo… Dave Garrett
Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
Re: [TLS] Encrypting record headers: practical fo… Eric Mill
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Martin Thomson
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Viktor Dukhovni
Re: [TLS] Fully encrypted and authenticated heade… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Encrypting record headers: practical fo… Bryan A Ford
Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
Re: [TLS] Encrypting record headers: practical fo… Salz, Rich
Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Fully encrypted and authenticated heade… Watson Ladd
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
Re: [TLS] Encrypting record headers: practical fo… Aaron Zauner
Re: [TLS] Encrypting record headers: practical fo… Martin Rex
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum
Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
Re: [TLS] Fully encrypted and authenticated heade… Bryan Ford
Re: [TLS] Encrypting record headers: practical fo… GUBALLA, JENS (JENS)
Re: [TLS] Fully encrypted and authenticated heade… Valery Smyslov
Re: [TLS] Fully encrypted and authenticated heade… Jacob Appelbaum
Re: [TLS] Fully encrypted and authenticated heade… Jeff Burdges
Re: [TLS] Encrypting record headers: practical fo… Peter Gutmann
Re: [TLS] Encrypting record headers: practical fo… Jacob Appelbaum

Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)

Attachment: smime.p7s