[TLS] the perils of padding
Benjamin Kaduk <bkaduk@akamai.com> Fri, 07 April 2017 17:05 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45D5F129514 for <tls@ietfa.amsl.com>; Fri, 7 Apr 2017 10:05:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UASob0y2mKqT for <tls@ietfa.amsl.com>; Fri, 7 Apr 2017 10:05:51 -0700 (PDT)
Received: from prod-mail-xrelay08.akamai.com (prod-mail-xrelay08.akamai.com [96.6.114.112]) by ietfa.amsl.com (Postfix) with ESMTP id 125761296D4 for <tls@ietf.org>; Fri, 7 Apr 2017 10:05:44 -0700 (PDT)
Received: from prod-mail-xrelay08.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 8E258200043 for <tls@ietf.org>; Fri, 7 Apr 2017 17:05:43 +0000 (GMT)
Received: from prod-mail-relay08.akamai.com (prod-mail-relay08.akamai.com [172.27.22.71]) by prod-mail-xrelay08.akamai.com (Postfix) with ESMTP id 76872200042 for <tls@ietf.org>; Fri, 7 Apr 2017 17:05:43 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1491584743; bh=O8IDdpgZfZJnYsrq6mAS5qMoge3KZ9nRsyrlsQfBRlU=; l=5352; h=To:From:Date:From; b=QYpVdwgSw7P+JSL7cRJ0ppyukHZ4lK4al6rDz0Qa3pw9MuT7X54J+OM9cFKGQvw5+ HFv4oEBJmDN3avMOnAetMmEGd1yVl4m7xnPpMu0+agj0HCg+OUS+pmhYKcIXuTyeay 9JH1Dn30xtv+fN/W4BjJhLQCi5tqAQ+xka8WtXd8=
Received: from [172.19.17.86] (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay08.akamai.com (Postfix) with ESMTP id 3F9F898084 for <tls@ietf.org>; Fri, 7 Apr 2017 17:05:43 +0000 (GMT)
To: "<tls@ietf.org>" <tls@ietf.org>
From: Benjamin Kaduk <bkaduk@akamai.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <e0714b0b-edc9-16e0-1448-c33b5a6f0fa5@akamai.com>
Date: Fri, 07 Apr 2017 12:05:42 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------9760DA881F022835E0C2688F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/upKzROFu3xWo4MZ9jKyiGuBDRw0>
Subject: [TLS] the perils of padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 17:05:54 -0000
With TLS 1.3 we have this new padding scheme for encrypted records, and
even allow for padding-only records (of nominal internal content type
"application data"). This is generally a good thing, in that it gives a
lot of degrees of freedom to introduce countermeasures to traffic
analysis, but perhaps we are overgenerous. There doesn't seem to be
anything preventing a peer from sending only padding records and never
any application data, whether that is in the client's early data or in
regular data after the handshake. Now, in some situations you may want
to do just that, if you want to keep a channel open and it will only
ever send one legitimate signal ("fire the missiles!") but you want to
avoid revealing when that happens via traffic analysis. In other cases,
it just uses resources without giving an event to the application so as
to let the application say "enough of this".
I first noticed this in the context of early data, where a malicious
client can chew up a server's resources indefinitely at the TLS layer
during the handshake, by negotiating early data and then trickling (or
spewing) 0-length application data records with padding and never
finishing the handshake. We have the max_early_data_size limit that
intends to limit how much early data can be sent; the original
motivation for this was to limit how much trial decryption a server must
do if it doesn't have the key material needed for it, but it also looks
like it should serve as a bound on finishing the handshake.
In some sense this is not new, as a malicious peer could always string
things out by sending highly fragmented records slowly, but the padding
allows a way to string things out while making absolutely no progress at
all, which seems to be qualitatively different, and worth spending some
time considering whether countermeasures are appropriate.
One simple and easy option is to have a new extension to indicate the
maximum consecutive padding that will be accepted by an endpoint, and
abort the connection if too much padding is received in a row without
any non-padding content. But that might be too complicated, and we
could just note that implementations may get grumpy if they see too much
padding and abort the connection; peers are basically allowed to abort
the connection at will already, so it's not really a new thing.
-Ben
- Re: [TLS] the perils of padding Hubert Kario
- [TLS] the perils of padding Benjamin Kaduk
- Re: [TLS] the perils of padding Nico Williams
- Re: [TLS] the perils of padding Benjamin Kaduk