[TLS] the perils of padding
Benjamin Kaduk <bkaduk@akamai.com> Fri, 07 April 2017 17:05 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45D5F129514 for <tls@ietfa.amsl.com>; Fri, 7 Apr 2017 10:05:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UASob0y2mKqT for <tls@ietfa.amsl.com>; Fri, 7 Apr 2017 10:05:51 -0700 (PDT)
Received: from prod-mail-xrelay08.akamai.com (prod-mail-xrelay08.akamai.com [96.6.114.112]) by ietfa.amsl.com (Postfix) with ESMTP id 125761296D4 for <tls@ietf.org>; Fri, 7 Apr 2017 10:05:44 -0700 (PDT)
Received: from prod-mail-xrelay08.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 8E258200043 for <tls@ietf.org>; Fri, 7 Apr 2017 17:05:43 +0000 (GMT)
Received: from prod-mail-relay08.akamai.com (prod-mail-relay08.akamai.com [172.27.22.71]) by prod-mail-xrelay08.akamai.com (Postfix) with ESMTP id 76872200042 for <tls@ietf.org>; Fri, 7 Apr 2017 17:05:43 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1491584743; bh=O8IDdpgZfZJnYsrq6mAS5qMoge3KZ9nRsyrlsQfBRlU=; l=5352; h=To:From:Date:From; b=QYpVdwgSw7P+JSL7cRJ0ppyukHZ4lK4al6rDz0Qa3pw9MuT7X54J+OM9cFKGQvw5+ HFv4oEBJmDN3avMOnAetMmEGd1yVl4m7xnPpMu0+agj0HCg+OUS+pmhYKcIXuTyeay 9JH1Dn30xtv+fN/W4BjJhLQCi5tqAQ+xka8WtXd8=
Received: from [172.19.17.86] (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay08.akamai.com (Postfix) with ESMTP id 3F9F898084 for <tls@ietf.org>; Fri, 7 Apr 2017 17:05:43 +0000 (GMT)
To: "<tls@ietf.org>" <tls@ietf.org>
From: Benjamin Kaduk <bkaduk@akamai.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <e0714b0b-edc9-16e0-1448-c33b5a6f0fa5@akamai.com>
Date: Fri, 07 Apr 2017 12:05:42 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------9760DA881F022835E0C2688F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/upKzROFu3xWo4MZ9jKyiGuBDRw0>
Subject: [TLS] the perils of padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2017 17:05:54 -0000
With TLS 1.3 we have this new padding scheme for encrypted records, and even allow for padding-only records (of nominal internal content type "application data"). This is generally a good thing, in that it gives a lot of degrees of freedom to introduce countermeasures to traffic analysis, but perhaps we are overgenerous. There doesn't seem to be anything preventing a peer from sending only padding records and never any application data, whether that is in the client's early data or in regular data after the handshake. Now, in some situations you may want to do just that, if you want to keep a channel open and it will only ever send one legitimate signal ("fire the missiles!") but you want to avoid revealing when that happens via traffic analysis. In other cases, it just uses resources without giving an event to the application so as to let the application say "enough of this". I first noticed this in the context of early data, where a malicious client can chew up a server's resources indefinitely at the TLS layer during the handshake, by negotiating early data and then trickling (or spewing) 0-length application data records with padding and never finishing the handshake. We have the max_early_data_size limit that intends to limit how much early data can be sent; the original motivation for this was to limit how much trial decryption a server must do if it doesn't have the key material needed for it, but it also looks like it should serve as a bound on finishing the handshake. In some sense this is not new, as a malicious peer could always string things out by sending highly fragmented records slowly, but the padding allows a way to string things out while making absolutely no progress at all, which seems to be qualitatively different, and worth spending some time considering whether countermeasures are appropriate. One simple and easy option is to have a new extension to indicate the maximum consecutive padding that will be accepted by an endpoint, and abort the connection if too much padding is received in a row without any non-padding content. But that might be too complicated, and we could just note that implementations may get grumpy if they see too much padding and abort the connection; peers are basically allowed to abort the connection at will already, so it's not really a new thing. -Ben
- Re: [TLS] the perils of padding Hubert Kario
- [TLS] the perils of padding Benjamin Kaduk
- Re: [TLS] the perils of padding Nico Williams
- Re: [TLS] the perils of padding Benjamin Kaduk