IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

"Short, Todd" <tshort@akamai.com> Fri, 11 August 2017 18:33 UTC

Return-Path: <tshort@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D0AF131C9F for <tls@ietfa.amsl.com>; Fri, 11 Aug 2017 11:33:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.711
X-Spam-Level:
X-Spam-Status: No, score=-0.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YYsNi1TKth6g for <tls@ietfa.amsl.com>; Fri, 11 Aug 2017 11:33:04 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [67.231.149.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BDC6131CCF for <tls@ietf.org>; Fri, 11 Aug 2017 11:33:02 -0700 (PDT)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id v7BIWK6H009947; Fri, 11 Aug 2017 19:33:01 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=NkZg3GoquYKGssT6lhGdhG7WaiS2pDXkW1vhQ2CQD9g=; b=BYt4HWLEiKYaBCmiGhdshMxVIMP7QblfCXmXwMH9r6W9JikXX7AOXQhgYzEvbLNV0dZD ths1GeE+98BcdCV9FjDGXAWULxVV5V6eSiRwUIA2vilX64wckcFt89ZbOBKjHIdkt4wy 5xkFnHC3xVsl3IklKgXg+KH1346LTItOaJCqT3Q8up7t+6rCWmWdOrqJPxeGJjnGqPqj oGw9tp4FQw/pSu5TyLMRFcW+YNjjRt+ZBD2hveyDW/XTZ0tJ6fQlfXgIedbIC4hm/b48 UavMTilrYNyTlfxFmgV2rG07d8JVoHnHAbwZlSiOYCbUkWq7HgJsvqcVjovOuQ1hRCaH Xg==
Received: from prod-mail-ppoint4 ([96.6.114.87]) by mx0a-00190b01.pphosted.com with ESMTP id 2c7yd0rst3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 11 Aug 2017 19:33:00 +0100
Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v7BIUxQD023655; Fri, 11 Aug 2017 14:32:59 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint4.akamai.com with ESMTP id 2c59bv9h52-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 11 Aug 2017 14:32:59 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 11 Aug 2017 14:32:58 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com ([172.27.123.105]) by usma1ex-dag1mb5.msg.corp.akamai.com ([172.27.123.105]) with mapi id 15.00.1263.000; Fri, 11 Aug 2017 14:32:58 -0400
From: "Short, Todd" <tshort@akamai.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: Nikos Mavrogiannopoulos <nmav@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size
Thread-Index: AQHTEqu4UDB35x1gLEG+JKMOxcPabqJ/kuoAgAANtICAAAlUAIAAFEWA
Date: Fri, 11 Aug 2017 18:32:57 +0000
Message-ID: <14329E27-DBCC-4A6F-BB4C-7CFAFD7ADF53@akamai.com>
References: <1502460670.3202.8.camel@redhat.com> <CABcZeBOmFTrCEmV20XZe9hO5owdv1SsWaWkZHhQFfpNmfou4VQ@mail.gmail.com> <CADh2w8Trp-7WiVCDzQ6OLiHqE_Fw530bp0gZeRKCJiaGkLfb3w@mail.gmail.com> <CABcZeBNpJ5_03VZot_3hj7KHnJ8609HX-MY62n0+HLXoRg-+=Q@mail.gmail.com>
In-Reply-To: <CABcZeBNpJ5_03VZot_3hj7KHnJ8609HX-MY62n0+HLXoRg-+=Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.32.244]
Content-Type: multipart/alternative; boundary="_000_14329E27DBCC4A6FBB4C7CFAFD7ADF53akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-08-11_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1708110289
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-08-11_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1708110290
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wcj0aIz40qsswiicc-LPIUwlaJs>
Subject: Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 18:33:07 -0000

If the plaintext length indicates a message type, then this could lead to the issue the original query posted. In that an observer might know what message type was passed. TLS padding is supposed to prevent this (but it doesn’t necessarily).

However, I argue that having TLS do significant padding for a protocol is bad design for that protocol. It’s one thing if it’s a few padding bytes, but the example given was 1023 bytes of padding.

Also as pointed out by Andrei Popov, the application needs to tell TLS how much padding to apply, so either way, the application has to deal with determining the padding length. Why not just make it part of the protocol in the first place?

OpenSSL has a callback scheme, and a block-based scheme for determining the amount of padding. Either way, the application is involved.

But my final point is that we are ignoring the amount of non-TLS processing that must be done on various message types (before the response is sent), and THAT might be even more of a giveaway than the minuscule timing difference due to counting padding in TLS.

--
-Todd Short
// tshort@akamai.com<mailto:tshort@akamai.com>
// "One if by land, two if by sea, three if by the Internet."

On Aug 11, 2017, at 1:20 PM, Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:



On Fri, Aug 11, 2017 at 9:47 AM, Nikos Mavrogiannopoulos <nmav@redhat.com<mailto:nmav@redhat.com>> wrote:
On Fri, Aug 11, 2017 at 5:57 PM, Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:

On Fri, Aug 11, 2017 at 7:11 AM, Nikos Mavrogiannopoulos <nmav@redhat.com<mailto:nmav@redhat.com>> wrote:
Imagine the following scenario, where the server and client have this
repeated communication N times per day:

client     server
    --X-->
    <--Y--


the client puts in X a message A of 1 byte or B of 1024 bytes, and pads
it to the maximum size of TLS record. The server replies with the
message "ok" (same every time), padded to the maximum size just after
it reads X.

However, TLS 1.3 detects the message size by iterating through all the
padding bytes, and thus there is a timing leak observed by the time
difference between receiving X and sending Y. Thus as an adversary I
could take enough measurements and be able to distinguish between X
having the value A or B.

While I'd expect these iterations to be unmeasurable in desktop or
server hardware, I am not sure about the situation in low-end IoT
hardware. Is the design choice for having the padding removal depending
on padding length intentional?

Yes, we're aware of this, and it's an intentional design choice. The reasoning
was that once you have the padding removed, you'll need to operate on/copy
the unpadded content somewhere, and that's timing dependent anyway.

That is certainly an incorrect assumption. gnutls for example provides a zero-copy API, and I guess it is not the only implementation to have that.

And then the next thing that will happen is that the application will read the data, which is length-dependent. The problem is that the plaintext is variable length.


There is mentioning of possible timing channels in:
https://tools.ietf.org/html/draft-ietf-tls-tls13-21#appendix-E.3<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dtls-2Dtls13-2D21-23appendix-2DE.3&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=QBEcQsqoUDdk1Q26CzlzNPPUkKYWIh1LYsiHAwmtRik&m=XJYxN2Gf0rNXPl3yadis8utHDuyRetUCeYdF-OmwAcQ&s=CJUfP5OPl4Uy3Igpm9hvAvuLiJlWdRLxSnagqfNZEZM&e=>
However I don't quite understand how is this section intended to be
read. The sentence for example: "Because the padding is encrypted
alongside the actual content, an attacker cannot directly determine the
length of the padding, but may be able to measure it indirectly by the
use of timing channels exposed during record processing", what is its
intention? Is it to acknowledge the above timing leak?

Yes.

I am not sure if that text is sufficient to cover that issue. It seems as if the cbc timing attack is re-introduced here and pushing the fix to implementers. It may be better no to provide padding functionality with this "feature", as unfortunately it will be used by applications.

I don't believe that this is analysis is correct. This timing channel only applies to the data after message integrity has been established (i.e., after AEAD processing), which is different from the situation in Lucky 13. It seems like what leaks here is the length of the plaintext, which is also what would be leaked if we simply did not have padding.

-Ekr


regards,
Nikos


_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email