Re: [TLS] TLV vs Compression

Martin Thomson <martin.thomson@gmail.com> Sat, 12 July 2014 02:56 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5CBE1B27AB for <tls@ietfa.amsl.com>; Fri, 11 Jul 2014 19:56:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id skPBcKn08PLX for <tls@ietfa.amsl.com>; Fri, 11 Jul 2014 19:56:25 -0700 (PDT)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32FA01A0190 for <tls@ietf.org>; Fri, 11 Jul 2014 19:56:25 -0700 (PDT)
Received: by mail-wi0-f177.google.com with SMTP id ho1so111013wib.16 for <tls@ietf.org>; Fri, 11 Jul 2014 19:56:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=m8OrsSYk656zlmiLXoqGhW9scu8qd8jN5LHkYkytBAY=; b=Iz3nRjARMMu0WMQgxlSpnRrDOKxmB+3KngzG+si08rT0aoUEAipjkxYR1ubPFTEytd vVCIej2nN4U/PumR8x0f/I4AcCB6OCETnNEPYktl4ftrCsi5hT/9zXLimHtwGwi8QjQC lgT2Nv+Hey/Io26YPgvZqmnbQbbtZh0LemKvUa31R52UUPnTBrYVl8c0/9yFKlIhhyHr tIpdZsjSifTt30A5v6lUYR9S08ocQG+ANqaIxW8Jrw2fcGnn2oUc5rRyB5UiqYic1w11 RDo77QGy3qQBEW0aKb31oLd+dzpYUPDYxKaPDI5bCTNvrRRtu9KMJy8nL9EfbN4KV5UP hRtQ==
MIME-Version: 1.0
X-Received: by 10.194.91.228 with SMTP id ch4mr3567628wjb.59.1405133783802; Fri, 11 Jul 2014 19:56:23 -0700 (PDT)
Received: by 10.194.110.6 with HTTP; Fri, 11 Jul 2014 19:56:23 -0700 (PDT)
In-Reply-To: <m3pphbwe6i.fsf@carbon.jhcloos.org>
References: <m3pphbwe6i.fsf@carbon.jhcloos.org>
Date: Fri, 11 Jul 2014 19:56:23 -0700
Message-ID: <CABkgnnXY5VE8-Uia1QosoCTLeE9mq0ieBqbB_E1UsecKp2mVkg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: James Cloos <cloos@jhcloos.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/yPY64FR21g38a9j0oeY0-lC8OIs
Cc: cfrg@irtf.org, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLV vs Compression
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jul 2014 02:56:27 -0000

On 11 July 2014 18:36, James Cloos <cloos@jhcloos.com> wrote:
> Or posed differently, if an application knows that the tls socket uses
> pfs and is mutually authenticated, is it ever safe for *it* to compress
> the data it sends over said socket?

Tying this to authentication works only to the extent that the
authenticated actor is solely responsible for content.  The concern is
largely based on where the data comes from.  Attacks shared so far
[CRIME/BEAST] rely on compression that includes a mix of attacker
controlled content and content the attacker wants to learn about.

If you can guarantee single origin, then the length of an encrypted
packet can reveal information, but it's pretty low in signal.  An
attack might still be able to attack low entropy secrets that use
compression techniques that don't suit this use.  Besides,
guaranteeing that data is free from attacker influence is not that
easy to do.

The only technique that I think stands any chance here is to avoid
generic compression, and rely on content-aware compression mechanisms
that can be adjusted to deal with cases where content is controlled by
mutually distrustful actors.

Look here to the decisions made in HPACK, which is far worse than the
state of the art in terms of compression efficiency at best.  And
HPACK will rarely reach optimum compression in practice due to the
need for numerous safeguards against these sorts of attacks.