[TLS] TLS 1.3 - Just ditch compression
Scott Arciszewski <scott@paragonie.com> Fri, 09 October 2015 02:10 UTC
Return-Path: <scott@paragonie.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 381001A877F for <tls@ietfa.amsl.com>; Thu, 8 Oct 2015 19:10:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.522
X-Spam-Level:
X-Spam-Status: No, score=0.522 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_71=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j5y1WLRXooBU for <tls@ietfa.amsl.com>; Thu, 8 Oct 2015 19:10:54 -0700 (PDT)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B81FC1A8773 for <tls@ietf.org>; Thu, 8 Oct 2015 19:10:53 -0700 (PDT)
Received: by lbbwt4 with SMTP id wt4so66080004lbb.1 for <tls@ietf.org>; Thu, 08 Oct 2015 19:10:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=OXZwG0EBIV1vTMufX0DDYs9AkmkbdUn+1ZdmSK3d8lk=; b=W/5Hwr43p0o+6B+8OsEcWz8Ma5HTfMukVRdLg3nMr+jvmKBDMp60Toeq7zCApo4H8B bf4ztA2sq/IRvIvLdp/VjTXpQgfvE9MRyxVGskTSCoCZaMzF6o6+PGTA+FTMW5M1I66u SYfxcCAB0C4hyQwIQpLanApg9i7TRMJIq5UPQOY1ZKDUsnZ5JGP+r+yz47vh7tBIFwQ4 KhNry9jtn6Bnscp57WPxqUpxfBatG3xFWW5QnV7Maqavj7vK5Pj31n02nuW0nXNBX7mi 3Ccd/FbkW+3VIVYIuUtjG9LLIleKTluF/WMah8jUWsRtqlNGKODcjkEa5ibmqUE+5bP1 GI/Q==
X-Gm-Message-State: ALoCoQmPVdF0ypxKURB/EREHF9ABS2PVkpDLDLQak8o9fCCydtuqwWriF6KKnVxmrqtPuYl7bjFL
MIME-Version: 1.0
X-Received: by 10.112.200.202 with SMTP id ju10mr5090387lbc.97.1444356651851; Thu, 08 Oct 2015 19:10:51 -0700 (PDT)
Received: by 10.114.79.105 with HTTP; Thu, 8 Oct 2015 19:10:51 -0700 (PDT)
Message-ID: <CAKws9z0GLPF5=x0wOfJLW6Pncgc0ksY=U87h-Lsw+w-wLsX=DQ@mail.gmail.com>
From: Scott Arciszewski <scott@paragonie.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="001a11c386c629b70a0521a27d3e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ydyh6rJL3BmYZvrX9FDmtWrZMtg>
X-Mailman-Approved-At: Sun, 01 Nov 2015 16:50:23 -0800
Subject: [TLS] TLS 1.3 - Just ditch compression
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Date: Fri, 09 Oct 2015 02:12:51 -0000
X-Original-Date: Thu, 8 Oct 2015 22:10:51 -0400
X-List-Received-Date: Fri, 09 Oct 2015 02:12:51 -0000
Based on CRIME and BREACH we know that this construction is not secure: C = encrypt(compress(A || B)) If you control B and A contains sensitive information, strlen(C) tells you information about A. Vice versa if you control A and B contains sensitive information. In the context of a web application, this can lead to the compromise the contents of HTTP-Only cookies. This is known to be safe: C = encrypt(A || B). (No compression.) This might be safe: C = encrypt(A || compress(B) ). If an application needs to compress data before encryption, it shouldn't be a Transport Layer protocol's job to do so. Compression has no place in Transport Layer Security. Please nix it until we can, in a provably secure manner, make C = encrypt(compress(A || B)) not leak information about A when an attacker controls B. I await your IACR papers that prove the contrary, or a swift and decisive vote to kill TLS encryption in 1.3. Further bikeshedding is just embarrassing. Just my $0.02. Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises <https://paragonie.com>
- [TLS] TLS 1.3 - Just ditch compression Scott Arciszewski
- Re: [TLS] TLS 1.3 - Just ditch compression Russ Housley
- Re: [TLS] TLS 1.3 - Just ditch compression Dave Garrett
- Re: [TLS] TLS 1.3 - Just ditch compression Sean Turner