Re: [TLS] Analysis of encrypting the headers - what is the length
Christian Huitema <huitema@microsoft.com> Sat, 05 December 2015 01:45 UTC
Return-Path: <huitema@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99C781B3518 for <tls@ietfa.amsl.com>; Fri, 4 Dec 2015 17:45:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id saAClnX0_H0w for <tls@ietfa.amsl.com>; Fri, 4 Dec 2015 17:45:07 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0750.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::750]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B49911A1AFB for <tls@ietf.org>; Fri, 4 Dec 2015 17:45:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=xadr/Jw8XlmbgzlVEODK3ySwuDW8PayyArMQkpFETrE=; b=PRm5MaiWjMKp8SMzgx5+jaw1Z2aYhbi9ZARcnCa5OwYZTf9/IfM9V7vA1EITkjCasApYqr6vqZQZ6H1md8H+5C09EXCYdUKLHdxBcaAv53sT9bIpz6Bmb++cn926XSHNh84YT2tUtg9fIl9ovVhRZ4+patvACDyUpH/WI5xrGtw=
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (10.160.96.17) by DM2PR0301MB0656.namprd03.prod.outlook.com (10.160.96.18) with Microsoft SMTP Server (TLS) id 15.1.337.19; Sat, 5 Dec 2015 01:44:47 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) by DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) with mapi id 15.01.0331.023; Sat, 5 Dec 2015 01:44:48 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Analysis of encrypting the headers - what is the length
Thread-Index: AdEu0JalwPblztfJSXu/VFHTM/aR9AALH1yg
Date: Sat, 05 Dec 2015 01:44:47 +0000
Message-ID: <DM2PR0301MB0655145FE6A0C95CAC9E25A7A80B0@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <11f501d12ed6$41150270$c33f0750$@augustcellars.com>
In-Reply-To: <11f501d12ed6$41150270$c33f0750$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=huitema@microsoft.com;
x-originating-ip: [131.107.147.15]
x-microsoft-exchange-diagnostics: 1; DM2PR0301MB0656; 5:ZY7defFSWvWwv/e+CyYXhqmXHj4hiqlZgszmdg81EZf0+onYWqeg1qyBbpbmZKUba0DBe9CBp2dTMvuNWq64RWWjjKZhUy18UG7fZRu9Q1KjAQ2bl4qocoSq26MVaPEV/sFkSKEUxhyjo+hPcUG91g==; 24:STlFBcXRlu21E2SoqPKm0frN7nIhY5L6L8pYpesjaJ2GgCKEDpl6FtEPp8YJbbfcCpvXPLEZP7QzAS/32uH0br4aDqQasVJzRPrzguYY8nA=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0656;
x-o365eop-header: O365_EOP: Allow for Unauthenticated Relay
x-o365ent-eop-header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
x-microsoft-antispam-prvs: <DM2PR0301MB06560FA6F723E907B49CA634A80B0@DM2PR0301MB0656.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(189930954265078);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046)(61426038)(61427038); SRVR:DM2PR0301MB0656; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0656;
x-forefront-prvs: 07817FCC2D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(76104003)(24454002)(199003)(377454003)(10400500002)(5005710100001)(86362001)(5002640100001)(5008740100001)(10290500002)(1220700001)(5003600100002)(8990500004)(10090500001)(1096002)(19580395003)(19580405001)(86612001)(74316001)(6116002)(102836003)(3846002)(586003)(76176999)(50986999)(54356999)(5004730100002)(87936001)(5001960100002)(66066001)(106356001)(2900100001)(101416001)(122556002)(33656002)(105586002)(2950100001)(40100003)(2501003)(99286002)(15975445007)(92566002)(77096005)(81156007)(189998001)(97736004)(5001770100001)(551544002)(107886002)(76576001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0656; H:DM2PR0301MB0655.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Dec 2015 01:44:47.9054 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0656
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/yoOdvzCeKcwVo8Ox0isa7Swpy0k>
Subject: Re: [TLS] Analysis of encrypting the headers - what is the length
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2015 01:45:09 -0000
On Friday, December 4, 2015 12:57 PM, Jim Schaad wrote: > To: tls@ietf.org > Subject: [TLS] Analysis of encrypting the headers - what is the length > ... > > DTLS - Given that most DTLS situations are going to want to keep the block > of data sent small, there is no to little incentive to send multiple DTLS blocks > in a single UDP packet. This means that the length of the encrypted data is > going to be easily found based on the length of the UDP packet. > One can probably make some significantly accurate guesses about what the > header fields are going to be for a DTLS packet, but I would assume that > even if the key could be determined it would not compromise the keys used > in protecting the D/TLS content itself. Some DTLS applications that care about privacy. An example is DPRIVE -- DNS over DTLS, or over TLS. The length of the packets matter. The length of cipher-texts for query and responses can enable guesses on the length of the name being looked at, and that's precisely what DPRIVE is trying to prevent. But then the answer is not to encrypt the length, because as Jim says it can be deduced from the size of the UDP packets, or even the patterns of the TCP stream. The solution instead is padding, either using the TLS 1.3 mechanism, or using the DNS padding option that DPRIVE is standardizing. There are debates on how much to pad exactly, e.g. to the max MTU or to some logarithmic scale. Will probably take some time to assess the best strategy. But it is going to happen. -- Christian Huitema > TLS w/ lock step protocol - Think about using TLS with a lock step protocol > such as exists for POP where you always have a situation where the client > sends a request and the server sends a response. Even with the length field > encrypted a traffic analysis is going to be able to determine the length of all > of many of the messages based on the amount of data that is flowing from > each of the end-points. Thus with POP I can make a good guess about the > length your password just by looking at the traffic being sent in terms of raw > byte counts even without the length being directly available. > > TLS w/ time breaks between operations - Think about doing browsing on a > web site. I read a page, which takes time, and then I click a link. Looking just > at the traffic flow I can make a really good guess about the length of the link > that you just sent to the server based on the number of bytes that are sent > from the client to the server before the server starts chattering. > Any protocol where there are going to be times where there is silence > followed by a request and then responses is going to all for a relatively easy > guess about the length of the request based just on the number of bytes in > the stream. > > These are all situations where if one say - My attack model is that exposing > the length of the encrypted data allows the attacker to obtain significant > information about what I am sending - then the simple expedient of > encrypting the header information is clearly insufficient to deal with the > attack proposed. Additional steps need to be taken as well. For example > sending all of the randomly updating adware back on the same TLS channel > to prevent time breaks from occurring. (What a horrid idea of using adware > as a method of preventing attacks.) > > I believe that this is the type of analysis that Peter is looking for in terms of > what is the attack you are trying to prevent, what does the proposed remedy > actually do what you think it does. The situations above would all appear to > be better dealt with padding of the plain text in some manner rather than > encrypting the length field. > > Jim > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ie > tf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7chuitema%40microsof > t.com%7c329977d637c04d729a5708d2fcedcbc2%7c72f988bf86f141af91ab2 > d7cd011db47%7c1&sdata=cNl1i6bnNSNrsPR%2bZ9JHOiepttgz6nRmoIQn7en > Exto%3d
- [TLS] Analysis of encrypting the headers - what i… Jim Schaad
- Re: [TLS] Analysis of encrypting the headers - wh… Christian Huitema
- Re: [TLS] Analysis of encrypting the headers - wh… Bryan A Ford
- Re: [TLS] Analysis of encrypting the headers - wh… Jim Schaad