Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

On Tuesday, 15 August 2017 00:55:50 CEST Colm MacCárthaigh wrote: > On Mon, Aug 14, 2017 at 8:16 PM, Hubert Kario wrote: > > the difference in processing that is equal to just few clock cycles is > > detectable over network[1] > > The post you reference actually says the opposite; "20 CPU cycles

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

I've created a Pull Request that introduces requirement for constant time processing of padding and an example on how to do it: https://github.com/tlswg/tls13-spec/pull/1073 On Friday, 11 August 2017 16:11:10 CEST Nikos Mavrogiannopoulos wrote: > Imagine the following scenario, where the server

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

On Tue, Aug 15, 2017 at 03:31:56PM +0200, Hubert Kario wrote: > I've created a Pull Request that introduces requirement for constant time > processing of padding and an example on how to do it: > > https://github.com/tlswg/tls13-spec/pull/1073 -1 Except doing the depad in constant-time is usele

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

On Tuesday, 15 August 2017 15:54:15 CEST Ilari Liusvaara wrote: > On Tue, Aug 15, 2017 at 03:31:56PM +0200, Hubert Kario wrote: > > I've created a Pull Request that introduces requirement for constant time > > processing of padding and an example on how to do it: > > > > https://github.com/tlswg/t

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

I generally agree with Ilari. To recap what I said on the PR: I think it would be fine to sharpen the point about padding leaking information and I'd take a short PR for that. I don't believe it's necessary either to require that it be constant time (for the reasons I indicated on-list and already

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

On Tue, Aug 15, 2017 at 1:55 PM, Hubert Kario wrote: > On Tuesday, 15 August 2017 00:55:50 CEST Colm MacCárthaigh wrote: >> On Mon, Aug 14, 2017 at 8:16 PM, Hubert Kario wrote: >> > the difference in processing that is equal to just few clock cycles is >> > detectable over network[1] >> >> The po

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

On Tuesday, 15 August 2017 18:27:27 CEST Colm MacCárthaigh wrote: > On Tue, Aug 15, 2017 at 1:55 PM, Hubert Kario wrote: > > On Tuesday, 15 August 2017 00:55:50 CEST Colm MacCárthaigh wrote: > >> On Mon, Aug 14, 2017 at 8:16 PM, Hubert Kario wrote: > >> ... and even today with very low > >> laten

Re: [TLS] OCSP status_request_v2 extension

On 08/14/2017 01:26 PM, Ilari Liusvaara wrote: > On Mon, Aug 14, 2017 at 08:03:08PM +0200, Hubert Kario wrote: >> Current (21) draft references RFC 6961 in multiple places, in particular >> * Section 4.4.2: >> Valid extensions >> include OCSP Status extensions ([RFC6066] and [RFC6961]) >

Re: [TLS] draft-ietf-tls-tls13-21: TLS 1.3 record padding removal leaks padding size

On Tuesday, 15 August 2017 17:28:22 CEST Eric Rescorla wrote: > I generally agree with Ilari. To recap what I said on the PR: > I think it would be fine to sharpen the point about padding leaking > information and I'd take a short PR for that. I've prepared https://github.com/tlswg/tls13-spec/pull