Re: [TLS] RFC 7457, Lucky 13, mitigation, DTLS 1.2

Mon, 09 Sep 2019 01:46:20 -0700 

Hi Achim,

See below for a comment on your analysis.

-----Original Message-----
From: TLS <tls-boun...@ietf.org> on behalf of Achim Kraus <achimkr...@gmx.net>
Date: Monday, 9 September 2019 at 09:24
To: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] RFC 7457, Lucky 13, mitigation, DTLS 1.2

    RFC 7457, Lucky 13, mitigation, DTLS 1.2
    
    Dear List,
    
    currently I try to do some investigation about the simplest way to
    mitigate the “lucky 13” attack without using RFC 7366.
    
    Therefore I read the slides in [1] and also the recommended mitigation
    in [2], which is cited in RFC 7457.
    
     From the slides, my impression is, that the “defined padding & padding
    check” was used to reduce the “timing side channel” of MAC depending on
    the data fragment size. Lucky 13 demonstrates, that this “defined
    padding” could be tricked out.
    
    The recommended mitigation in [2] describes on page 539 to do,
    a) the padding check “time side channel” free by using always “256 compares”
    b) and the MAC check “time side channel” free, by adjust the number of
    compression function evaluations with extra evaluations on dummy data to
    achieve always the same number of evaluations.
    
    FMPOV b) is the one, which closes the “time side channel”.
    But a) seems to be more a left over. It doesn’t protect enough, as lucky
    13 shows, and complicated algorithms, as “always 256 compares” even on
    shorter messages, may harm more.
    
    So, why should that “defined padding” check be done, if b) is applied?
    
    Wouldn’t a simple check, if the padding length exceeds the amount of
    data, and on failure, set it to 0, simplify the mitigation?
    
That would still leave a timing side channel which would reveal whether the 
padding length exceeds the amount of data. I'd need to dig into it more to be 
certain, but my sense is that such a side channel could be turned into at least 
a partial plaintext recovery attack, and possibly a full plaintext recovery 
attack. 

You might want to read Adam Langley's account of how L13 was addressed in 
OpenSSL:

https://www.imperialviolet.org/2013/02/04/luckythirteen.html

Regards,

Kenny 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to