Hi Kenny,
> That would still leave a timing side channel which would reveal
whether the padding length exceeds the amount of data.
Maybe I was not precise:
Regardless of the content of the padding length byte and the result of
it's overflow check, I would always apply b), as you (and others)
recommended in the document. My impression of that "defined padding and
check" was a optimization to skip the MAC calculations. But as lucky13
shows, the MAC must always be calculated and filled up with extra
evaluations!
But, if b) is always applied, the intensive padding check in a) should
be possibly replaced by a simple overflow check without drawback.
> I'd need to dig into it more to be certain, but my sense is that such
a side channel could be turned into at least a partial plaintext
recovery attack, and possibly a full plaintext recovery attack.
That would be great!
Just one additional question, but if it's too far/deep, just ignore it:
My impression is, that the "plaintext recovery" requires the same
plaintext payload "serveral" times. Then the recover is from the end,
starting with 2 bytes, adding more bytes toward the start of the message
(here it comes, that it must be the same plaintext). With that, I'm
wondering, if such an approach could pass the MAC part (as plaintext
recovery), because this seems to be changing from session to session or
with the record sequence number. Assuming, that therefore the MAC part
must be cut of efficiently, but leave enough for still have an MAC check
on the truncated message, lead to a conclusion, that at least very short
messages are not affected. Does this match your assumptions?
best regards
Achim Kraus
Am 09.09.19 um 10:45 schrieb Paterson Kenneth:
Hi Achim,
See below for a comment on your analysis.
-----Original Message-----
From: TLS <tls-boun...@ietf.org> on behalf of Achim Kraus <achimkr...@gmx.net>
Date: Monday, 9 September 2019 at 09:24
To: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] RFC 7457, Lucky 13, mitigation, DTLS 1.2
RFC 7457, Lucky 13, mitigation, DTLS 1.2
Dear List,
currently I try to do some investigation about the simplest way to
mitigate the “lucky 13” attack without using RFC 7366.
Therefore I read the slides in [1] and also the recommended mitigation
in [2], which is cited in RFC 7457.
From the slides, my impression is, that the “defined padding & padding
check” was used to reduce the “timing side channel” of MAC depending on
the data fragment size. Lucky 13 demonstrates, that this “defined
padding” could be tricked out.
The recommended mitigation in [2] describes on page 539 to do,
a) the padding check “time side channel” free by using always “256
compares”
b) and the MAC check “time side channel” free, by adjust the number of
compression function evaluations with extra evaluations on dummy data to
achieve always the same number of evaluations.
FMPOV b) is the one, which closes the “time side channel”.
But a) seems to be more a left over. It doesn’t protect enough, as lucky
13 shows, and complicated algorithms, as “always 256 compares” even on
shorter messages, may harm more.
So, why should that “defined padding” check be done, if b) is applied?
Wouldn’t a simple check, if the padding length exceeds the amount of
data, and on failure, set it to 0, simplify the mitigation?
That would still leave a timing side channel which would reveal whether the
padding length exceeds the amount of data. I'd need to dig into it more to be
certain, but my sense is that such a side channel could be turned into at least
a partial plaintext recovery attack, and possibly a full plaintext recovery
attack.
You might want to read Adam Langley's account of how L13 was addressed in
OpenSSL:
https://www.imperialviolet.org/2013/02/04/luckythirteen.html
Regards,
Kenny
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
