Re: [TLS] RFC 7457, Lucky 13, mitigation, DTLS 1.2

[Paterson Kenneth]

Hi Achim,

Let's take this off the list, as the details are probably not too interesting 
to many folks these days?

Cheers

Kenny

-----Original Message-----
From: Achim Kraus <achimkr...@gmx.net>
Date: Monday, 9 September 2019 at 11:49
To: Paterson  Kenneth <kenny.pater...@inf.ethz.ch>, "tls@ietf.org" 
<tls@ietf.org>
Subject: Re: [TLS] RFC 7457, Lucky 13, mitigation, DTLS 1.2

    Hi Kenny,
    
     > That would still leave a timing side channel which would reveal
    whether the padding length exceeds the amount of data.
    
    Maybe I was not precise:
    Regardless of the content of the padding length byte and the result of
    it's overflow check, I would always apply b), as you (and others)
    recommended in the document. My impression of that "defined padding and
    check" was a optimization to skip the MAC calculations. But as lucky13
    shows, the MAC must always be calculated and filled up with extra
    evaluations!
    But, if b) is always applied, the intensive padding check in a) should
    be possibly replaced by a simple overflow check without drawback.
    
     > I'd need to dig into it more to be certain, but my sense is that such
    a side channel could be turned into at least a partial plaintext
    recovery attack, and possibly a full plaintext recovery attack.
    
    That would be great!
    
    Just one additional question, but if it's too far/deep, just ignore it:
    My impression is, that the "plaintext recovery" requires the same
    plaintext payload "serveral" times. Then the recover is from the end,
    starting with 2 bytes, adding more bytes toward the start of the message
    (here it comes, that it must be the same plaintext). With that, I'm
    wondering, if such an approach could pass the MAC part (as plaintext
    recovery), because this seems to be changing from session to session or
    with the record sequence number. Assuming, that therefore the MAC part
    must be cut of efficiently, but leave enough for still have an MAC check
    on the truncated message, lead to a conclusion, that at least very short
    messages are not affected. Does this match your assumptions?
    
    best regards
    Achim Kraus
    
    Am 09.09.19 um 10:45 schrieb Paterson  Kenneth:
    > Hi Achim,
    >
    > See below for a comment on your analysis.
    >
    > -----Original Message-----
    > From: TLS <tls-boun...@ietf.org> on behalf of Achim Kraus 
<achimkr...@gmx.net>
    > Date: Monday, 9 September 2019 at 09:24
    > To: "tls@ietf.org" <tls@ietf.org>
    > Subject: [TLS] RFC 7457, Lucky 13, mitigation, DTLS 1.2
    >
    >      RFC 7457, Lucky 13, mitigation, DTLS 1.2
    >
    >      Dear List,
    >
    >      currently I try to do some investigation about the simplest way to
    >      mitigate the “lucky 13” attack without using RFC 7366.
    >
    >      Therefore I read the slides in [1] and also the recommended 
mitigation
    >      in [2], which is cited in RFC 7457.
    >
    >       From the slides, my impression is, that the “defined padding & 
padding
    >      check” was used to reduce the “timing side channel” of MAC depending 
on
    >      the data fragment size. Lucky 13 demonstrates, that this “defined
    >      padding” could be tricked out.
    >
    >      The recommended mitigation in [2] describes on page 539 to do,
    >      a) the padding check “time side channel” free by using always “256 
compares”
    >      b) and the MAC check “time side channel” free, by adjust the number 
of
    >      compression function evaluations with extra evaluations on dummy 
data to
    >      achieve always the same number of evaluations.
    >
    >      FMPOV b) is the one, which closes the “time side channel”.
    >      But a) seems to be more a left over. It doesn’t protect enough, as 
lucky
    >      13 shows, and complicated algorithms, as “always 256 compares” even 
on
    >      shorter messages, may harm more.
    >
    >      So, why should that “defined padding” check be done, if b) is 
applied?
    >
    >      Wouldn’t a simple check, if the padding length exceeds the amount of
    >      data, and on failure, set it to 0, simplify the mitigation?
    >
    > That would still leave a timing side channel which would reveal whether 
the padding length exceeds the amount of data. I'd need to dig into it more to 
be certain, but my sense is that such a side channel could be turned into at 
least a partial plaintext recovery attack, and possibly a full plaintext 
recovery attack.
    >
    > You might want to read Adam Langley's account of how L13 was addressed in 
OpenSSL:
    >
    > https://www.imperialviolet.org/2013/02/04/luckythirteen.html
    >
    > Regards,
    >
    > Kenny
    >
    
    

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls