| draft-pironti-tls-length-hiding-01.txt | draft-pironti-tls-length-hiding-02.txt |
|---|---|
| Network Working Group A. Pironti | Network Working Group A. Pironti |
| Internet-Draft INRIA Paris-Rocquencourt | Internet-Draft INRIA Paris-Rocquencourt |
| Expires: January 30, 2014 N. Mavrogiannopoulos | Expires: March 15, 2014 N. Mavrogiannopoulos |
| KU Leuven | Independent |
| July 29, 2013 | September 11, 2013 |
| Length Hiding Padding for the Transport Layer Security Protocol | Length Hiding Padding for the Transport Layer Security Protocol |
| draft-pironti-tls-length-hiding-01 | draft-pironti-tls-length-hiding-02 |
| Abstract | Abstract |
| This memo proposes length hiding methods of operation for the TLS | This memo proposes length hiding methods of operation for the TLS |
| protocol. It defines a TLS extension to allow arbitrary amount of | protocol. It defines a TLS extension to allow arbitrary amount of |
| padding in any TLS ciphersuite, and it presents guidelines and a | padding in any TLS ciphersuite, and it presents guidelines and a |
| reference implementation of record fragmentation and padding so that | reference implementation of record fragmentation and padding so that |
| the length of the exchanged messages is effectively concealed within | the length of the exchanged messages is effectively concealed within |
| a given range of lengths. The latter guidelines also apply to the | a given range of lengths. The latter guidelines also apply to the |
| standard TLS padding allowed by the TLS block ciphers. | standard TLS padding allowed by the TLS block ciphers. |
| skipping to change at page 1, line 37 | skipping to change at page 1, line 37 |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on January 30, 2014. | This Internet-Draft will expire on March 15, 2014. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
| skipping to change at page 6, line 40 | skipping to change at page 6, line 40 |
| the pad MUST be such that the total length (i.e., the pad, the | the pad MUST be such that the total length (i.e., the pad, the |
| content and the MAC) are a multiple of the block size. | content and the MAC) are a multiple of the block size. |
| For the various ciphers the data are authenticated as follows. | For the various ciphers the data are authenticated as follows. |
| Standard Stream Ciphers: | Standard Stream Ciphers: |
| MAC(MAC_write_key, seq_num + | MAC(MAC_write_key, seq_num + |
| TLSCompressed.type + | TLSCompressed.type + |
| TLSCompressed.version + | TLSCompressed.version + |
| TLSCompressed.length + | length + |
| TLSCiphertext.fragment.GenericStreamCipher.pad + | TLSCiphertext.fragment.GenericStreamCipher.pad + |
| TLSCompressed.fragment); | TLSCompressed.fragment); |
| Block Ciphers: | Block Ciphers: |
| MAC(MAC_write_key, seq_num + | MAC(MAC_write_key, seq_num + |
| TLSCompressed.type + | TLSCompressed.type + |
| TLSCompressed.version + | TLSCompressed.version + |
| TLSCompressed.length + | length + |
| TLSCiphertext.fragment.GenericBlockCipher.pad + | TLSCiphertext.fragment.GenericBlockCipher.pad + |
| TLSCompressed.fragment); | TLSCompressed.fragment); |
| AEAD Ciphers: | AEAD Ciphers: |
| | additional_data = seq_num + TLSCompressed.type + |
| | TLSCompressed.version + length; |
| AEADEncrypted = AEAD-Encrypt(write_key, nonce, | AEADEncrypted = AEAD-Encrypt(write_key, nonce, |
| pad + plaintext, | pad + plaintext, |
| additional_data); | additional_data); |
| | length |
| | For all the above cases, a uint16 containing the sum of the |
| | padding length and the content length. |
| Implementation note: With block and stream ciphers, in order to avoid | Implementation note: With block and stream ciphers, in order to avoid |
| padding oracles, decryption, MAC verification and payload decoding | padding oracles, decryption, MAC verification and payload decoding |
| MUST be executed in the following order. | MUST be executed in the following order. |
| 1. Decrypt TLSCiphertext.fragment. | 1. Decrypt TLSCiphertext.fragment. |
| 2. Verify the MAC. | 2. Verify the MAC. |
| 3. Split plaintext from pad. | 3. Split plaintext from pad. |
| skipping to change at page 18, line 16 | skipping to change at page 18, line 16 |
| Alfredo Pironti | Alfredo Pironti |
| INRIA Paris-Rocquencourt | INRIA Paris-Rocquencourt |
| 23, Avenue d'Italie | 23, Avenue d'Italie |
| Paris, 75214 CEDEX 13 | Paris, 75214 CEDEX 13 |
| France | France |
| Email: alfredo.pironti@inria.fr | Email: alfredo.pironti@inria.fr |
| Nikos Mavrogiannopoulos | Nikos Mavrogiannopoulos |
| Dept. of Electrical Engineering ESAT/COSIC KU Leuven - iMinds | Independent |
| Kasteelpark Arenberg 10, bus 2446 | Leuven, B-3000 |
| Leuven-Heverlee, B-3001 | |
| Belgium | Belgium |
| Email: nikos.mavrogiannopoulos@esat.kuleuven.be | Email: nmav@gnutls.org |

End of changes. 9 change blocks. 10 lines changed or deleted, 16 lines changed or added.
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
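The diff above changes the MAC input from `TLSCompressed.length` to a `length` field defined as the uint16 sum of pad length and content length, and keeps the implementation note that decryption, MAC verification and pad splitting MUST happen in that order. The following is an added worked example, not code from either draft version nor from the authors' reference implementation. It models the stream-cipher case: the pad is chosen so that the padded length is uniform in a target range (with the block-cipher rounding rule shown as an option), the MAC covers `seq_num + type + version + length + pad + fragment` in the draft's order, and the receiver verifies the MAC before it reads any pad-length field. The plaintext layout (`uint16 pad_len | pad | content | MAC`), the use of HMAC-SHA256 as the record MAC, and the HMAC-based counter-mode keystream standing in for a real stream cipher are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import struct

MAC_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 stands in for the record MAC (assumption)


def choose_pad_len(content_len, max_len, block_size=None):
    """Pick a pad length so that pad + content lands uniformly in [content_len, max_len].
    With block_size set, the pad is rounded up so that pad + content + MAC (plus the assumed
    2-byte pad-length prefix) is a multiple of the block size, mirroring the draft's rule
    for block ciphers.  Rounding may push the total slightly past max_len."""
    if content_len > max_len:
        raise ValueError("content does not fit in the length-hiding range")
    pad_len = secrets.randbelow(max_len - content_len + 1)
    if block_size:
        pad_len += (-(2 + pad_len + content_len + MAC_LEN)) % block_size
    return pad_len


def record_header(seq_num, rec_type, version, length):
    """seq_num + type + version + length, where 'length' is the uint16 sum of the
    pad length and the content length, as the -02 text defines it."""
    return struct.pack("!QBHH", seq_num, rec_type, version, length)


def keystream(key, seq_num, n):
    """Constructed toy keystream (HMAC-SHA256 in counter mode) standing in for the
    record stream cipher so that the example needs only the standard library."""
    out = bytearray()
    for ctr in range((n + MAC_LEN - 1) // MAC_LEN):
        out += hmac.new(key, struct.pack("!QI", seq_num, ctr), hashlib.sha256).digest()
    return bytes(out[:n])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(mac_key, enc_key, seq_num, rec_type, version, content, max_len, block_size=None):
    """Sender side: pad, MAC over header + pad + fragment, then encrypt.
    Assumed plaintext layout: uint16 pad_len | pad | content | MAC.  The 2-byte
    pad-length prefix is treated as part of the pad vector and is therefore MACed."""
    pad = secrets.token_bytes(choose_pad_len(len(content), max_len, block_size))
    body = struct.pack("!H", len(pad)) + pad + content
    header = record_header(seq_num, rec_type, version, len(pad) + len(content))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    plaintext = body + tag
    return xor(plaintext, keystream(enc_key, seq_num, len(plaintext)))


def open_record(mac_key, enc_key, seq_num, rec_type, version, ciphertext):
    """Receiver side in the order the draft mandates: decrypt, verify the MAC,
    and only then split the pad from the content."""
    # 1. Decrypt TLSCiphertext.fragment.
    plaintext = xor(ciphertext, keystream(enc_key, seq_num, len(ciphertext)))
    if len(plaintext) < 2 + MAC_LEN:
        raise ValueError("bad_record_mac")
    body, tag = plaintext[:-MAC_LEN], plaintext[-MAC_LEN:]
    # 2. Verify the MAC.  'length' is derived from the record size, not from any
    #    field inside the plaintext, so no pad-related parsing happens before the
    #    tag check and a corrupted pad length cannot steer the verifier.
    length = len(body) - 2
    expected = hmac.new(mac_key, record_header(seq_num, rec_type, version, length) + body,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad_record_mac")
    # 3. Split plaintext from pad; pad_len is trusted only because it was authenticated.
    pad_len = struct.unpack("!H", body[:2])[0]
    return body[2 + pad_len:]


if __name__ == "__main__":
    mk, ek = secrets.token_bytes(32), secrets.token_bytes(32)
    # Two requests of different sizes; both ciphertexts fall in the same length range.
    for msg in (b"GET /a HTTP/1.1", b"GET /a-much-longer-path-here HTTP/1.1"):
        ct = seal(mk, ek, 1, 23, 0x0303, msg, max_len=64)
        print(len(ct), open_record(mk, ek, 1, 23, 0x0303, ct))
```

Because `length` is recomputed from the decrypted record size rather than read from the pad-length prefix, every byte of the body (prefix included) is covered by the tag before the receiver acts on it; a flipped bit anywhere, or a replay under another sequence number, fails at step 2 with the same `bad_record_mac` outcome, which is the property the implementation note is after.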