Network Working Group                                         A. Pironti
Internet-Draft                                  INRIA Paris-Rocquencourt
Expires: August 11, 2013                            N. Mavrogiannopoulos
                                                               KU Leuven
                                                        February 7, 2013


    Length Hiding Padding for the Transport Layer Security Protocol
                   draft-pironti-tls-length-hiding-00

Abstract

   This memo proposes length hiding methods of operation for the TLS
   protocol.  It defines a TLS extension to allow arbitrary amount of
   padding in any TLS ciphersuite, and it presents guidelines and a
   reference implementation of record fragmentation and padding so that
   the length of the exchanged messages is effectively concealed within
   a given range of lengths.  The latter guidelines also apply to the
   standard TLS padding allowed by the TLS block ciphers.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 11, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must



Pironti & Mavrogiannopoulos  Expires August 11, 2013            [Page 1]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  TLS Extension: Extended Record Padding . . . . . . . . . . . .  5
     3.1.  Extension Negotiation  . . . . . . . . . . . . . . . . . .  5
     3.2.  Record Payload . . . . . . . . . . . . . . . . . . . . . .  5
   4.  A Length Hiding Mechanism for TLS  . . . . . . . . . . . . . .  8
     4.1.  Range Splitting  . . . . . . . . . . . . . . . . . . . . .  8
       4.1.1.  Fragmenting Plaintext into Records . . . . . . . . . . 10
       4.1.2.  Adding the Length Hiding Padding . . . . . . . . . . . 11
       4.1.3.  A Length Hiding API  . . . . . . . . . . . . . . . . . 11
     4.2.  Applicability  . . . . . . . . . . . . . . . . . . . . . . 12
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
     5.1.  Length Hiding with standard TLS block ciphers  . . . . . . 13
     5.2.  Length Hiding with extended record padding . . . . . . . . 13
     5.3.  Mitigating Denial of Service . . . . . . . . . . . . . . . 14
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 15
   7.  Normative References . . . . . . . . . . . . . . . . . . . . . 16
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17


























Pironti & Mavrogiannopoulos  Expires August 11, 2013            [Page 2]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


1.  Introduction

   When using CBC block ciphers, the TLS protocol [RFC5246] provides
   means to frustrate attacks based on analysis of the length of
   exchanged messages, by adding extra pad to TLS records.  However, the
   TLS specification does not define a length hiding (LH) method for
   applications that require it.  In fact, current implementations of
   eager fragmentation strategies or random padding strategies have been
   showed to be ineffective against this kind of traffic analysis
   [LH-PADDING].

   This document proposes a TLS extension to allow arbitrary amount of
   padding in any TLS ciphersuite, and in addition it presents
   guidelines and a reference implementation of record fragmentation and
   padding so that the length of the exchanged messages is effectively
   concealed within a range of lengths provided by the user of the TLS
   record protocol.  The latter guidelines also apply to the standard
   TLS padding allowed by the TLS block ciphers.

   The proposed extension also eliminates padding oracles (both in
   errors and timing) that have been plaguing standard TLS block ciphers
   [CBCTIME] [DTLS-ATTACK]

   When using standard TLS block cipher padding, the goals of LH for TLS
   are the following:

   1.  Length-Hiding: use message fragmentation and the allowed extra
       padding for block ciphers to conceal the real length of the
       exchanged message within a range of lengths chosen by the user of
       the TLS record protocol.  All messages sent with the same range
       use the same network bandwidth, regardless of the real size of
       the message itself.

   2.  Interoperability: an implementation sending length-hidden
       messages correctly interoperates with non LH-aware
       implementations of TLS.

   3.  Efficiency: the minimum required amount of extra padding is used,
       and the minimum number of required fragments is sent.

   By design, in the standard TLS block cipher mode, only a limited
   amount of extra padding can be carried with each record fragment, and
   this can potentially require extra fragmentation for wide ranges.
   Moreover, no LH can be implemented for stream ciphers.  To overcome
   these limitations, the TLS extension proposed in this document
   enables efficient LH both for block and stream ciphers (at the
   partial cost of interoperability, as both parties must implement the
   extension).



Pironti & Mavrogiannopoulos  Expires August 11, 2013            [Page 3]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


2.  Terminology

   This document uses the same notation and terminology used in the TLS
   Protocol specification [RFC5246].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].











































Pironti & Mavrogiannopoulos  Expires August 11, 2013            [Page 4]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


3.  TLS Extension: Extended Record Padding

   The TLS extended record padding is a variant of the TLS record
   protocol where every record can be padded up to 2^14 bytes,
   regardless of the cipher being used.

3.1.  Extension Negotiation

   In order to indicate the support of the extended record padding,
   clients MUST include an extension of type "extended_record_padding"
   to the extended client hello message.  The "extended_record_padding"
   TLS extension is assigned the value of TDB-BY-IANA from the TLS
   ExtensionType registry.  This value is used as the extension number
   for the extensions in both the client hello message and the server
   hello message.  The hello extension mechanism is described in
   [RFC5246].

   This extension carries no payload and indicates support for the
   extended record padding.  The "extension_data" field of this
   extension are of zero length in both the client and the server.

   The negotiated record padding applies for the duration of the session
   including session resumption.  A client wishing to resume a session
   where the extended record padding was negotiated SHOULD include the
   "extended_record_padding" extension in the client hello.

3.2.  Record Payload

   The translation of the TLSCompressed structure into TLSCiphertext
   remains the same as in [RFC5246].  When the cipher is
   BulkCipherAlgorithm.null, the 'fragment' structure of TLSCiphertext
   also remains unchanged.  That is, for the TLS_NULL_WITH_NULL_NULL
   ciphersuite and for MAC-only ciphersuites this extension has no
   effect.  For all other ciphersuites, the 'fragment' structure of
   TLSCiphertext is modified as follows.
















Pironti & Mavrogiannopoulos  Expires August 11, 2013            [Page 5]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


         stream-ciphered struct {
             opaque pad<0..2^14>;
             opaque content[TLSCompressed.length];
             opaque MAC[SecurityParameters.mac_length];
         } GenericStreamCipher;

         struct {
             opaque IV[SecurityParameters.record_iv_length];
             block-ciphered ciphered struct {
                 opaque pad<0..2^14>;
                 opaque content[TLSCompressed.length];
                 opaque MAC[CipherSpec.hash_size];
             };
         } GenericBlockCipher;

         struct {
             opaque nonce_explicit[SecurityParameters.record_iv_length];
             aead-ciphered struct {
                 opaque pad<0..2^14>;
                 opaque content[TLSCompressed.length];
                 opaque MAC[CipherSpec.hash_size];
             };
         } GenericAEADCipher;

   The padding can be filled with arbitrary data, and it is
   authenticated as part of the MAC.  For block ciphers, the length of
   the pad MUST be such that the total length (i.e., the pad, the
   content and the MAC) are a multiple of the block size.

   For the various ciphers the data are authenticated as follows.

      Standard Stream Ciphers:

                 MAC(MAC_write_key, seq_num +
                     TLSCompressed.type +
                     TLSCompressed.version +
                     TLSCompressed.length +
                     TLSCiphertext.fragment.GenericStreamCipher.pad +
                     TLSCompressed.fragment);

      Block Ciphers:

                 MAC(MAC_write_key, seq_num +
                     TLSCompressed.type +
                     TLSCompressed.version +
                     TLSCompressed.length +
                     TLSCiphertext.fragment.GenericBlockCipher.pad +
                     TLSCompressed.fragment);



Pironti & Mavrogiannopoulos  Expires August 11, 2013            [Page 6]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


      AEAD Ciphers:

                 AEADEncrypted = AEAD-Encrypt(write_key, nonce,
                                              pad + plaintext,
                                              additional_data);

   Implementation note: With block and stream ciphers, in order to avoid
   padding oracles, decryption, MAC verification and payload decoding
   SHOULD be executed in the following order:

   1.  Decrypt TLSCiphertext.fragment.

   2.  Verify the MAC.

   3.  Split plaintext from pad.




































Pironti & Mavrogiannopoulos  Expires August 11, 2013            [Page 7]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


4.  A Length Hiding Mechanism for TLS

   In order to send length-hidden messages, a user of a LH-TLS
   implementation provides the plaintext to be sent together with a
   range (low,high), meaning that an attacker can at most learn that the
   real plaintext length is between low and high.

   The LH mechanism described in the rest of this document applies both
   to standard TLS block ciphers and the extended record padding of
   section Section 3.

4.1.  Range Splitting

   Not all user-provided ranges can be conveyed in a singe TLS record
   fragment.  A LH-TLS implementation uses a fragmentation algorithm
   that takes a message with a desired length range (low,high) and
   breaks it up into n suitably sized ranges each of which can be
   conveyed in a single TLS record fragment.  The Range and
   FragmentRange are defined as follows.

   struct {
     uint32 low;
     unit32 high;
   } Range;

   struct {
     uint16 low;
     unit16 high;
   } FragmentRange;

   If the difference between Range.high and Range.low is greater than
   the maximum allowed padding size for a single fragment, or if their
   value is greater than the maximum fragment size, the given range must
   be split into multiple smaller FragmentRange structures each of which
   can be conveyed into a single TLS record.

   Range.low MUST be less or equal to Range.high.  Declaring Range.low
   and Range.high as uint32 allows to send messages of length up to
   2^32: TLS implementations MAY use larger data types for these fields.
   A FragmentRange, that can be conveyed in one record, MUST have both
   values of FragmentRange.low and FragmentRange.high not exceeding 2^14
   (or the negotiated maximum value of TLSPlaintext.length [RFC6066]).

   A TLS implementation applies the range splitting algorithm starting
   from the user-provided Range structure, resulting into a sequence of
   FragmentRange structures.  For each FragmentRange structure, it
   transmits a TLS record adhering into the limits of the corresponding
   FragmentRange.  When a block cipher is in use, on each record the



Pironti & Mavrogiannopoulos  Expires August 11, 2013            [Page 8]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


   implementation computes n bytes of minimal padding (the minimum
   amount of padding required to get block alignment) pretending the
   length of the plaintext is FragmentRange.high.  The total padding
   added to the current fragment is finally n plus the difference
   between Range.high and the real plaintext length.

   This document does not mandate any specific algorithm to split a
   Range into multiple FragmentRange ranges.  The only constraint is
   that the sum of the obtained sequence of ranges equals the range
   given as input.  Implementations may use non-deterministic splitting
   algorithms to change the shape of the traffic each time messages with
   the same range are exchanged.

   A reference range splitting algorithm is provided in the following.

   // The maximum allowed TLSPlaintext.length
   uint16 FS = 2^14;
   // Maximum padding size:
   // p = 255 for standard TLS block ciphers;
   // p = 2^14 for extended record padding
   uint16 PS = p;
   // Length of the padlen:
   // pl = 1 for standard TLS block ciphers;
   // pl = 2 for extended record padding
   uint8  PL = pl;
   // Note: Block size is 0 for stream ciphers
   uint8  BS = SecurityParameters.block_length;
   // MAC size
   uint8  MS  = SecurityParameters.mac_length;

   /* Returns the maximum pad that can be added for a fragment,
    * given that at least 'len' bytes of plaintext will be
    * transferred.
    */
   uint16 max_lh_pad(uint16 len)
   {
       uint16 this_pad = min(PS,FS-len);
       if (BS == 0) {
           return this_pad;
       } else {
           uint8 overflow = (len + this_pad + MS + PL) % BS;
           if (overflow > this_pad) {
               return this_pad;
           } else {
               return this_pad - overflow;
           }
       }
   }



Pironti & Mavrogiannopoulos  Expires August 11, 2013            [Page 9]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


   FragmentRange split_range(Range *total)
   {
       FragmentRange f;

       if (total.high == total.low) {
           // "Point" range, no real LH to do:
           // just implement standard fragmentation.
           uint16 len = min(total.high,FS);
           f.low  = len;
           f.high = len;
           total->low  -= len;
           total->high -= len;
       } else if (total.low >= FS) {
           // More bytes to send than a fragment can handle:
           // send as many bytes as possible.
           f.low  = FS;
           f.high = FS;
           total->low  -= FS;
           total->high -= FS;
       } else {
           // We are LH: add as much padding as necessary
           // in the current fragment.
           uint16 all_pad = max_lh_pad(total->low);
           all_pad = min(all_pad, total->high - total->low);
           f.low  = total->low;
           f.high = total->low + all_pad;
           total->low   = 0;
           total->high -= total->low + all_pad;
       }

       return f;
   }

   This algorithm if called multiple times creates a list of
   FragmentRange structures, carrying all the payload up to Range.low,
   followed by a sequence of fragments carrying either padding or the
   remaining part of the message that exceeds Range.low.

4.1.1.  Fragmenting Plaintext into Records

   There are many ways to fragment the message content across a sequence
   of FragmentRanges.  This document does not mandate any fragmentation
   algorithm.  In the following, a fragmentation algorithm that tries to
   put as many bytes as possible in the first fragments is provided.







Pironti & Mavrogiannopoulos  Expires August 11, 2013           [Page 10]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


   /* len: The total real plaintext length to be sent.
    * r0: a range that can be conveyed in one fragment,
    *     as returned by split_range.
    * r1: the remaining range used to send the remaining data
    * Returns: the number of bytes of plaintext to be sent
    *          in the next fragment with range r0.
   uint16 fragment(uint32 len, FragmentRange r0, Range r1)
   {
       return min(r0.high, len - r1.low);
   }

4.1.2.  Adding the Length Hiding Padding

   If 'len' is the real plaintext length to be sent in a record fragment
   with range FragmentRange, a LH-TLS implementation MUST add at least
   FragmentRange.high - len bytes of padding to that record fragment
   (plus, if needed, some additional padding required to get block
   alignment).

   If the split_range and fragment functions above are used, then the
   difference FragmentRange.high - len is always smaller than the
   maximum available padding size (including further block alignment
   padding).

4.1.3.  A Length Hiding API

   Finally, a LH-aware TLS implementation MAY use the algorithms
   described in sections Section 4.1 and Section 4.1.1 to offer a LH TLS
   API similar to the following, where it is assumed that a
   TLS_send(data, len, target_length) function sends a single TLS record
   fragment adding the necessary padding to match the target_length, as
   explained in section Section 4.1.2.

   uint32 message_send(opaque data, Range total)
   {
       FragmentRange current;
       uint16 current_len, sent = 0;

       while (total.high != 0) {
           current = split_range(&total);
           next_len = fragment(data.length - sent, current, total);
           sent += TLS_send(&data[sent], next_len, current.high);
       }

       return sent;
   }

   This interface requires the TLS implementation to internally buffer



Pironti & Mavrogiannopoulos  Expires August 11, 2013           [Page 11]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


   the entire application message.  Alternatively, a LH TLS
   implementation MAY directly expose the split_range and fragment
   functions to the user, to avoid internal buffering.  Note that it is
   only necessary to know the desired plaintext range to execute the
   split_range function, not the real plaintext size nor its content.

4.2.  Applicability

   If a TLS-LH mechanism is used in a TLS session, then TLS record
   protocol compression MUST be disabled.  Compression is known to leak
   substantial information about the plaintext, including its length
   [COMPLEAK], which defeats the purpose of LH.  Moreover, since in TLS
   compression happens after fragmentation, and the compression ratio is
   not known a priori, it is impossible to define a precise
   fragmentation strategy when compression is in place.

   Length hiding can only work when some padding can be added before
   encryption, so that an attacker cannot distinguish whether the
   encrypted data are padding or application data.  Hence, LH can only
   be used with block ciphers in standard TLS, and with any cipher when
   the extended record padding is used.  In any case, length hiding MUST
   NOT be used with TLS_NULL_WITH_NULL_NULL or MAC-only ciphersuites.





























Pironti & Mavrogiannopoulos  Expires August 11, 2013           [Page 12]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


5.  Security Considerations

   The LH scheme described in this document is effective in hiding the
   length of the exchanged messages, when an attacker observes the total
   bandwidth exchanged by a client and server using TLS.  Crucially, the
   split_range algorithm, which determines the traffic shape and total
   bandwidth, MUST NOT depend on the real message length, but only on
   the Range.low and Range.high values, which are public.

   Similarly, only the application knows when the recipient of the
   message is expected to react, upon receiving the message.  For
   example, a web browser may start loading a hyperlink contained in an
   HTML file, as soon as the hyperlink is received, before the HTML file
   has been fully parsed.  By using a callback for the implementation of
   the fragment function, a LH-aware application using a TLS-LH library
   can decide how much data to send in each fragment.  An application
   should consider the TLS LH mechanism effective only to conceal the
   length of the message exchanged over the network.

   Yet, an application on top of TLS could easily leak the message
   length, by performing visible actions after a known amount of bytes
   has been received.  Hiding the length of the message at the
   application level is outside the scope of this document, and is a
   complex information flow property that should carefully considered
   when designing a LH-aware implementation.  Even the way the bytes are
   transferred from the TLS library to the application could leak
   information about their length.

5.1.  Length Hiding with standard TLS block ciphers

   Section 6.2.3.2, Implementation note, of [RFC5246] acknowledges a
   small timing channel, due to the MAC timing depending on the length
   of each TLSCiphertext.content.  Usage of large ranges with the LH
   scheme amplifies this timing channel, up to make it exploitable
   [LH-PADDING], because shorter messages within a range will be
   processed faster than longer messages in the same range.
   Implementations supporting the LH scheme SHOULD implement a MAC
   algorithm whose execution time depends on the length of the
   TLSCiphertext.content plus the length of the padding, thus
   eliminating this timing channel.

5.2.  Length Hiding with extended record padding

   Since the padding is always included in the MAC computation, attacks
   that utilize the current CBC-padding timing channel (e.g.,
   [DTLS-ATTACK]) are not applicable.

   In a way, the extended record padding can be seen as a special way of



Pironti & Mavrogiannopoulos  Expires August 11, 2013           [Page 13]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


   encoding application data before encryption (where application data
   given by the user are prefixed by some padding).  Hence, previous
   security results on standard TLS block and stream ciphers still apply
   to the extended record padding.

5.3.  Mitigating Denial of Service

   The TLS protocol allows zero-length fragments of Application data,
   and these are exploited by the TLS length-hiding mechanism proposed
   in this document.  If the user is notified of such zero-length
   fragments, normally this poses no problem.  However, some TLS
   implementations will keep reading for the next fragment if a zero-
   length fragment is received.  This exposes implementations
   (especially server-side ones) to distributed denial of service (DoS)
   attacks, where a network of attackers connect to the same host and
   send a sequence of zero-length fragments, keeping the host busy in
   processing them.  This issue gets amplified when the
   "extended_record_padding" extension is used, because MAC computation
   includes a possibly large amount of padding.

   Implementations that keep reading for the next fragment when a zero-
   length one is received, and that are concerned by such DoS attacks,
   MAY implement a DoS countermeasure.  For example, they could accept
   'n' zero-length fragments in a row, before notifying the user or
   returning an error.  This conflicts with the requirements of a
   length-hiding mechanism, where zero-length fragments are used to
   conceal the real plaintext length.  The value of 'n' SHOULD be chosen
   to satisfy the tradeoff so that it is the smallest number of
   fragments that can convey the required LH padding.  Normally, this
   value is application specific, so TLS implementations that implement
   this mitigation SHOULD let 'n' be set by the application.




















Pironti & Mavrogiannopoulos  Expires August 11, 2013           [Page 14]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


6.  IANA Considerations

   This document defines a new TLS extension, "extended_record_padding",
   assigned a value of TBD-BY-IANA (the value 48015 is suggested) from
   the TLS ExtensionType registry defined in [RFC5246].  This value is
   used as the extension number for the extensions in both the client
   hello message and the server hello message.  The new extension type
   is used for certificate type negotiation.











































Pironti & Mavrogiannopoulos  Expires August 11, 2013           [Page 15]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


7.  Normative References

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC6066]  Eastlake, D., "Transport Layer Security (TLS) Extensions:
              Extension Definitions", RFC 6066, January 2011.

   [DTLS-ATTACK]
              Nadhem, N. and K. Paterson, "Plaintext-recovery attacks
              against datagram TLS.", Network and Distributed System
              Security Symposium , 2012.

   [LH-PADDING]
              Pironti, A., Strub, P., and K. Bhargavan, "Identifying
              Website Users by TLS Traffic Analysis: New Attacks and
              Effective Countermeasures.", INRIA Research Report 8067 ,
              2012.

   [CBCTIME]  Canvel, B., Hiltgen, A., Vaudenay, S., and M. Vuagnoux,
              "Password Interception in a SSL/TLS Channel", Advances in
              Cryptology -- CRYPTO , 2003.

   [COMPLEAK]
              Kelsey, K., "Compression and information leakage of
              plaintext", Fast software encryption , 2002.






















Pironti & Mavrogiannopoulos  Expires August 11, 2013           [Page 16]


Internet-Draft   Length Hiding Padding for TLS Protocol    February 2013


Authors' Addresses

   Alfredo Pironti
   INRIA Paris-Rocquencourt
   23, Avenue d'Italie
   Paris,   75214 CEDEX 13
   France

   Email: alfredo.pironti@inria.fr


   Nikos Mavrogiannopoulos
   Dept. of Electrical Engineering ESAT/COSIC KU Leuven - iMinds
   Kasteelpark Arenberg 10, bus 2446
   Leuven-Heverlee,   B-3001
   Belgium

   Email: nikos.mavrogiannopoulos@esat.kuleuven.be

































Pironti & Mavrogiannopoulos  Expires August 11, 2013           [Page 17]