Rene Eberhard wrote:
> 
> What about the random length padding as defined in TLS?
> 
> Rene

TLS defines random padding only when CipherSuites using block ciphers
are agreed on by the parties. If the CipherSuite chosen by the parties
uses a stream cipher, there is no random padding, so the length of the
application layer data is bigger by a constant size; thus there is no
padding protection when stream ciphers are used in TLS.

However, random padding of records is not the only thing to stop
traffic analysis attacks. There is a lot of contextual data transmitted
in an HTTPS request/reply.
Using statistical methods, the attacker can guess the HTML file I'm
viewing by keeping a record of the last, current and next page I will go
to (by clicking on a hyperlink).
Also, both the quantity of TLS connections and the lengths of the
resources embedded in an HTML page (used with the guessed HTML page
length) are useful to accomplish the attack (if the browser cache is
disabled). But although keeping the cache enabled is a common
configuration in web browsing, it might not be in other application
protocols; hence the idea of developing an extra layer below the app
protocol and above the TLS protocol, so that it is reusable by other
applications, not only web browsers and servers.

Even with all that stuff, the "random" padding thing with stream ciphers
is not too much work. It could be added to a TLS implementation in a
couple of hours by any experienced TLS developer.

Cheers,

Gabriel
 
> > Here I send to you a draft of the protocol, but there is a
> > lot of work to do yet.
> > Numbers and lengths are drafts too.
> >
> > Gabriel.
> >
> > Ben Laurie wrote:
> > >
> > > Gabriel Belingueres wrote:
> > > >
> > > > Hi,
> > > >
> > > > Talking in the sci.crypt newsgroup, I had an idea about how to
> > > > make the Web more secure against traffic analysis. The idea came
> > > > from a paper I have been reading ("Analysis of the SSL 3.0
> > > > protocol" by B. Schneier and D. Wagner). They describe how an
> > > > attacker can guess the pages you have accessed by looking at the
> > > > lengths of the SSL messages exchanged in the HTTPS requests and
> > > > replies.
> > > > The idea I was thinking of is to add a tiny protocol between HTTP
> > > > and SSL, to break the 1-to-1 mapping between HTTP and SSL
> > > > messages. The mapping would now be done in a random way.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
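
The following is an added example, not part of the original thread or of OpenSSL: it models the record lengths discussed above to measure how much random-length padding widens the set of pages consistent with one observed record, compared with a stream cipher suite. The 20-byte MAC, the 8-byte block size, the one-record-per-page simplification and the page sizes are assumptions made for illustration.

```python
import random

MAC_LEN = 20   # assumption: HMAC-SHA1 tag appended to every record
BLOCK = 8      # assumption: 8-byte block cipher in CBC mode

# Constructed sample site: page name -> response size in bytes (one record each).
PAGES = {"/index.html": 5120, "/login.html": 5200,
         "/account.html": 5333, "/transfer.html": 9800}

def stream_record_len(n):
    """Stream cipher suite: ciphertext is plaintext plus the MAC, nothing else."""
    return n + MAC_LEN

def block_record_len(n, rng):
    """Block cipher suite with random-length padding: 0..255 padding bytes plus
    the one-byte padding length, total a multiple of BLOCK."""
    base = n + MAC_LEN + 1
    min_pad = -base % BLOCK
    pad = min_pad + BLOCK * rng.randint(0, (255 - min_pad) // BLOCK)
    return base + pad

def consistent_pages(observed, suite):
    """Pages whose size could have produced the observed record length."""
    if suite == "stream":
        lo = hi = observed - MAC_LEN          # length is exact
    else:
        hi = observed - MAC_LEN - 1           # zero padding bytes
        lo = hi - 255                         # maximum padding bytes
    return sorted(p for p, n in PAGES.items() if lo <= n <= hi)

def ambiguity(page, suite, trials=1000, seed=1):
    """Smallest candidate set seen over many transfers of `page`."""
    rng = random.Random(seed)
    n = PAGES[page]
    worst = len(PAGES)
    for _ in range(trials):
        if suite == "stream":
            obs = stream_record_len(n)
        else:
            obs = block_record_len(n, rng)
        worst = min(worst, len(consistent_pages(obs, suite)))
    return worst

if __name__ == "__main__":
    for suite in ("stream", "block"):
        print(suite, {p: ambiguity(p, suite) for p in PAGES})
```

In this model the padding only hides a page among others whose sizes lie within 255 bytes of it; a page with no such neighbour remains uniquely identifiable.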