On Friday, 7 April 2017 19:05:42 CEST Benjamin Kaduk wrote:
> With TLS 1.3 we have this new padding scheme for encrypted records, and
> even allow for padding-only records (of nominal internal content type
> "application data"). This is generally a good thing, in that it gives a
> lot of degrees of freedom to introduce countermeasures to traffic
> analysis, but perhaps we are overgenerous. There doesn't seem to be
> anything preventing a peer from sending only padding records and never
> any application data, whether that is in the client's early data or in
> regular data after the handshake.
While this indeed may be a possible attack, it's a symmetric attack - the attacker will have to encrypt as much data as the server will decrypt. If he or she doesn't do that, the server will reject the records as having an incorrect MAC.

That's a big difference between it and early data, where to the server there's no difference between correct ciphertext encrypted with an unknown key and a string of random data.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
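The symmetry argument in the reply above, worked through as an added example (not code from the thread or from any TLS implementation): the TLSInnerPlaintext padding layout (content, then the content type byte, then zeros) and the receiver's strip-from-the-end rule follow RFC 8446 sections 5.2 and 5.4, while the cipher is an HMAC-SHA256 stand-in for the real AEADs, and KEY and IV are constructed demo values rather than handshake-derived secrets. Two scenarios are modelled: a keyed peer that sends nothing but padding records, where the receiver does exactly as much AEAD work as the sender did and delivers zero bytes of content, and an unkeyed sender that frames random bytes as records, where the first record fails the tag check with bad_record_mac and the padding path is never reached. The early-data case the reply contrasts this with is not modelled here.

```python
"""Toy model of TLS 1.3 record padding (RFC 8446 sections 5.2 and 5.4).
Added example, not code from the thread or from any TLS stack: the record
framing and padding rules follow the RFC, while the cipher is an HMAC-SHA256
construction standing in for the real AEADs (AES-GCM, ChaCha20-Poly1305)."""
import hashlib, hmac, os, struct

APPLICATION_DATA = 23     # ContentType.application_data
TAG_LEN = 32              # toy AEAD tag length (the real AEADs use 16)
KEY, IV = bytes(range(32)), bytes(range(12))   # constructed demo keys, not derived

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC blocks (toy cipher, demo only)."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def aead_seal(key, nonce, aad, plaintext):
    """Encrypt, then tag nonce || aad || ciphertext."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct + hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()

def aead_open(key, nonce, aad, sealed):
    """Check the tag first; nothing is decrypted unless it verifies."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad_record_mac")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def make_inner_plaintext(content, content_type, padding_len):
    """TLSInnerPlaintext = content || type || zeros (section 5.2)."""
    return content + bytes([content_type]) + b"\x00" * padding_len

def parse_inner_plaintext(inner):
    """The last non-zero byte is the content type; all-zero is an error (5.4)."""
    end = len(inner)
    while end > 0 and inner[end - 1] == 0:
        end -= 1
    if end == 0:
        raise ValueError("unexpected_message")
    return inner[:end - 1], inner[end - 1]

def record_nonce(iv, seq):
    """Per-record nonce: IV XOR the left-padded 64-bit sequence number."""
    return bytes(a ^ b for a, b in zip(iv, struct.pack(">IQ", 0, seq)))

def record_header(body_len):
    """TLSCiphertext header: opaque_type 23, legacy_record_version 0x0303, length."""
    return bytes([APPLICATION_DATA, 0x03, 0x03]) + struct.pack(">H", body_len)

def protect(key, iv, seq, content, content_type=APPLICATION_DATA, padding_len=0):
    inner = make_inner_plaintext(content, content_type, padding_len)
    header = record_header(len(inner) + TAG_LEN)      # the header is the AAD
    return header + aead_seal(key, record_nonce(iv, seq), header, inner)

def unprotect(key, iv, seq, record):
    header, body = record[:5], record[5:]
    return parse_inner_plaintext(aead_open(key, record_nonce(iv, seq), header, body))

def receive_all(key, iv, records):
    """Consume records in order; report bytes run through the AEAD, content
    bytes delivered, and the alert (if any) that stopped processing."""
    report = {"aead_bytes": 0, "delivered": 0, "alert": None}
    for seq, rec in enumerate(records):
        report["aead_bytes"] += len(rec) - 5
        try:
            content, _ = unprotect(key, iv, seq, rec)
        except ValueError as exc:
            report["alert"] = str(exc)
            break
        report["delivered"] += len(content)
    return report

def scenario_padding_only(key, iv, n_records=3, padding_len=1000):
    """Keyed peer sends only padding: accepted, and the receiver's AEAD work
    equals the sender's. Returns (sender_aead_bytes, receiver_report)."""
    records = [protect(key, iv, seq, b"", padding_len=padding_len) for seq in range(n_records)]
    return sum(len(r) - 5 for r in records), receive_all(key, iv, records)

def scenario_without_key(key, iv, n_records=3, body_len=1033):
    """Unkeyed sender frames random bytes as records: the first one fails the
    tag check, so the padding path is never reached."""
    records = [record_header(body_len) + os.urandom(body_len) for _ in range(n_records)]
    return receive_all(key, iv, records)
```

Running `scenario_padding_only(KEY, IV)` shows the sender and receiver byte counts agree and nothing is delivered; `scenario_without_key(KEY, IV)` stops at the first record with `bad_record_mac` after one tag computation. The same parser also shows the other rule the RFC attaches to padding: a record that decrypts to all zeros carries no content type and is rejected as `unexpected_message`.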
