[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Record layer padding

To: Pasi.Eronen@xxxxxxxxx
Subject: Re: [TLS] Record layer padding
From: JCA <1.41421@xxxxxxxxx>
Date: Fri, 25 Jan 2008 08:29:46 -0800
Cc: tls@xxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=OOaFMXS1LFhuBwrgbAVXvFmL/z9bcyetbkrXduED6C0=; b=udZNo41EPVlReg43Oku4t1IvIshI0cbLhXvx61p/shBO+IyinuBH2nO4TW51bXpoM6B2bukxh7KaF1iO6NE0D7y6f/7CGgNE1BtzDUahvkTHnuDxifZZ1OIkNoqgEiq8GW73Sa6YESNRhz/V1nGryR5Ya34UuddO968QSRW0hDE=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=qbur1+A66qB/4xd/VbGzQRTF9RHXbOfyv89OVnX1eFdFNRQGnOe277i509xsF30YjH2uw/90ff/TUVOrxJeKFwJvk11huaOqbA41ykhBIyMJmlX9t5a6O6irINFRs2Qed6f4wYwNe3XsUt9gi8GgkWE0eJFtLasBqGBjQWKgrno=
In-reply-to: <B356D8F434D20B40A8CEDAEC305A1F240528D5BA@xxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <a10b0c8a0801242017y7ce85cden8bc0a4272d7d9f44@xxxxxxxxxxxxxx> <B356D8F434D20B40A8CEDAEC305A1F240528D5BA@xxxxxxxxxxxxxxxxxxxxxx>

On Jan 24, 2008 10:34 PM,  <Pasi.Eronen@xxxxxxxxx> wrote:
> JCA (1.41421@xxxxxxxxx) wrote:
> >
> >    What happens when the length of the record layer data to be
> > encrypted happens to be a multiple of the block cipher's block size?
> > Does one have to add a padding block the same size as the cipher's
> > block size, or is one to set the closing padding length byte to
> > zero, without adding any explicit padding? I'd be inclined to do the
> > former, but I do not know if this is what the spec intended.
>
> The data-to-be-encrypted consists of the actual record layer content
> (GenericBlockCipher.content), the MAC, the padding (zero or more
> bytes) and the padding_length byte. The sum of these has to be a
> multiple of the block size (and the padding_length byte is always
> present).
>
> So, for example, if you're using AES_128_CBC_SHA, and have 27
> bytes of actual content, you could set padding_length to 0
> (since 27+20+1 = 48 = 3*16)

    Thanks, that clarifies it. In fact, on rereading the relevant part
of the spec that seems to be implied. I would also seem to be implied
that one is free to add as many padding blocks as one wishes (and fit
the bill,) provided the padding length is less than 256 bytes, right?
Even more: If I am understand it correctly, implementations are
encouraged to do so in order to foil traffic analysis-based cracking
attempts.

> >    Also, what happens to record layers put together before
> > encryption kicks in? Is one supposed not to use the padding length
> > byte at all?  That's what I would do myself but, again, I am not
> > sure.
>
> Each TLS record is encrypted separately, and the padding_length
> byte is present in each of them. (If you e.g. combine several
> handshake messages in one TLS record -- well, that's done
> before the record layer, so it's just one record then.)

   Hmm.... I am not sure I follow here. My understanding is that all
TLS data will be exchanged encapsulated within TLS record layers. From
this it would seem that messages in the same record must be either
encrypted or unencrypted, but not both. That is, what one encrypts (or
not) are whole records, not individual messages. And analogously for
the MAC computation. Is this what the spec means?

   To answer my own question, again on rereading the spec my take is
that unencrypted records are just records encrypted with the Null
cipher - which, according to the spec (and just like stream ciphers)
does not require padding, and therefore no padding length byte.

   Thanks very much for your feedback.


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- RE: [TLS] Record layer padding
  - From: Pasi.Eronen

References:
- [TLS] Record layer padding
  - From: JCA
- RE: [TLS] Record layer padding
  - From: Pasi.Eronen

Prev by Date: RE: [TLS] Record layer padding
Next by Date: RE: [TLS] Record layer padding
Previous by thread: RE: [TLS] Record layer padding
Next by thread: RE: [TLS] Record layer padding
Index(es):
- Date
- Thread