forked from agl/tls-padding
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdraft-ietf-tls-padding.xml
124 lines (105 loc) · 5.17 KB
/
draft-ietf-tls-padding.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
<?xml version="1.0"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd"[
<!ENTITY RFC2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY RFC5246 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml'>
]>
<?rfc toc="yes" symrefs="yes"?>
<rfc ipr="trust200902" docName="draft-ietf-tls-padding-00">
<front>
<title abbrev="TLS ClientHello Padding Extension">A TLS ClientHello padding extension</title>
<author initials="A." surname="Langley" fullname="Adam Langley">
<organization>Google Inc</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<date month="Jan" year="2015" />
<area>Security</area>
<abstract>
<t>
This memo describes a TLS extension that can be used to pad ClientHello messages to a desired size.
</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="intro">
<t>
Successive <xref target="RFC5246">TLS</xref> versions have added support for more cipher suites and, over time, more TLS extensions have been defined. This has caused the size of the TLS ClientHello to grow and the additional size has caused some implementation bugs to come to light. At least one of these implementation bugs can be ameliorated by making the ClientHello even larger.
</t>
<t>
This memo describes a TLS extension that can be used to pad a ClientHello to a desired size in order to avoid implementation bugs caused by certain ClientHello sizes.
</t>
</section>
<section title="Requirements Notation">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.
</t>
</section>
<section title="Padding Extension">
<t>
A new extension type (<spanx style="verb">padding(21)</spanx>) is defined and MAY be included by the client in its ClientHello message.
</t>
<figure>
<artwork align="left">enum {
padding(21), (65535)
} ExtensionType;</artwork>
</figure>
<t>
The <spanx style="verb">extension_data</spanx> for the extension consists of an arbitary number of zero bytes. For example, the smallest <spanx style="verb">padding</spanx> extension is four bytes long and is encoded as 0x00 0x15 0x00 0x00. A ten byte extension would include 6 bytes of <spanx style="verb">extension_data</spanx> and would be encoded as:
</t>
<figure>
<artwork align="left">
00 15 00 06 00 00 00 00 00 00
|---| |---| |---------------|
| | |
| | \- extension_data: 6 zero bytes
| |
| \------------- 16-bit, extension_data length
|
\------------------- extension_type for padding extension
</artwork>
</figure>
<t>
The client MUST fill the padding extension completely with zero bytes, although the padding extension may be empty.
</t>
<t>
The server MUST NOT echo the extension.
</t>
</section>
<section title="Example usage">
<t>
As an example, consider a client that wishes to avoid sending a ClientHello with a record size between 256 and 511 bytes (inclusive). This case is considered because at least one TLS implementation is known to hang the connection when such a ClientHello record is received.
</t>
<t>
After building a ClientHello as normal, the client can add four to the length (to account for the <spanx style="verb">msg_type</spanx> and <spanx style="verb">length</spanx> fields of the handshake protocol) and test whether the resulting length falls into that range. If it does, a padding extension can be added in order to push the length to (at least) 512 bytes.
</t>
<t>
Note that if the original ClientHello size was between 505 and 507 bytes then, with the handshake protocol overhead, the record would be between 509 and 511 bytes long. Since it's not possible for an extension to take less than four bytes of space, the additional padding would have to expand the ClientHello record past 512 bytes in these cases.
</t>
</section>
<section title="Security Considerations">
<t>
The contents of the padding extension could be used as a covert channel. In order to prevent this, the contents are required to be all zeros, although the length of the extension can still be used as a much smaller covert channel. Servers MAY verify that the extension is either empty or contains only zero bytes, in order to enforce this.
</t>
</section>
<section title="IANA Considerations">
<t>
IANA is requested to permanently assign the early code point for the padding extension in its ExtensionType registry.
</t>
</section>
<section title="Acknowledgements">
<t>
The author gratefully acknowledges the contributions of Wan-Teh Chang and the suggestions of Eric Rescorla.
</t>
</section>
</middle>
<back>
<references title="Normative References">
&RFC2119;
&RFC5246;
</references>
</back>
</rfc>