
Re: padding values history



Bill,

Thanks for the historic analysis of ESP padding.  I've gone back and
reviewed the messages in question, and I think we have some differences
when it comes down to the cited motivations for padding with other than
random bytes, although I agree with most of the history as you presented it.

For example, you cite e-mail from Steve Bellovin in the 2-3/96 timeframe.
My records show that discussion ending with the following message from
Steve to Phil Karn with regard to Wagner's attack:

-------
Karn:
         I don't remember how the text got changed, but it's not
         important. The question is, do we want to change the ESP spec
         re padding?

Bellovin:

We could make that change, but I suspect that it's a palliative measure
at best.  The real answer is integrity-checking, done right.

-----

So it would appear that Steve's response to Phil was that while padding
with zeros would help with the cited attack, Steve's view was that the
preferred approach was just to elect use of authentication/integrity if one
wants to achieve that effect.

>In April 1996, RSA "purists" examined ESP.  One of the issues raised by
>Baldwin was covert and subliminal channels.  Although there are many in
>the IPSec transforms, using the 0,1,2,3,... self-describing padding was
>suggested as a way to minimize that problem in ESP.

I didn't see any messages dealing with covert or subliminal channels in the
old traffic, so I called Bob Baldwin and we discussed the matter.  The
issue he believes that you cited is that arbitrary padding allows covert
exfiltration of data by the encryption module, but only to a legitimate
receiver.  Frankly, there is a much greater concern about malicious
software somewhere in the system shipping out vast quantities of text over
an SA, rather than hiding it in the padding.  The second example you cite
is completely different, i.e., a Trojan Horse can manipulate the length of
the padding to effect a covert channel that is accessible to a passive
wiretapper, and this is potentially a more serious concern, since it
involves not an authorized destination for encrypted data, but an attacker
intercepting the ciphertext.  (It also is an attack first described in the
literature in 1978, by two different authors, including me.)   Note that
the choice of padding has no effect on this smaller, but much more serious
channel, so it is irrelevant to our padding content discussion.

This is a long way of saying that the arguments you provided for using this
sort of padding are not really supported, or strongly supported, by the
evidence you cite.  However, I have come to agree with your suggestion,
i.e., that padding should be algorithm specific.  For example, Bob pointed
out to me that there is an ISO spec for DES-CBC that calls for the
enumerated padding.  Others may wish to use random padding.  Those are good
examples of why padding should be algorithm/mode-specific.  So, I'm
changing the padding discussion in ESP to reflect that.

Steve
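The point Steve makes about self-describing padding, as an added illustration that is not part of the thread: with 0,1,2,... padding a receiver can verify every trailer byte, so an encryption module that tried to hide data in the pad bytes would be caught, whereas random padding cannot be checked at all. This assumes an 8-byte (DES-CBC) block and the usual ESP trailer layout of padding, pad-length byte, next-header byte; the function names are mine.

```python
import os

BLOCK = 8  # assumed DES-CBC block size


def pad_len_for(payload_len: int, block: int = BLOCK) -> int:
    """Bytes of padding so payload + pad + 2 trailer bytes fills whole blocks."""
    return (-(payload_len + 2)) % block


def enumerated_padding(n: int) -> bytes:
    """Self-describing padding 0,1,2,...: fully predictable, hence verifiable."""
    return bytes(i % 256 for i in range(n))


def random_padding(n: int) -> bytes:
    """Random padding: nothing for the receiver to check."""
    return os.urandom(n)


def build_trailer(payload: bytes, padder, next_header: int) -> bytes:
    """Sender side: append padding, pad length and next header to the payload."""
    n = pad_len_for(len(payload))
    pad = padder(n)
    assert len(pad) == n
    return payload + pad + bytes([n, next_header])


def verify_enumerated(plaintext: bytes):
    """Receiver side: strip the trailer and insist the padding is 0,1,2,....

    Returns (payload, next_header), or None if the trailer is malformed or the
    pad bytes differ from the enumerated pattern (e.g. a module smuggling data).
    Note the pad *length* is still visible to a wiretapper whatever scheme is
    used, which is the separate channel discussed above.
    """
    if len(plaintext) < 2 or len(plaintext) % BLOCK:
        return None
    n, next_header = plaintext[-2], plaintext[-1]
    if n + 2 > len(plaintext):
        return None
    pad = plaintext[-2 - n:-2]
    if pad != enumerated_padding(n):
        return None
    return plaintext[:-2 - n], next_header
```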