- From: Bob Briscoe <bob.briscoe@bt.com>
- Date: Sat, 7 Mar 2015 15:15:33 +0000
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: Mike Belshe <mbelshe@chromium.org>, "fenix@google.com" <fenix@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
Martin,

Don't listen to me on cryptography, I don't follow it. I'm probably out of date.

Nonetheless, I just skimmed the POODLE paper [Möller14]. From my reading, POODLE surely only applies to padding that is beyond the coverage of the MAC (i.e. which necessarily has to have been added while encrypting).

I don't think these chosen ciphertext attacks (CCAs) apply to HTTP/2 padding, because the HTTP/2 padding is in the layer below the encryption process, so it will surely always be covered by the MAC.

If, as in HTTP/2, the length of the padding field is given in the protocol header (which is then encrypted), I believe the padding can be arbitrary, and I assume it's best for the padding not to be structured (predictable).

But please don't take my word for it - crypto is not my field.

[Möller14] Möller, Bodo; Duong, Thai; Kotowicz, Krzysztof, "This POODLE Bites: Exploiting The SSL 3.0 Fallback" (September 2014). <https://www.openssl.org/~bodo/ssl-poodle.pdf>

Bob

At 19:23 06/03/2015, Martin Thomson wrote:
>On 6 March 2015 at 11:05, Bob Briscoe <bob.briscoe@bt.com> wrote:
> > Why does padding have to be filled with zeros? There are good cryptographic
> > reasons for not requiring this.
>
>Remember POODLE, I think that the opposite is true. Also c.f. IND-CCA
>(and IND-CCA2).

________________________________________________________________
Bob Briscoe, BT
Received on Saturday, 7 March 2015 15:16:15 UTC
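
Added example, not part of the message above or of any project's code: a small Python model of the two padding layouts the thread contrasts, showing that padding outside the MAC can be altered without detection while padding inside an HTTP/2 DATA frame cannot, whatever its fill value. The cipher is omitted, HMAC-SHA256 stands in for the real record protection, and the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key, illustration only
TAG = 32                       # HMAC-SHA256 tag length in bytes

def mac(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()

def flip(buf, i):
    """Return buf with byte i inverted (models tampering in transit)."""
    out = bytearray(buf)
    out[i] ^= 0xFF
    return bytes(out)

# Model 1: SSL 3.0-style CBC plaintext: data || MAC(data) || padding || pad_len
def ssl3_seal(data, block=16, fill=0xAA):
    body = data + mac(data)
    pad_len = -(len(body) + 1) % block
    return body + bytes([fill]) * pad_len + bytes([pad_len])

def ssl3_open(record):
    body = record[:len(record) - 1 - record[-1]]  # padding content is never checked
    data, tag = body[:-TAG], body[-TAG:]
    if not hmac.compare_digest(tag, mac(data)):
        raise ValueError("bad MAC")
    return data

# Model 2: HTTP/2 DATA frame (type 0x0, PADDED flag 0x8); integrity covers the whole frame
def h2_data_frame(data, pad_len, stream_id=1, fill=0x00):
    payload = bytes([pad_len]) + data + bytes([fill]) * pad_len
    header = len(payload).to_bytes(3, "big") + bytes([0x0, 0x8]) + struct.pack(">I", stream_id)
    return header + payload

def protect(frame):
    return frame + mac(frame)

def unprotect(record):
    frame, tag = record[:-TAG], record[-TAG:]
    if not hmac.compare_digest(tag, mac(frame)):
        raise ValueError("bad MAC")
    return frame

def h2_parse_data(frame):
    length = int.from_bytes(frame[:3], "big")
    payload = frame[9:9 + length]
    if not frame[4] & 0x8:          # PADDED flag clear: payload is all data
        return payload
    pad_len = payload[0]
    if pad_len >= length:
        raise ValueError("PROTOCOL_ERROR: padding exceeds payload")
    return payload[1:length - pad_len]
```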