W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2015

Re: HTTP/2 States and Frame Types <draft-ietf-httpbis-http2-17>

From: Bob Briscoe <bob.briscoe@bt.com>
Date: Sat, 7 Mar 2015 15:15:33 +0000
Message-ID: <201503071515.t27FFXAa022983@bagheera.jungle.bt.co.uk>
To: Martin Thomson <martin.thomson@gmail.com>
CC: Mike Belshe <mbelshe@chromium.org>, "fenix@google.com" <fenix@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
Martin,

Don't listen to me on cryptography, I don't 
follow it. I'm probably out of date.

Nonetheless, I just skimmed the POODLE paper 
[Möller14]. From my reading, POODLE surely only 
applies to padding that is beyond the coverage of 
the MAC (i.e. which necessarily has to have been 
added while encrypting). I don't think these 
chosen ciphertext attacks (CCAs) apply to HTTP/2 
padding, because the HTTP/2 padding is in the 
layer below the encryption process, so it will 
surely always be covered by the MAC.

If, as in HTTP/2, the length of the padding field 
is given in the protocol header (which is then 
encrypted), I believe the padding can be 
arbitrary, and I assume it's best for the padding 
not to be structured (predictable).

But please don't take my word for it - crypto is not my field.

[Möller14] Möller, Bodo; Duong, Thai; Kotowicz, 
Krzysztof, "This POODLE Bites: Exploiting The SSL 
3.0 Fallback" (September 2014). <https://www.openssl.org/~bodo/ssl-poodle.pdf>



Bob


At 19:23 06/03/2015, Martin Thomson wrote:
>On 6 March 2015 at 11:05, Bob Briscoe <bob.briscoe@bt.com> wrote:
> > Why does padding have to be filled with zeros? There are good cryptographic
> > reasons for not requiring this.
>
>Remember POODLE, I think that the opposite is true.  Also c.f. IND-CCA
>(and IND-CCA2).

________________________________________________________________
Bob Briscoe,                                                  BT 
Received on Saturday, 7 March 2015 15:16:15 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:49 UTC