Re: [MLS] Encoding padding as variable-size vector
Richard Barnes <rlb@ipv.sx> Mon, 02 May 2022 17:49 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30989C15E41E for <mls@ietfa.amsl.com>; Mon, 2 May 2022 10:49:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E-q37zhKPeG2 for <mls@ietfa.amsl.com>; Mon, 2 May 2022 10:49:25 -0700 (PDT)
Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20F8BC15E400 for <mls@ietf.org>; Mon, 2 May 2022 10:49:24 -0700 (PDT)
Received: by mail-qv1-xf2a.google.com with SMTP id kc16so9790052qvb.7 for <mls@ietf.org>; Mon, 02 May 2022 10:49:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=u1Y2OhiyWNHu6cJ0/SLLBWfYOwB8Fz578BZvG6rnoe0=; b=YfIgX+hDPpPG+tXXceJ448lCiCduO/HgtfMRV0nmT9D5JSJq0HF3ovfLBT4uPn0aE2 UTmW2l7p12Ijwf480AtIFtvDU38n9GNEAczZFrYLCTgAfB/g6xtfYvA4kO2LBORMtcgh I7LUwO5NLSsqhWLao/XbqcDI8w8ytrQMJl/Z0izpO9t11ZszakTl+IpaIT/8pp9tfvtN UQT5YW1AJlityfF+rKQHla2amQpCsbdqRpeGdjWIMWJpGnAI3MGXNEcEnqOJpTl8pE2v jznkj+VMgEatHeJlOrn16B8uFbNS9HBRSAwqJgW4cj4jsKQst2BB4MlD3iOFnsAzY/Qi 21XA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=u1Y2OhiyWNHu6cJ0/SLLBWfYOwB8Fz578BZvG6rnoe0=; b=ov6fRBdvGFl7rEEUUTWBbmDQjjJRZS5GeJkiFwP5FYedtYnqC34VlWj0KpYtBkBtDz cWo2qKvf183g2rFAtfrob5ahX9tWuoRfpndrio7s+Sx9JWxqJgt1AY+n+wwr1guhaUQc /QpB+2XQ0Tz/iCkm7WLqoNw4lhbB5oqAGuKzdhlVwLG6v0/EALGcWD8fR9jQ6Nm2NVW9 VEvds8Du6LUnyrF1gZnmyrdmD73TXpvB7o5sBcFYzjLDp3m1MmgamkO6Mka/DKsfK8o/ kv4/ADDbOF5yoo2iu+wJprMgADCW40yYuI+as4n5pr/P7l4WVHlnqE2nnxp75G7GbuPS WFTw==
X-Gm-Message-State: AOAM53109ZzZkjf3H4K3myQH0EJEsQxn2AufiLTy7mvGMQhKcPv0nTMo LgP/i2FIuIooZrVtCZ4n5VUgPfA3ngjk+80hTUgBfw==
X-Google-Smtp-Source: ABdhPJyXsMKV/cZMhqC1JiwczDbBrF8KvzKgsDgWjVIt+motbHJ6I+EnUO4OhojkqRo5CLMRAFENX+wAflsn9XkVHqs=
X-Received: by 2002:a0c:b3cf:0:b0:456:4e1b:8da4 with SMTP id b15-20020a0cb3cf000000b004564e1b8da4mr10518207qvf.86.1651513763536; Mon, 02 May 2022 10:49:23 -0700 (PDT)
MIME-Version: 1.0
References: <9aa90871231e4291bb2a4d782b7b91c1@EX13D48EUB002.ant.amazon.com> <CAL02cgSctOjWsryNpqUC5u=gBhqjN91Fd5yY1pniTi+SmmsveQ@mail.gmail.com> <3165c19a8f5c471f9fccf1edd871c373@EX13D48EUB002.ant.amazon.com> <CACW8--N3GXwh7NV4KjCQru=e0g_gbOg4+Xia5De8Y1sNpR-EWA@mail.gmail.com>
In-Reply-To: <CACW8--N3GXwh7NV4KjCQru=e0g_gbOg4+Xia5De8Y1sNpR-EWA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 02 May 2022 13:49:12 -0400
Message-ID: <CAL02cgR-V=PH++nUkLXi1yW=vJvjknk3R26dfRSYcRdfqH7YTQ@mail.gmail.com>
To: Rohan Mahy <rohan.mahy@wire.com>
Cc: "Alwen, Joel" <alwenjo=40amazon.com@dmarc.ietf.org>, "mls@ietf.org" <mls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000037b69f05de0b03e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/5tMXnlkFfq79BDu1VTwG60CXYhg>
Subject: Re: [MLS] Encoding padding as variable-size vector
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 17:49:29 -0000
Minor point, but if you wanted to do that, you would need to use the vector notation struct { select (content_type) { ... } MLSMessageAuth auth; uint8 zeros<0..2^16-1>; } MLSCiphertextContent; But I still think it's cleaner just to not bother with the length prefix, since it's length-delimited on the outside. On Mon, May 2, 2022 at 2:34 AM Rohan Mahy <rohan.mahy@wire.com> wrote: > I think we need: > > struct { > > select (content_type) { ... } > > MLSMessageAuth auth; > > uint8 zeros[0..65535]; > > } MLSCiphertextContent; > > > so the length field of "zeros" is fixed at 2 octets. > > Thanks, > > -rohan > > > *Rohan Mahy *l Vice President Engineering, Architecture > > Chat: @rohan_wire on Wire > > > > Wire <https://wire.com/en/download/> - Secure team messaging. > > *Zeta Project Germany GmbH *l Rosenthaler Straße 40, > <https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>10178 > Berlin, > <https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g> > Germany > <https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g> > > Geschäftsführer/Managing Director: Morten J. Broegger > > HRB 149847 beim Handelsregister Charlottenburg, Berlin > > VAT-ID DE288748675 > > > On Fri, Apr 29, 2022 at 3:21 AM Alwen, Joel <alwenjo= > 40amazon.com@dmarc.ietf.org> wrote: > >> > struct { >> >> > select (content_type) { ... } >> >> > MLSMessageAuth auth; >> >> > uint8 zeros[length_of_padding]; >> >> > } MLSCiphertextContent; >> >> >> >> This seems better. I.e. I think it now lets us pad to any target length >> of the resulting TLS serialization. >> >> >> >> One thought though: If I were parsing such a TLS serialization from a >> buffer more data after the struct starting with a 0 byte would I >> unambiguously know when I’ve reached the end the struct? If not is that a >> concern? >> >> >> >> - Joël >> >> >> >> *From:* Richard Barnes <rlb@ipv.sx> >> *Sent:* Thursday, 28 April 2022 06:03 >> *To:* Alwen, Joel <alwenjo@amazon.com> >> *Cc:* mls@ietf.org >> *Subject:* RE: [EXTERNAL][MLS] Encoding padding as variable-size vector >> >> >> >> *CAUTION*: This email originated from outside of the organization. Do >> not click links or open attachments unless you can confirm the sender and >> know the content is safe. >> >> >> >> TBH, I'm not sure we need to demarcate the padding at all -- just append >> zero bytes. The real, non-padding data in MLSCiphertextContent is itself >> length-delimited (assuming the content type is known), so there's no need >> to signal how much padding there is. It's just whatever bytes are left in >> the decrypted content. (We should still require it to be zero). >> >> >> >> So we could do something like what TLS 1.3 does [1][2]: >> >> >> >> struct { >> >> select (content_type) { ... } >> >> MLSMessageAuth auth; >> >> uint8 zeros[length_of_padding]; >> >> } MLSCiphertextContent; >> >> >> >> ... with some prose to explain and require that any non-zero padding >> bytes MUST cause a message to be rejected. >> >> >> >> For context, we arrived at the current scheme in #213 [3]. That PR is >> still correct that the prior scheme was ... too creative. The above >> proposal would have the pendulum swing back a little bit, but I think not >> too much. >> >> >> >> --Richard >> >> >> >> >> >> [1] https://datatracker.ietf.org/doc/html/rfc8446#section-5.2 >> >> [2] https://datatracker.ietf.org/doc/html/rfc8446#section-5.4 >> >> [3] https://github.com/mlswg/mls-protocol/pull/213/files >> >> >> >> >> >> >> >> >> >> On Tue, Apr 26, 2022 at 9:55 PM Alwen, Joel <alwenjo= >> 40amazon.com@dmarc.ietf.org> wrote: >> >> In the MLSCiphertextContent struct we have a field for padding >> represented using a variable-size vector which helps hide information about >> the length of content; notably application messages. But because of the way >> we encode variable-size vectors it turns out you can't actually pad the >> rest of the content with certain number of bytes: namely 0, 65, 16386, >> 16387. (E.g. if you pad with a vector of 63 bytes the TLS encoding actually >> produces 64 bytes for padding: 63 bytes + 1 length byte. But if you pad >> with 64 bytes you end up with a 66 byte encoding as now you need 2 bytes >> for the length. >> >> Not being able to pad with 0 is OK. But 65 is kind of annoying. E.g. if >> you want to pad to a target content length X bytes then if the rest of the >> content ends up being X-65 bytes long you are out of luck. (Assuming I'm >> right about how this all works) it seems a bit silly to me for a padding >> scheme to have somewhat arbitrary gaps like that; especially at a not >> unreasonable number of bytes to want to pad with. >> >> If I didn't miss something, and you all agree that its better to avoid >> having gaps like that then how about represent padding as, say, a fixed >> length vector's? >> >> - Joël >> >> >> Amazon Development Center Austria GmbH >> Brueckenkopfgasse 1 >> 8020 Graz >> Oesterreich >> Sitz in Graz >> Firmenbuchnummer: FN 439453 f >> Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz >> >> >> >> _______________________________________________ >> MLS mailing list >> MLS@ietf.org >> https://www.ietf.org/mailman/listinfo/mls >> >> >> >> >> Amazon Development Center Austria GmbH >> Brueckenkopfgasse 1 >> 8020 Graz >> Oesterreich >> Sitz in Graz >> Firmenbuchnummer: FN 439453 f >> Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz >> >> >> _______________________________________________ >> MLS mailing list >> MLS@ietf.org >> https://www.ietf.org/mailman/listinfo/mls >> >
- [MLS] Encoding padding as variable-size vector Alwen, Joel
- Re: [MLS] Encoding padding as variable-size vector Richard Barnes
- Re: [MLS] Encoding padding as variable-size vector Alwen, Joel
- Re: [MLS] Encoding padding as variable-size vector Rohan Mahy
- Re: [MLS] Encoding padding as variable-size vector Richard Barnes