Re: [MLS] Encoding padding as variable-size vector
Richard Barnes <rlb@ipv.sx> Wed, 27 April 2022 21:02 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 395CCC159A39 for <mls@ietfa.amsl.com>; Wed, 27 Apr 2022 14:02:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pMWjTBwsxuQq for <mls@ietfa.amsl.com>; Wed, 27 Apr 2022 14:02:55 -0700 (PDT)
Received: from mail-qk1-x72f.google.com (mail-qk1-x72f.google.com [IPv6:2607:f8b0:4864:20::72f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DE62C159A33 for <mls@ietf.org>; Wed, 27 Apr 2022 14:02:55 -0700 (PDT)
Received: by mail-qk1-x72f.google.com with SMTP id e128so2252205qkd.7 for <mls@ietf.org>; Wed, 27 Apr 2022 14:02:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KzA5wJEw/0HbN0Hu0CbNK3CvnpSjPZUgGNG1dn4Q+LM=; b=cvtA8XAJTC5oS4cXPyLylc/DeKF9SpefOAy8cMOdLPoX2MYnv2hkBFaw+SSGeOp9Oz 8sQmZccmHvJzwpqe/DFacFGnNO7PBF8w2CKWYWr3471Kxf2Ux7MhJfnISk+yQFLc0YUJ DLSkKkp4JAZvc+JuGlF/7K06cuUo+dgZpNJ6LT+RoP3ZabseC8Ecfji+rKJCtJDopICT 1iNV+56QaiXf/WzS01AyYDgSgCF7lv6o8xHCSQKwHS2pW9Uz0URQ1uUAIRi9s6Qsruer UUERV3f1KZud5vd5CKp7rhlL7PmLklwU6FUU19+ujFsrBmx4EIT1OTrHvuWE1o9VIgav 47QQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KzA5wJEw/0HbN0Hu0CbNK3CvnpSjPZUgGNG1dn4Q+LM=; b=DYpIzEd+Es3RdYaPnAgF2QwHU7IVr4g1I3OQVl8Rx0KYRR34Sj5qk9isJBzhLKtLLn Cv6ti4l+nbCWmZ+3tbnzr/NIA0GZkMRQKOoE58GseNTjQsF/xXoCgdPhZr+hSYqd8fBI b1uLHF8nyDzQHsjfk9uxgOCfH5PHxlUHrccgC3yBHALfq3PqM8R6B2q44NQXDq0aThSc BC9CYYso67PZsBAdMcxBgek5xMfU4lZcDKKsAyKw07turDjRdmM2XGTcwfHBa/0ric6+ Fm7K0fqbW8en3afvKiArweuJP5KXsQ2ybFA2rNFBBHjmrJ4/ryq0Qair7J1VffMeF6nQ 9fCg==
X-Gm-Message-State: AOAM530M/fGQ2A9fZNcr2+4OnmfLIBAu2hN4CYB4kBjVEpKZU22OAPY6 KUEdlyK9YGVLHj8jn/3pWA6PcEq//eZrgtJDRpCuibAdZeXKPA==
X-Google-Smtp-Source: ABdhPJz4UVWQdoLVzMIQUBigAEf6rZ/s42F3y3gjXSHe2ty1CrW01WgjR+bmLwrhYqK9CC5hfQ+wzdmL+puq5PvUGRM=
X-Received: by 2002:a05:620a:12a8:b0:69f:41fe:ff6a with SMTP id x8-20020a05620a12a800b0069f41feff6amr12522033qki.504.1651093374024; Wed, 27 Apr 2022 14:02:54 -0700 (PDT)
MIME-Version: 1.0
References: <9aa90871231e4291bb2a4d782b7b91c1@EX13D48EUB002.ant.amazon.com>
In-Reply-To: <9aa90871231e4291bb2a4d782b7b91c1@EX13D48EUB002.ant.amazon.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 27 Apr 2022 17:02:43 -0400
Message-ID: <CAL02cgSctOjWsryNpqUC5u=gBhqjN91Fd5yY1pniTi+SmmsveQ@mail.gmail.com>
To: "Alwen, Joel" <alwenjo=40amazon.com@dmarc.ietf.org>
Cc: "mls@ietf.org" <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000cd63405dda922e3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/R5k3pjRtOUcf3xWkV1bjoOM56jQ>
Subject: Re: [MLS] Encoding padding as variable-size vector
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2022 21:02:56 -0000
TBH, I'm not sure we need to demarcate the padding at all -- just append
zero bytes. The real, non-padding data in MLSCiphertextContent is itself
length-delimited (assuming the content type is known), so there's no need
to signal how much padding there is. It's just whatever bytes are left in
the decrypted content. (We should still require it to be zero).
So we could do something like what TLS 1.3 does [1][2]:
struct {
select (content_type) { ... }
MLSMessageAuth auth;
uint8 zeros[length_of_padding];
} MLSCiphertextContent;
... with some prose to explain and require that any non-zero padding bytes
MUST cause a message to be rejected.
For context, we arrived at the current scheme in #213 [3]. That PR is
still correct that the prior scheme was ... too creative. The above
proposal would have the pendulum swing back a little bit, but I think not
too much.
--Richard
[1] https://datatracker.ietf.org/doc/html/rfc8446#section-5.2
[2] https://datatracker.ietf.org/doc/html/rfc8446#section-5.4
[3] https://github.com/mlswg/mls-protocol/pull/213/files
On Tue, Apr 26, 2022 at 9:55 PM Alwen, Joel <alwenjo=
40amazon.com@dmarc.ietf.org> wrote:
> In the MLSCiphertextContent struct we have a field for padding represented
> using a variable-size vector which helps hide information about the length
> of content; notably application messages. But because of the way we encode
> variable-size vectors it turns out you can't actually pad the rest of the
> content with certain number of bytes: namely 0, 65, 16386, 16387. (E.g. if
> you pad with a vector of 63 bytes the TLS encoding actually produces 64
> bytes for padding: 63 bytes + 1 length byte. But if you pad with 64 bytes
> you end up with a 66 byte encoding as now you need 2 bytes for the length.
>
> Not being able to pad with 0 is OK. But 65 is kind of annoying. E.g. if
> you want to pad to a target content length X bytes then if the rest of the
> content ends up being X-65 bytes long you are out of luck. (Assuming I'm
> right about how this all works) it seems a bit silly to me for a padding
> scheme to have somewhat arbitrary gaps like that; especially at a not
> unreasonable number of bytes to want to pad with.
>
> If I didn't miss something, and you all agree that its better to avoid
> having gaps like that then how about represent padding as, say, a fixed
> length vector's?
>
> - Joël
>
>
> Amazon Development Center Austria GmbH
> Brueckenkopfgasse 1
> 8020 Graz
> Oesterreich
> Sitz in Graz
> Firmenbuchnummer: FN 439453 f
> Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz
>
>
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>
- [MLS] Encoding padding as variable-size vector Alwen, Joel
- Re: [MLS] Encoding padding as variable-size vector Richard Barnes
- Re: [MLS] Encoding padding as variable-size vector Alwen, Joel
- Re: [MLS] Encoding padding as variable-size vector Rohan Mahy
- Re: [MLS] Encoding padding as variable-size vector Richard Barnes