Re: [MLS] Encoding padding as variable-size vector
"Alwen, Joel" <alwenjo@amazon.com> Thu, 28 April 2022 14:55 UTC
Return-Path: <prvs=1105a5559=alwenjo@amazon.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22752C157B5A for <mls@ietfa.amsl.com>; Thu, 28 Apr 2022 07:55:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.17
X-Spam-Level:
X-Spam-Status: No, score=-15.17 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.575, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cWaraS_NicYq for <mls@ietfa.amsl.com>; Thu, 28 Apr 2022 07:55:34 -0700 (PDT)
Received: from smtp-fw-9103.amazon.com (smtp-fw-9103.amazon.com [207.171.188.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3680C15EB48 for <mls@ietf.org>; Thu, 28 Apr 2022 07:55:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1651157716; x=1682693716; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=NPHecMDecXl7tCc4M9BKcGIewg81aEyUSSHhH2hXA+0=; b=sdF+eAkGVVNZWkoaV0f+hFK9M/cVp0sW/QFdPVwcekevgiHTcPJnDuHI mbtX4Fe3W4EPnu9vD3xQjZ0nHea+YDyw6nmLKqrsYZbMYkXROr6fgmp40 aPezQP0H3gkN3RRcjimXVAzhvrhuYXqwx8f9c31sEFFyZnvhAbBrYdiy6 8=;
X-IronPort-AV: E=Sophos;i="5.91,295,1647302400"; d="scan'208,217";a="1011434660"
Thread-Topic: [MLS] Encoding padding as variable-size vector
Received: from pdx4-co-svc-p1-lb2-vlan2.amazon.com (HELO email-inbound-relay-pdx-2c-5c4a15b1.us-west-2.amazon.com) ([10.25.36.210]) by smtp-border-fw-9103.sea19.amazon.com with ESMTP; 28 Apr 2022 14:54:57 +0000
Received: from EX13D48EUB002.ant.amazon.com (pdx1-ws-svc-p6-lb9-vlan2.pdx.amazon.com [10.236.137.194]) by email-inbound-relay-pdx-2c-5c4a15b1.us-west-2.amazon.com (Postfix) with ESMTPS id 63DA041842; Thu, 28 Apr 2022 14:54:56 +0000 (UTC)
Received: from EX13D48EUB002.ant.amazon.com (10.43.166.35) by EX13D48EUB002.ant.amazon.com (10.43.166.35) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Thu, 28 Apr 2022 14:54:55 +0000
Received: from EX13D48EUB002.ant.amazon.com ([10.43.166.35]) by EX13D48EUB002.ant.amazon.com ([10.43.166.35]) with mapi id 15.00.1497.033; Thu, 28 Apr 2022 14:54:55 +0000
From: "Alwen, Joel" <alwenjo@amazon.com>
To: Richard Barnes <rlb@ipv.sx>
CC: "mls@ietf.org" <mls@ietf.org>
Thread-Index: AdhVj6PTTzmLP8fwSaqHiJmt+UUMOQE6n9aAACTp16A=
Date: Thu, 28 Apr 2022 14:54:55 +0000
Message-ID: <3165c19a8f5c471f9fccf1edd871c373@EX13D48EUB002.ant.amazon.com>
References: <9aa90871231e4291bb2a4d782b7b91c1@EX13D48EUB002.ant.amazon.com> <CAL02cgSctOjWsryNpqUC5u=gBhqjN91Fd5yY1pniTi+SmmsveQ@mail.gmail.com>
In-Reply-To: <CAL02cgSctOjWsryNpqUC5u=gBhqjN91Fd5yY1pniTi+SmmsveQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.164.162]
Content-Type: multipart/alternative; boundary="_000_3165c19a8f5c471f9fccf1edd871c373EX13D48EUB002antamazonc_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/gQJsNJ47Jpc5b9MgDJBW55tFew8>
X-Mailman-Approved-At: Thu, 28 Apr 2022 18:21:50 -0700
Subject: Re: [MLS] Encoding padding as variable-size vector
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2022 14:55:38 -0000
> struct {
> select (content_type) { ... }
> MLSMessageAuth auth;
> uint8 zeros[length_of_padding];
> } MLSCiphertextContent;
This seems better. I.e. I think it now lets us pad to any target length of the resulting TLS serialization.
One thought though: If I were parsing such a TLS serialization from a buffer more data after the struct starting with a 0 byte would I unambiguously know when I’ve reached the end the struct? If not is that a concern?
- Joël
From: Richard Barnes <rlb@ipv.sx>
Sent: Thursday, 28 April 2022 06:03
To: Alwen, Joel <alwenjo@amazon.com>
Cc: mls@ietf.org
Subject: RE: [EXTERNAL][MLS] Encoding padding as variable-size vector
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
TBH, I'm not sure we need to demarcate the padding at all -- just append zero bytes. The real, non-padding data in MLSCiphertextContent is itself length-delimited (assuming the content type is known), so there's no need to signal how much padding there is. It's just whatever bytes are left in the decrypted content. (We should still require it to be zero).
So we could do something like what TLS 1.3 does [1][2]:
struct {
select (content_type) { ... }
MLSMessageAuth auth;
uint8 zeros[length_of_padding];
} MLSCiphertextContent;
... with some prose to explain and require that any non-zero padding bytes MUST cause a message to be rejected.
For context, we arrived at the current scheme in #213 [3]. That PR is still correct that the prior scheme was ... too creative. The above proposal would have the pendulum swing back a little bit, but I think not too much.
--Richard
[1] https://datatracker.ietf.org/doc/html/rfc8446#section-5.2
[2] https://datatracker.ietf.org/doc/html/rfc8446#section-5.4
[3] https://github.com/mlswg/mls-protocol/pull/213/files
On Tue, Apr 26, 2022 at 9:55 PM Alwen, Joel <alwenjo=40amazon.com@dmarc.ietf.org<mailto:40amazon.com@dmarc.ietf.org>> wrote:
In the MLSCiphertextContent struct we have a field for padding represented using a variable-size vector which helps hide information about the length of content; notably application messages. But because of the way we encode variable-size vectors it turns out you can't actually pad the rest of the content with certain number of bytes: namely 0, 65, 16386, 16387. (E.g. if you pad with a vector of 63 bytes the TLS encoding actually produces 64 bytes for padding: 63 bytes + 1 length byte. But if you pad with 64 bytes you end up with a 66 byte encoding as now you need 2 bytes for the length.
Not being able to pad with 0 is OK. But 65 is kind of annoying. E.g. if you want to pad to a target content length X bytes then if the rest of the content ends up being X-65 bytes long you are out of luck. (Assuming I'm right about how this all works) it seems a bit silly to me for a padding scheme to have somewhat arbitrary gaps like that; especially at a not unreasonable number of bytes to want to pad with.
If I didn't miss something, and you all agree that its better to avoid having gaps like that then how about represent padding as, say, a fixed length vector's?
- Joël
Amazon Development Center Austria GmbH
Brueckenkopfgasse 1
8020 Graz
Oesterreich
Sitz in Graz
Firmenbuchnummer: FN 439453 f
Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz
_______________________________________________
MLS mailing list
MLS@ietf.org<mailto:MLS@ietf.org>
https://www.ietf.org/mailman/listinfo/mls
Amazon Development Center Austria GmbH
Brueckenkopfgasse 1
8020 Graz
Oesterreich
Sitz in Graz
Firmenbuchnummer: FN 439453 f
Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz
- [MLS] Encoding padding as variable-size vector Alwen, Joel
- Re: [MLS] Encoding padding as variable-size vector Richard Barnes
- Re: [MLS] Encoding padding as variable-size vector Alwen, Joel
- Re: [MLS] Encoding padding as variable-size vector Rohan Mahy
- Re: [MLS] Encoding padding as variable-size vector Richard Barnes