IETF Logo Mail Archive

Re: [MLS] Encoding padding as variable-size vector

Rohan Mahy <rohan.mahy@wire.com> Mon, 02 May 2022 06:34 UTC

Return-Path: <rohan.mahy@wire.com>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FEDAC159483 for <mls@ietfa.amsl.com>; Sun, 1 May 2022 23:34:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wire-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id huJPw3pD2wSO for <mls@ietfa.amsl.com>; Sun, 1 May 2022 23:34:30 -0700 (PDT)
Received: from mail-pg1-x52c.google.com (mail-pg1-x52c.google.com [IPv6:2607:f8b0:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF29DC159482 for <mls@ietf.org>; Sun, 1 May 2022 23:34:30 -0700 (PDT)
Received: by mail-pg1-x52c.google.com with SMTP id q76so7965357pgq.10 for <mls@ietf.org>; Sun, 01 May 2022 23:34:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wire-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QcPqtyT2aA9xDwzabByNG8G3PG+k/fDfWHF9A2gINuQ=; b=Dw9z2IfLlmi9cjw3iS3bcKf7gw5vf7ig1jPvYegvgdUGLmHVXMNDjmVFDwVNqoMGsW uYUJ6hhW9kKNqDwKIsZ6PmlzFaR+l+LvVm0kKESs5NK1pM1mP1b/Zf5NjI5cLlfhXEHz PwmtJa0eOG25nHqUU94Mzi+RFD0x30yiQ8jWPm+M5EnjWvv2qOLiuWxPnJ9guF+lnrGU N/ezLez6yXIictcFJDeHTHO/5mhF+sEYWzU1oCWGn1SmReGZbjLgqzHk6O9cbP/5GQn3 L7FPhV9URgbsmv27kq/a/HQ1NGDvZ3vQboebxWhTn/MHxEI4Wc8nO+qlzrMQizben1S2 32rQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QcPqtyT2aA9xDwzabByNG8G3PG+k/fDfWHF9A2gINuQ=; b=SbvEb6RwNITuA4Vi93IyWAu8tTZeoJT7cZTXiE32zih42ncPA78aHIcGY++odOKgyX UxylKy0IjKL8E73TxBxXPchxowWGT2iNvzuTwB3iUxgrCxhu2TlX7WW1fGXlH6aC+2ou tMKG7SSXDkYl8OXvOrxVb0xUzalZoQtAKOYLfaUKFFSK9/Dect8/zs13S7O852+6I4SD BzAVK6sqrsxQJlf8uM2L9Z0ekONSux0Cbq34hpp+3CrBwTPt/NUd8yj/MmCqlGeUq+NM StF/C2ao+CZ0CkBqWKE/shvBKRLDKZ5/Xy0tnM9u6/rtP6MwYcZpEFysYMc8I3HHrfOg fNAA==
X-Gm-Message-State: AOAM533F6Qiho0aZqe/yOZ9Jmd1E4BTZxymQ2ASQS1O9K4mVUqeu/Ysr AJkXzfFLiAwGuh+NKJE1h3eMD5v1b1p7j18zd3q0ZQ==
X-Google-Smtp-Source: ABdhPJxPolFaqOxoNLX62Z0MrHMMVTRC1EVk4oE0bJUOdmsDAhcpHg3Jwwr0aVsUwsvbq5+wREvUQZIWcrQEAgWxVo4=
X-Received: by 2002:a62:a211:0:b0:50d:cdb2:87f4 with SMTP id m17-20020a62a211000000b0050dcdb287f4mr9012736pff.63.1651473269826; Sun, 01 May 2022 23:34:29 -0700 (PDT)
MIME-Version: 1.0
References: <9aa90871231e4291bb2a4d782b7b91c1@EX13D48EUB002.ant.amazon.com> <CAL02cgSctOjWsryNpqUC5u=gBhqjN91Fd5yY1pniTi+SmmsveQ@mail.gmail.com> <3165c19a8f5c471f9fccf1edd871c373@EX13D48EUB002.ant.amazon.com>
In-Reply-To: <3165c19a8f5c471f9fccf1edd871c373@EX13D48EUB002.ant.amazon.com>
From: Rohan Mahy <rohan.mahy@wire.com>
Date: Mon, 02 May 2022 08:34:18 +0200
Message-ID: <CACW8--N3GXwh7NV4KjCQru=e0g_gbOg4+Xia5De8Y1sNpR-EWA@mail.gmail.com>
To: "Alwen, Joel" <alwenjo=40amazon.com@dmarc.ietf.org>
Cc: Richard Barnes <rlb@ipv.sx>, "mls@ietf.org" <mls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009ab92005de0195ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/l9QvAijAFWDiQcSY9Cf7XbzPmSA>
Subject: Re: [MLS] Encoding padding as variable-size vector
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 06:34:35 -0000

I think we need:

struct {

    select (content_type) { ... }

    MLSMessageAuth auth;

    uint8 zeros[0..65535];

} MLSCiphertextContent;


so the length field of "zeros" is fixed at 2 octets.

Thanks,

-rohan


*Rohan Mahy  *l  Vice President Engineering, Architecture

Chat: @rohan_wire on Wire



Wire <https://wire.com/en/download/> - Secure team messaging.

*Zeta Project Germany GmbH  *l  Rosenthaler Straße 40,
<https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>10178
Berlin,
<https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>
Germany
<https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g>

Geschäftsführer/Managing Director: Morten J. Broegger

HRB 149847 beim Handelsregister Charlottenburg, Berlin

VAT-ID DE288748675


On Fri, Apr 29, 2022 at 3:21 AM Alwen, Joel <alwenjo=
40amazon.com@dmarc.ietf.org> wrote:

> > struct {
>
> >    select (content_type) { ... }
>
> >    MLSMessageAuth auth;
>
> >    uint8 zeros[length_of_padding];
>
> > } MLSCiphertextContent;
>
>
>
> This seems better. I.e. I think it now lets us pad to any target length of
> the resulting TLS serialization.
>
>
>
> One thought though: If I were parsing such a TLS serialization from a
> buffer more data after the struct starting with a 0 byte would I
> unambiguously know when I’ve reached the end the struct? If not is that a
> concern?
>
>
>
> - Joël
>
>
>
> *From:* Richard Barnes <rlb@ipv.sx>
> *Sent:* Thursday, 28 April 2022 06:03
> *To:* Alwen, Joel <alwenjo@amazon.com>
> *Cc:* mls@ietf.org
> *Subject:* RE: [EXTERNAL][MLS] Encoding padding as variable-size vector
>
>
>
> *CAUTION*: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sender and know
> the content is safe.
>
>
>
> TBH, I'm not sure we need to demarcate the padding at all -- just append
> zero bytes.  The real, non-padding data in MLSCiphertextContent is itself
> length-delimited (assuming the content type is known), so there's no need
> to signal how much padding there is.  It's just whatever bytes are left in
> the decrypted content.  (We should still require it to be zero).
>
>
>
> So we could do something like what TLS 1.3 does [1][2]:
>
>
>
> struct {
>
>     select (content_type) { ... }
>
>     MLSMessageAuth auth;
>
>     uint8 zeros[length_of_padding];
>
> } MLSCiphertextContent;
>
>
>
> ... with some prose to explain and require that any non-zero padding bytes
> MUST cause a message to be rejected.
>
>
>
> For context, we arrived at the current scheme in #213 [3].  That PR is
> still correct that the prior scheme was ... too creative.  The above
> proposal would have the pendulum swing back a little bit, but I think not
> too much.
>
>
>
> --Richard
>
>
>
>
>
> [1] https://datatracker.ietf.org/doc/html/rfc8446#section-5.2
>
> [2] https://datatracker.ietf.org/doc/html/rfc8446#section-5.4
>
> [3] https://github.com/mlswg/mls-protocol/pull/213/files
>
>
>
>
>
>
>
>
>
> On Tue, Apr 26, 2022 at 9:55 PM Alwen, Joel <alwenjo=
> 40amazon.com@dmarc.ietf.org> wrote:
>
> In the MLSCiphertextContent struct we have a field for padding represented
> using a variable-size vector which helps hide information about the length
> of content; notably application messages. But because of the way we encode
> variable-size vectors it turns out you can't actually pad the rest of the
> content with certain number of bytes: namely 0, 65, 16386, 16387. (E.g. if
> you pad with a vector of 63 bytes the TLS encoding actually produces 64
> bytes for padding: 63 bytes + 1 length byte. But if you pad with 64 bytes
> you end up with a 66 byte encoding as now you need 2 bytes for the length.
>
> Not being able to pad with 0 is OK. But 65 is kind of annoying. E.g. if
> you want to pad to a target content length X bytes then if the rest of the
> content ends up being X-65 bytes long you are out of luck. (Assuming I'm
> right about how this all works) it seems a bit silly to me for a padding
> scheme to have somewhat arbitrary gaps like that; especially at a not
> unreasonable number of bytes to want to pad with.
>
> If I didn't miss something, and you all agree that its better to avoid
> having gaps like that then how about represent padding as, say, a fixed
> length vector's?
>
> - Joël
>
>
> Amazon Development Center Austria GmbH
> Brueckenkopfgasse 1
> 8020 Graz
> Oesterreich
> Sitz in Graz
> Firmenbuchnummer: FN 439453 f
> Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz
>
>
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>
>
>
>
> Amazon Development Center Austria GmbH
> Brueckenkopfgasse 1
> 8020 Graz
> Oesterreich
> Sitz in Graz
> Firmenbuchnummer: FN 439453 f
> Firmenbuchgericht: Landesgericht fuer Zivilrechtssachen Graz
>
>
> _______________________________________________
> MLS mailing list
> MLS@ietf.org
> https://www.ietf.org/mailman/listinfo/mls
>

v2.23.0 | Report a Bug | By Email