IETF Logo Mail Archive

[Ohai] Padding message contents

Martin Thomson <mt@lowentropy.net> Fri, 10 December 2021 01:13 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: ohai@ietfa.amsl.com
Delivered-To: ohai@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C38B3A167E for <ohai@ietfa.amsl.com>; Thu, 9 Dec 2021 17:13:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=eLuBmNAI; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Qsish5KF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pBC-dK1El__L for <ohai@ietfa.amsl.com>; Thu, 9 Dec 2021 17:13:09 -0800 (PST)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E9E53A167D for <ohai@ietf.org>; Thu, 9 Dec 2021 17:13:08 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id 3194F3201DB2 for <ohai@ietf.org>; Thu, 9 Dec 2021 20:13:08 -0500 (EST)
Received: from imap41 ([10.202.2.91]) by compute3.internal (MEProxy); Thu, 09 Dec 2021 20:13:08 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:date:from:to:subject:content-type; s= fm1; bh=7ue6+/ZA2vyxpszmm2a1yf/x4x+Lw/Zi0fkqxFUWRqY=; b=eLuBmNAI sPbBuz4wlVUNgxzSvO2ozaBD9smEIMlXIWzJPWbTIhA8mbGwkLgJGTMbTxgDQu7n bOSLBHB/npkQ+3aJqLGXsO0GUvl9fYIvbw51fVfKmAy3nJ9NsNNbG7n4TrMUEHiL RK566A3flJgV6XwWjOW407lLaeOam/jBze2VwwRlr7DXCwlk66bfFautOaqGD0kg Hg8FGjlX+PZaJmdJSzNtWpLuMD6b2c8MATcrKGOWyvneE+5Ztl3HAyMrONm1dI/j Niom3oQkpBZmY225zo/cRX4xC7Hm1nuO/dR7kRZeJpuM8jqT/b/qy9fmxA97jLRc g/fAg3nEKFnzbQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:message-id :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=7ue6+/ZA2vyxpszmm2a1yf/x4x+Lw /Zi0fkqxFUWRqY=; b=Qsish5KFNyjSVPeg4HNdiMf306kwxGxWQsaq9Qr25f2c9 8bzsOZT1OZU0U5V8rzzlFvdYjzfhDSZ+qUkZTJEYcNZpnwYmbUul3NIZuCnOpOHV c4MehL28dl7cqHMbVfn/4yI3DXiS812z91CE/Cx9Ah3UteKvZfK5tGv+9SmYlsdw 5sytnm4CuIloxmUMMzAz1bcQHmz5byauwsACbe8lUQYLLYPumBDEmcUwSqh2giHz SNsnvA7juqcaTBXySnp7eB55H7hFGv4ULXQM1j/eAX7Kg1QT/NffbGKFzSHg5QAK ViFRkDzfMEzU5ab0i5vwBPlZaOPSMKOpNgppNp9Rg==
X-ME-Sender: <xms:o6myYd9SKHPV73fbtVWnlgjdcu9AOL6bXjhvLTC8dqvxGszC3Gcijg> <xme:o6myYRu_KVJtV91Gl_9g9pyddMXfF6zGOh4EWdauDV3x-BxDCsi4AUoM8DWWvn3AD hduaO7-uS064fMTR0I>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrkedugdefudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkfffhvffutgesthdtredtre ertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghn thhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhepgeeuheeujedvieevffehvdekge ffkefggfdtteelfeekfeeftdejhfdtuddvuddtnecuffhomhgrihhnpehgihhthhhusgdr tghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe hmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:o6myYbD4vAvncMjposf1RtOdSZOKdEaR7GMqRCrPU3jjVuM1wNNMxA> <xmx:o6myYRdvB-4ub6dui0hVMmV6EfQlLUpGekOhmwReMn2YocmLTQgNHQ> <xmx:o6myYSO7cJ5-I8r4OHm8RlmlSmT6BbJNUi9iPbx4HwhqNazDYVE5Dw> <xmx:o6myYYaaNuvRR0iibNm-CV36qCyMnWPKeOLi2tTgrJ7TIK19uWaX3g>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 7A63D3C0246; Thu, 9 Dec 2021 20:13:07 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-4514-g2bdc19e04f-fm-20211209.002-g2bdc19e0
Mime-Version: 1.0
Message-Id: <35825904-2bca-4cde-a8ae-e93244c109d6@www.fastmail.com>
Date: Fri, 10 Dec 2021 12:12:48 +1100
From: Martin Thomson <mt@lowentropy.net>
To: ohai@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohai/WEQVWhTRyUzbmNanxME_2CEMNMA>
Subject: [Ohai] Padding message contents
X-BeenThere: ohai@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Oblivious HTTP Application Intermediation <ohai.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ohai>, <mailto:ohai-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ohai/>
List-Post: <mailto:ohai@ietf.org>
List-Help: <mailto:ohai-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ohai>, <mailto:ohai-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Dec 2021 01:13:15 -0000

tl;dr I propose we simplify the padding scheme and move it to binary messages.

Changes proposed:
https://github.com/ietf-wg-ohai/oblivious-http/pull/83
https://github.com/httpwg/http-extensions/pull/1832

---
Tommy Pauly asked me a question about a bug in my implementation of the OHTTP specification that prompted me to realize that there are a few problems with the padding design.  I'd been meaning to come back to it, so here we are.

This is the current format of the plaintext input to HPKE:

Plaintext Message {
  Message Length (i),
  Message (..),
  Padding Length (i),
  Padding (..),
}

However, this is slightly redundant.  The binary message format has a really convenient property that it is length-delimited.

It also suffers from an awkward discontinuity when your padding gets long enough to reach the point that the size of the VLI length increases.  63 bytes of padding takes a single octet of length; 64 bytes takes two bytes minimum.  So with minimum-sized lengths, you go from 64 bytes all up to 66.  You can avoid that by encoding 63 bytes of length with a two byte length field, but that requires custom (read: fragile) code.

There's a simpler design, just extend the binary HTTP message with zero bytes:

Plaintext Message {
  Message (..),
  Zeros (..),
}

Binary HTTP messages are length-prefixed internally so there is no risk of ambiguity, with one wrinkle (see below).

This results in a little loss of generality, but I don't think that's a problem.  It doesn't make sense to have generic media type switching at this layer: that's complexity.  So we can (and should) recognize that message/ohttp-req maps to message/bhttp always; same for message/ohttp-res.

Another protocol that wants to reuse the work we've done here to make a similar sort of format can switch out the type of protected message by choosing a different encapsulation.  As long as that format is length-prefixed (or doesn't end in a zero byte, I guess), they can use an identical encapsulation.  But there are other things they would want to do, such as use different key derivation labels to maintain key diversity, etc...

One consequence of this sort of change is that you don't have an easy way to carve out the message part from the zeros part without understanding (and parsing) the message format.  If you could rely on your binary message format being able to handle padding, then you could just hand the whole blob over for processing.  If we also consider the potential for binary messages to be used outside of this context, having padding in that format is probably a good feature to have.

To that end, I'm going to propose that we add the ability to pad with zeroes to the binary-messages draft (which will need an email to the HTTP WG) and remove this Plaintext Message structure entirely.  The plaintext input would just be the binary-encoded http-message.

I've written a pull request with proposed changes to the binary HTTP message draft: 
https://github.com/httpwg/http-extensions/pull/1832

And a pull request for the OHTTP draft:
https://github.com/ietf-wg-ohai/oblivious-http/pull/83

v2.23.0 | Report a Bug | By Email