IETF Logo Mail Archive

Re: [TLS] DTLS 1.3 AEAD additional data

Christopher Wood <caw@heapingbits.net> Sun, 26 April 2020 14:49 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1235A3A0793 for <tls@ietfa.amsl.com>; Sun, 26 Apr 2020 07:49:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=dbVuI783; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=dNmMCXMM
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zsPmjcLx6S06 for <tls@ietfa.amsl.com>; Sun, 26 Apr 2020 07:49:27 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DBCC3A0791 for <tls@ietf.org>; Sun, 26 Apr 2020 07:49:27 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id BFFD75C0108; Sun, 26 Apr 2020 10:49:26 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Sun, 26 Apr 2020 10:49:26 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=gpP6ou7WwShqq28KpasFdAZTcf0ecWt S/4DbFIHdSso=; b=dbVuI783k4xciKYDV2NskypxV7SoesZN7zGlGmPriqUqTLD DqAlR7NAFTbno+18IOxttzxcnTTLWSjv4i9MoThIUwCABOMD7OMTgm3BfbjXlNGj jrDI1F+ebSTsntMVWyZIsHpyR+61KUnBatA0qtYY+8GkE474bAO5LzFuYPsQCfTE KxbNDC40GphZ7WtBwH9SmLwssFWc26Cu6KfN0HqSoz4QMJ2wWWnyy6W55ZwAI/Iq 9alD7ug2AxidbNQoM8nOkPD7wOKmaNBMNbLXHZOZg2k58Q/cysTpda7ZlTwTZMCr Df3NVof3Ktw3I9i4KUYhWITX64EnGCT7UCiM3uA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=gpP6ou 7WwShqq28KpasFdAZTcf0ecWtS/4DbFIHdSso=; b=dNmMCXMMw0KqIHpmfpP/h3 TxFJ35augGtYPEngNIQvrRLcv9MPLliXi26rGrKQOxfWKspMDxWLDuzvu7gXbX3b MPvo4Qrlgwc982QH0XG+3HP0fjYHVWqkMSlfFxNiUvaiNq8uYEcsPVO1yqciWfly PUrto2xgpzv7KcgewtOba87TiDdoUQ9ua8ufXWxdI2BGnCCkzR8+dJBOfqunhq2V MI7Uw96UtMdjn7Jwfi8ZZQnn/jyOItEJioGXOtS7IXpBm79wXZNx/PguDttbh9BY X6lemLkiEVDtsrxusanrujEmX7SLTJKaWV3bvgwBtbo8kMFIbliUifT85I4/4bdA ==
X-ME-Sender: <xms:dp-lXmWYJV05yBOgLz65xnAPrKmy3n431SFe3IEsfMvKDYTzCPLA_g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrheejgdekfecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfvehhrhhi shhtohhphhgvrhcuhghoohgufdcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqe enucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegtrgif sehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:dp-lXvu2fY2SbDbZp-5SDD86_4Vj2B36nlO9d_3CHsitUEIaq_gzpA> <xmx:dp-lXq1SwSiOEAX9LLqwyNGAwmarARqD0BHpzMVPdgeY-ffOcKYhhg> <xmx:dp-lXuUi7eM4yvsjjRVGsb6wrkHHmnjKQitNAidBZKe4oYTYg9R9Dw> <xmx:dp-lXqMfLoMNiTmsLkTPzgJTh6PYwwJIhN2Fh45p4BTDiQJbcjdKgQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 2073F3C00A1; Sun, 26 Apr 2020 10:49:26 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-dev0-351-g9981f4f-fmstable-20200421v1
Mime-Version: 1.0
Message-Id: <18d9978c-1dd1-4365-827c-94c121099949@www.fastmail.com>
In-Reply-To: <009D63D5-6353-4429-A62C-EB7617E4B9EC@arm.com>
References: <AM6PR08MB3318911C71C0DDB90480694A9BD50@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBMs+o4BU5VhqJKmQvnkEe9RkQXRv7Ej6pVD1-e1vdMoyA@mail.gmail.com> <CABcZeBM9Ri=Rz5kbWn08Vk-Y14MVSALwB1Bd9QV=HfWoq3XqSA@mail.gmail.com> <AM6PR08MB33184161239B6383EA7D776C9BD20@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBM4wVkH_pdTZMakyV9Y=tk8PNDknHTFhjwX-sw3GOOaZw@mail.gmail.com> <AM6PR08MB3318D6A11587449627F6EA679BD20@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBNcODKehe217nr2jSedy6N6Gun+QYcksFp2Oqv6gLrzzw@mail.gmail.com> <AM6PR08MB3318717D21E69A2373AC1ACE9BD20@AM6PR08MB3318.eurprd08.prod.outlook.com> <8371994b-799c-4196-a3cd-4b0f71e24b5e@www.fastmail.com> <CABcZeBNbehkW8FO29DS00m19+b=dH8V8esscu8OU-mmaJf6etQ@mail.gmail.com> <5b74a840-a1cd-4b5b-a0c5-65320b851325@www.fastmail.com> <CABcZeBOvm-nx6hKR79ChN=A4RFzWgt=-BzjORc=N7_A79tO6Ng@mail.gmail.com> <AM6PR08MB3318D5881B8D2BEFF938F2B79BD30@AM6PR08MB3318.eurprd08.prod.outlook.com> <1e6201d6-a078-4137-898d-d1554c22aa10@www.fastmail.com> <CABcZeBPs7gOenD8Fs2uFXxY=hHyvwiKAvqkDPNzSZDTuReuBJg@mail.gmail.com> <fd9e2ddd-a79d-4f52-be17-92ba688d618f@www.fastmail.com> <E1F21884-A4FE-4057-B670-387A8B4C3100@arm.com> <1CBF6B88-8830-44A4-8F9B-143F884FF6ED@arm.com> <009D63D5-6353-4429-A62C-EB7617E4B9EC@arm.com>
Date: Sun, 26 Apr 2020 07:49:05 -0700
From: Christopher Wood <caw@heapingbits.net>
To: Thomas Fossati <Thomas.Fossati@arm.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0Psyhc_guQiMrfbelWc68S1RF1E>
Subject: Re: [TLS] DTLS 1.3 AEAD additional data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2020 14:49:29 -0000

On Sun, Apr 26, 2020, at 2:37 AM, Thomas Fossati wrote:
> On 25/04/2020, 11:43, "Thomas Fossati" <Thomas.Fossati@arm.com> wrote:
> > On 25/04/2020, 11:11, "Thomas Fossati" <Thomas.Fossati@arm.com> wrote:
> > > On 25/04/2020, 01:30, "Christopher Wood" <caw@heapingbits.net>
> > > wrote:
> > > > On Thu, Apr 23, 2020, at 2:17 PM, Eric Rescorla wrote:
> > > > > 1. Allowing implicit CIDs is very recent (it was introduced in
> > > > > -34)
> > > > > 2. The CID specification explicitly prohibits it for DTLS 1.2.
> > > > > 3. I haven't really heard a very compelling argument for this
> > > > >    and I note that QUIC forbids it [and in fact has much worse
> > > > >    problems when you mix epochs because the long header is so
> > > > >    long]
> > > > >
> > > > > So, given that the simplest and most consistent thing is to
> > > > > simply forbid it: can someone make an argument for why this is
> > > > > important to permit?
> > > >
> > > > Thanks to everyone who participated in this thread so far! Given
> > > > the points above, the chairs would like to hear arguments in favor
> > > > of implicit CIDs. Absent substantial rationale, we'll assume rough
> > > > consensus for explicit CIDs.
> > >
> > > Hi Chris, I think implicit CID needs to be considered in the wider
> > > scope of unified_hdr compression, together with implicit length and
> > > shortened epoch.  In particular, from Chris P's emails I understand
> > > that being able to authenticate records' length is a core assumption
> > > in the security proof of TLS.  Therefore leaving it out from DTLS
> > > AAD when it's not in the header looks like a pretty bad idea.  If
> > > this is the case (i.e. the fact that the wire image by itself is not
> > > sufficient input to the AAD), then authenticating implicit CIDs
> > > should just come in the same bundle.
> >
> > Sorry, scratch that for the moment - I had missed the most recent
> > emails on this thread :-(
> 
> Back to this after having read and digested the parallel thread.
> 
> As it stands I don't think we have enough data to take an optimal
> decision with respect to what needs to be input to the AAD.
> 
> I suggest we err on the side of caution and use a pseudo-header approach
> where the pseudo-header equates the wire-header (except the epoch is in
> full) when no compression is involved and otherwise includes all the
> elided fields.
> 
> I also note that it'd be great if the formal verification community
> could carve some time to look into the security of DTLS 1.3.  There is
> certainly a lot of overlap with TLS and I guess substantial parts of the
> modelling can be reused, but there are interesting differences (in
> particular, around the tight knit between reliability and security
> layers during handshake) that are unique to DTLS and likely deserve a
> more careful look.

Thanks, Thomas. To clarify (as the request was about prohibiting implicit CIDs and not more generally about what's included in the AAD), you'd prefer we allow implicit CIDs, correct? I agree that backing analysis would be generally useful here.

Best,
Chris

v2.23.0 | Report a Bug | By Email