Re: [TLS] Choice of Additional Data Computation

Hanno Becker <Hanno.Becker@arm.com> Wed, 06 May 2020 06:00 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yYE4pwKn31IKEESRoPNHtsP7TE8>

Hi Felix,

Thanks for chiming in!

> First of all, let me make sure I correctly understand that
>  * "on-the-wire header" is what's exemplified in Fig. 4 of the draft
>  * "pseudo-header" would be a superset, esp. including full epoch, full
> sequence number, length, connection ID, ... -- what else?

Perhaps version and content type, though at least the latter is fixed.

> Further, I understand there is _no_ unique mapping from pseudo-header to
> on-the-wire header (as the latter may be compressed in different ways).

Yes.

> The latter, to me, suggests that authenticating the pseudo-header alone
> may not be sufficient. It would at least allow on-path modifications to
> the on-the-wire header, which I don't expect is intended.

Can we go a bit into this? As mentioned in the original thread
https://mailarchive.ietf.org/arch/msg/tls/VK9e6fA9jdQVFc6tQNWNO8OThU8/
there are some (arguable) considerations of why it has practical benefits
to not cryptographically bind the header _format_ to the record.

Those considerations, however, are secondary to security considerations,
so they didn't surface here so far.

Could we therefore clarify:

Are there any _security_ concerns arising from the modifiability of the
header format assuming the underlying pseudo-header is bound via AEAD?

I don't see one so far, but might miss something. In my head, once the logical
data is authenticated, the entire on-the-wire header merely degrades to a 'hint'
to the receiver as to what the logical header data is, the precise form of which
is entirely irrelevant.

_If_ there are no security concerns (and only then), I'd like to bring up those secondary
considerations from https://mailarchive.ietf.org/arch/msg/tls/VK9e6fA9jdQVFc6tQNWNO8OThU8/
regarding modularity, efficiency and flexibility again, arguing in favor of purely logical AEAD
omitting the wire-format.

> 1) The length is implicitly authenticated through the ciphertext itself
> -- tampering with the ciphertext, in particular its length, will make
> AEAD decryption fail.
> 2) The full sequence number is implicitly authenticated through the
> nonce -- decoding the wrong sequence number will (offset by the IV)
> yield a different nonce, leading AEAD decryption to fail.

Would you expect a change in proof complexity when switching
to explicit length and sequence number authentication in the AEAD?

>  4) I slightly disagree with "epochs determine the key" (true) as, what
> I understand is, an argument that "the full epoch is implicitly
> authenticated by using the right key", at least in its absoluteness. My
> *guess* would be that, due to the key schedule, this argument comes down
> to the probability of keys colliding (which is anyway to be avoided, so
> probably fine). Still, from a security analysis point of view, showing
> security with key updates might be easier if the (full) epoch was
> authenticated as part of the AAD.

Yes, that matches my thinking above - it's probably practically fine, but
a formal argument gets more complex without explicit epoch authentication
because it involves the mapping { epoch id } -> { keys }.

Regards,
Hanno
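To make the pseudo-header versus on-the-wire-header distinction concrete, here is an added example (mine, not from this thread or from any DTLS implementation): a toy record layer whose AEAD is a stand-in built from HMAC-SHA256, whose wire header is modelled loosely on the DTLS 1.3 unified header, and which can bind either the pseudo-header or the on-the-wire header as AAD. All keys, IVs, CIDs and sequence numbers are constructed values. It shows that with pseudo-header binding a re-encoded header still decrypts (the header is only a hint to the logical data), that binding the wire header makes the same re-encoding fail, and that a wrong sequence-number guess fails either way through the nonce, as Felix's point 2 describes.

```python
import hashlib, hmac, struct

TAG = 16  # tag length of the stand-in AEAD

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def aead_seal(key, nonce, aad, plaintext):
    # stand-in AEAD (not a real cipher): HMAC keystream XOR, then HMAC tag over nonce || AAD || ciphertext
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct + hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:TAG]

def aead_open(key, nonce, aad, sealed):
    ct, tag = sealed[:-TAG], sealed[-TAG:]
    want = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:TAG]
    if not hmac.compare_digest(tag, want):
        return None  # AEAD failure: wrong key, nonce, AAD or ciphertext
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def record_nonce(iv, seq):
    # TLS 1.3 per-record nonce: static IV XOR the full 64-bit sequence number
    return bytes(a ^ b for a, b in zip(iv, seq.to_bytes(len(iv), "big")))

def pseudo_header(epoch, seq, cid, length):
    # logical ("pseudo") header: full epoch, full sequence number, CID and length
    return struct.pack(">HQ", epoch, seq) + cid + struct.pack(">H", length)

def wire_header(epoch, seq, cid, length, seq16=False, with_len=True):
    # simplified on-the-wire form modelled on the DTLS 1.3 unified header:
    # 001C S L EE, then CID, 8- or 16-bit truncated seqnum, optional length
    first = 0x20 | (0x10 if cid else 0) | (0x08 if seq16 else 0) | (0x04 if with_len else 0) | (epoch & 3)
    seq_bytes = struct.pack(">H", seq & 0xFFFF) if seq16 else bytes([seq & 0xFF])
    return bytes([first]) + cid + seq_bytes + (struct.pack(">H", length) if with_len else b"")

def protect(key, iv, epoch, seq, cid, pt, bind_wire):
    hdr = wire_header(epoch, seq, cid, len(pt) + TAG)
    aad = hdr if bind_wire else pseudo_header(epoch, seq, cid, len(pt) + TAG)
    return hdr, aead_seal(key, record_nonce(iv, seq), aad, pt)

def unprotect(key, iv, epoch, seq_guess, cid, hdr, sealed, bind_wire):
    # receiver reconstructs the logical (epoch, seqnum) from the header hint plus its own state
    aad = hdr if bind_wire else pseudo_header(epoch, seq_guess, cid, len(sealed))
    return aead_open(key, record_nonce(iv, seq_guess), aad, sealed)

def demo(bind_wire):
    key, iv, cid, epoch, seq, pt = b"k" * 32, bytes(range(12)), b"\xc1\xd2", 3, 0x0102, b"application data"
    hdr, sealed = protect(key, iv, epoch, seq, cid, pt, bind_wire)  # sent with 8-bit seqnum, length present
    # constructed on-path re-encoding of the same record: 16-bit seqnum, length omitted, ciphertext untouched
    rehdr = wire_header(epoch, seq, cid, len(sealed), seq16=True, with_len=False)
    return {
        "original header": unprotect(key, iv, epoch, seq, cid, hdr, sealed, bind_wire) == pt,
        "re-encoded header": unprotect(key, iv, epoch, seq, cid, rehdr, sealed, bind_wire) == pt,
        "wrong seqnum guess": unprotect(key, iv, epoch, seq + 256, cid, hdr, sealed, bind_wire) == pt,
    }
```

`demo(False)` (pseudo-header as AAD) accepts the re-encoded header, while `demo(True)` (wire header as AAD) rejects it; both reject the wrong sequence-number guess.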