Re: [TLS] DTLSv1.3: Record Number in AEAD computation

"Cunningham, Andrew" <andrew.cunningham@intel.com> Mon, 30 May 2022 11:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6i7F5sBJRL8D68CQsTXQxKVM1j8>

Hi all,

I am also struggling a bit with the nonce construction for DTLS 1.3 now that we have moved to a 128-bit record_number.

The TLS 1.3 per-record nonce for the AEAD construction is formed as follows:
https://datatracker.ietf.org/doc/html/rfc8446#section-5.3

   1.  The 64-bit record sequence number is encoded in network byte order and padded to the left with zeros to iv_length.
   2.  The padded sequence number is XORed with either the static client_write_iv or server_write_iv (depending on the role).

In a prior version of the DTLS draft specification my understanding was we had the following:

Based on the above TLS 1.3 construction, the DTLS 1.3 per-record nonce for the AEAD construction is formed as follows:

   1.  The 16-bit epoch and 48-bit record sequence number is encoded in network byte order and padded to the left with zeros to iv_length.
   2.  The padded sequence number is XORed with either the static client_write_iv or server_write_iv (depending on the role).

I believe the change to a 128-bit record number in the RFC results in the following:

The DTLS 1.3 per-record nonce for the AEAD construction is formed as follows:

   1.  The 64-bit record sequence number is encoded in network byte order and padded to the left with zeros to iv_length.
   2.  The padded sequence number is XORed with either the static client_write_iv or server_write_iv (depending on the role).

Is my understanding correct here, or am I misinterpreting the specification? I am also wondering: other than the 2 bits of epoch in the AAD for the AEAD function, what are we going to use the upper 48 bits of the epoch field for?

* Is it solely used for the ACK/Plaintext messages now?

Regards
Andy




On Mon, May 02, 2022 at 10:58:50AM +0200, Marco Oliverio wrote:
> Hi all,
>
> In the RFC9147, in the last paragraph of Section 4 it's stated:
>
> """
> This 128-bit value is used in the ACK message as well as in the
> "record_sequence_number" input to the Authenticated Encryption with
> Associated Data (AEAD) function.
> """
>
> But the very last sentence of the same paragraph states:
>
> """
> In DTLS 1.3 the 64-bit sequence_number is used as the sequence number
> for the AEAD computation; unlike DTLS 1.2, the epoch is not included.
> """
>
> Aren't these statements contradictory?
>
> I think only the 64-bit sequence number is meant to be used and the
> first paragraph is a replace-error done while increasing the epoch
> size from the last draft.

Yes, the sequence number in the AEAD is meant to be 64-bit. A 128-bit
sequence number is not compatible with any mainstream TLS 1.3 ciphersuite
(since it would require a nonce of at least 16 octets, but all the main
ciphers have 12-octet nonces).

And there are further problems. What is the "record_sequence_number"
input? That sentence is the only match for 'record_sequence_number'
in RFC9147, and there are no matches in RFC8446.


I also found this in section 4.1:

"If the first byte is alert(21), handshake(22), or ack(proposed, 26),
the record MUST be interpreted as a DTLSPlaintext record."

I presume "proposed" should not be there (ACK is indeed ContentType 26).



-Ilari
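
The three nonce constructions compared in this thread (TLS 1.3, the earlier DTLS 1.3 draft with epoch || sequence number, and RFC 9147 with the 64-bit sequence_number alone), together with the unified header that serves as the AEAD additional data, as an added example by the editor. This is not code from any of the messages above or from an IETF implementation. It assumes a 12-octet iv_length (the AES-GCM and ChaCha20-Poly1305 case Ilari refers to), a constructed write_iv, and the unified header layout of RFC 9147 Figure 4 (bits 0 0 1 C S L E E); all function names are the editor's own.

```python
"""DTLS 1.3 per-record AEAD inputs: nonce and additional data.

Added example for this thread, not code from any of the messages above
or from an IETF implementation.  Assumptions (not stated in the thread):
  - iv_length is 12 octets, matching the AES-GCM and ChaCha20-Poly1305
    suites Ilari refers to; SAMPLE_WRITE_IV is a constructed value.
  - The unified header follows RFC 9147 Figure 4 (bits 0 0 1 C S L E E),
    so only the low two bits of the epoch reach the additional data.
  - All function names here are the editor's own.
"""

IV_LENGTH = 12

# Constructed sample client_write_iv / server_write_iv; any 12 octets work.
SAMPLE_WRITE_IV = bytes.fromhex("a0b1c2d3e4f5061728394a5b")


def _pad_and_xor(seq_bytes: bytes, write_iv: bytes) -> bytes:
    """Steps 1 and 2 of the RFC 8446 / RFC 9147 construction.

    Left-pads the encoded sequence number with zeros to iv_length and
    XORs it with the static write IV.  Raises ValueError when the encoded
    number is longer than the IV, which is Ilari's objection to feeding a
    128-bit record number into a 12-octet nonce.
    """
    if len(seq_bytes) > len(write_iv):
        raise ValueError(
            f"{len(seq_bytes) * 8}-bit sequence number does not fit a "
            f"{len(write_iv)}-octet nonce"
        )
    padded = seq_bytes.rjust(len(write_iv), b"\x00")
    return bytes(p ^ v for p, v in zip(padded, write_iv))


def tls13_nonce(write_iv: bytes, seq64: int) -> bytes:
    """RFC 8446 Section 5.3: 64-bit record sequence number, network byte order."""
    return _pad_and_xor(seq64.to_bytes(8, "big"), write_iv)


def dtls13_draft_nonce(write_iv: bytes, epoch16: int, seq48: int) -> bytes:
    """The earlier-draft form quoted by Andy: 16-bit epoch || 48-bit sequence number."""
    if not 0 <= epoch16 < 1 << 16 or not 0 <= seq48 < 1 << 48:
        raise ValueError("epoch or sequence number out of range for this form")
    return _pad_and_xor(epoch16.to_bytes(2, "big") + seq48.to_bytes(6, "big"), write_iv)


def dtls13_nonce(write_iv: bytes, seq64: int) -> bytes:
    """RFC 9147: the 64-bit sequence_number alone; the epoch is not included.
    Identical to the TLS 1.3 construction."""
    return tls13_nonce(write_iv, seq64)


def record_number_fits_nonce(write_iv: bytes, epoch64: int, seq64: int) -> bool:
    """Try the reading Marco and Andy ask about: the full 128-bit record number
    (64-bit epoch || 64-bit sequence_number) as the AEAD sequence number."""
    try:
        _pad_and_xor(epoch64.to_bytes(8, "big") + seq64.to_bytes(8, "big"), write_iv)
        return True
    except ValueError:
        return False


def unified_header(epoch: int, seq64: int, length: int, *, seq16: bool = True,
                   cid: bytes = b"", include_length: bool = True) -> bytes:
    """DTLSCiphertext unified header before record-number encryption.

    This header is the AEAD additional data.  Only the low two bits of the
    epoch (E E) and the low 8 or 16 bits of the sequence number appear in it.
    """
    first = 0x20                            # fixed bits 0 0 1
    first |= 0x10 if cid else 0             # C: connection ID present
    first |= 0x08 if seq16 else 0           # S: 16-bit sequence number field
    first |= 0x04 if include_length else 0  # L: length field present
    first |= epoch & 0x03                   # E E: low two bits of the epoch
    seq_field = ((seq64 & 0xFFFF).to_bytes(2, "big") if seq16
                 else (seq64 & 0xFF).to_bytes(1, "big"))
    header = bytes([first]) + cid + seq_field
    if include_length:
        header += length.to_bytes(2, "big")
    return header


def aead_inputs(write_iv: bytes, epoch: int, seq64: int, ciphertext_len: int):
    """(nonce, additional_data) for one protected DTLS 1.3 record."""
    return dtls13_nonce(write_iv, seq64), unified_header(epoch, seq64, ciphertext_len)


if __name__ == "__main__":
    iv = SAMPLE_WRITE_IV
    print("TLS 1.3  seq=1        :", tls13_nonce(iv, 1).hex())
    print("draft    epoch=1 seq=0:", dtls13_draft_nonce(iv, 1, 0).hex())
    print("RFC 9147 seq=1        :", dtls13_nonce(iv, 1).hex())
    print("128-bit record number fits 12-octet nonce:", record_number_fits_nonce(iv, 1, 1))
    # Epochs 1 and 5 share the low two bits, so nonce and AAD coincide;
    # the records are told apart only by the per-epoch traffic keys.
    print("epoch 1 vs 5 identical AEAD inputs:",
          aead_inputs(iv, 1, 7, 10) == aead_inputs(iv, 5, 7, 10))
```

Running it shows the point both replies make: with a 12-octet IV the 128-bit record number cannot be padded to iv_length at all, while the 64-bit sequence_number alone yields exactly the TLS 1.3 nonce. It also shows what Andy's question is getting at: two epochs that agree in their low two bits (1 and 5 here) produce identical nonce and additional data for the same sequence number, so the upper epoch bits play no part in the AEAD computation and a receiver must pick the right epoch's traffic keys from the two header bits plus its own epoch state.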
