Re: [TLS] Choice of Additional Data Computation

chris - <chrispatton@gmail.com> Sat, 25 April 2020 17:58 UTC

Return-Path: <chrispatton@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B0983A0FCB for <tls@ietfa.amsl.com>; Sat, 25 Apr 2020 10:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id foLJ26cUQp-b for <tls@ietfa.amsl.com>; Sat, 25 Apr 2020 10:58:42 -0700 (PDT)
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18F013A0FCA for <tls@ietf.org>; Sat, 25 Apr 2020 10:58:42 -0700 (PDT)
Received: by mail-ot1-x332.google.com with SMTP id m18so18524697otq.9 for <tls@ietf.org>; Sat, 25 Apr 2020 10:58:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=p/kWuVRf3zldESSResazLHIR05HopKEgp2z8hY/N3sg=; b=qpjXucK3IAc36IFmaBp5dfnR7Fox2SDVnFrTbeywNzokcu4Z5ugwQL3ayr8l/KjQR3 U1RbFyR3aT6Pi3LQXXvBy6uG4S8UYM6Q29FRu0+r9Ky/Tynd14hbZLSvah2xyH3hqfmc u9cgqbTiOJYJGRqH02BYnrdkizko35cHnJv3dkPtJHhwt2aGqK2vq3ouKsBEURsadaFi +9adRCfh5AvBoZ2ml8K06La+upK4QI6mE77+XMPGLt3/kaVo2xlFulWOksceiezdYlv8 RS4P6fiK7moolJmrsos50hiZ7PmIJBwz2XKw2DxW2pffD4UUYkG3VLq+bJdhQtIoLtIZ afeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=p/kWuVRf3zldESSResazLHIR05HopKEgp2z8hY/N3sg=; b=KcrSYBXFJ+Z9xMrgOl3l37Bz5ym+avJkN8Y1k1ScDTtQj4oFrzhhmjFxjjK8ngvFUl mQC82DFUNGQHlYXpPbKE6Z62mOnJyhj4PA4gF2Q0T6BZ5aEZGqItUjPMmBEW7Qcc0K6S kbZujEFnO1C37h7ONYFwmVAKmyfpyIfgsvkKdsnVx+FqJft2UJT7u7zuWQNzLsiph7oU clB5+OMPG/2IC7znHJ7QIsFk+VjMsGScwzhF7t9A7P3cRZ9jKhI0UfDpJThv3IF1SRJB 6e2fzWLq/vQGOnKpfSegJLfZm7fuUZLSCNKh6KPgBzDWokPE7I4QWhZENQTTIok7RtmZ pu5g==
X-Gm-Message-State: AGi0Pubo5BS6jjBjdqycfB1/YvDs9aHhUKwEbCvqBznL1Uc6q2BVmy+W jY6F08nfSfInoXYp7IXh3l5L6dqwLoD9AUCHyUs=
X-Google-Smtp-Source: APiQypIxUHOHZP//TB8C8cmaMzdQOI7B1AFReaeVAkyCRnA2NVI2cpjL9dcTDovWguRG3Ck47vH19LkLUDkEWzSlMvE=
X-Received: by 2002:aca:57d6:: with SMTP id l205mr10617617oib.20.1587837521123; Sat, 25 Apr 2020 10:58:41 -0700 (PDT)
MIME-Version: 1.0
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com> <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBOwK7m465LsbY3U+bHv0XA2rcGOTEBStTtTNkwAYvWeQA@mail.gmail.com> <CACLV2m5Md2+Ffc978ZJ+BeZwRgcXTV3xE0vXzmvNgnot_c71xQ@mail.gmail.com> <AM6PR08MB331862B6F143652F4B4C10EE9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBMKoVrcN-=aTvy6py5bhOwOVrhgVLmtX2tthc=Oa54b_Q@mail.gmail.com> <CACLV2m7knyt-gQoQq2v1Kz-J62DPjCpb6faJFfDgJ-8mprHwxQ@mail.gmail.com> <CABcZeBMwQHdRuvcs5pmE59SCUj=cwWCtrBhyh9w_L0U1ZDoJ8Q@mail.gmail.com> <AM6PR08MB3318AFD0C1FC4011ED2A81919BD00@AM6PR08MB3318.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB3318AFD0C1FC4011ED2A81919BD00@AM6PR08MB3318.eurprd08.prod.outlook.com>
From: chris - <chrispatton@gmail.com>
Date: Sat, 25 Apr 2020 13:58:29 -0400
Message-ID: <CACLV2m7P-=ztPLt+eZjEpcZW=TbNj4wU6hOywhAyMx5ZRrahUw@mail.gmail.com>
To: Hanno Becker <Hanno.Becker@arm.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000685e7e05a4213b0b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BIh0ZeHyKHn9E2IxmwZoqXWiw5U>
Subject: Re: [TLS] Choice of Additional Data Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Apr 2020 17:58:45 -0000

> So far I fail to understand, on an intuitive level, why it easier to
> analyze the protocol when the AAD can take multiple forms potentially
> truncating or omitting the underlying data, but then I don't know the
> details and you're the expert here. If you have time though to explain a
> bit more where the flaw in my thinking below is, that would be great,
> provided it's possible.
>

I don't know that there's a flaw in your thinking. At the moment, all that
I can speak to is how authenticating the header (or not) might impact
security of DTLS. We can't directly extrapolate from what we know about
TLS, because the security goal is not to the same. That said what I know
about TLS is the following: the contents of the record header doesn't
matter for security goal considered in [1], as long as (1) the header is
authenticated; and (2) it correctly encodes the length of the next
ciphertext. But since the security goal of DTLS is not the same, the
details of the spec that are (ir)relevant to security are likely to differ.



> For example, another thing which I would expect to be more complicated to
> verify in full rigor is epoch authentication: If the epoch is reduced to
> its two low order bits in the DTLS 1.3 header and thus (at the moment) also
> in the AAD, arguing that decryption can only succeed for the correctly
> expanded epoch involves knowing that all epochs having different keys.
> That's of course true but this fact wouldn't be needed if the full numeric
> epoch was always explicitly authenticated in the AAD. This isn't a real
> issue in the end, but I would expect it to be a nuisance in a formal proof?
>
In terms of what you mentioned regarding decoding details, it seems that
> adding the underlying logical header to the AAD ensures more directly that
> decryption can only succeed if header decoding (that is, filling in
> implicit data or expanding truncated data) was done correctly, whereas it
> is less clear with the truncated or omitted data in AAD, as in the epoch
> example above. Is it possible to explain what the flaw is here intuitively?
>

I'm afraid I would need to absorb spec and think about its intended
security properties in order to answer these specific questions. I'm sorry
if this answer is unhelpful; Ekr asked that I chime due to my prior work on
TLS. But I don't think there's a simple answer here, and unfortunately I
don't have the time to think it through at the moment.

For now, I'll just leave you with this. I'm a fan of the following design
principle: whenever there is a branch in your code that depends on a bit
read from the wire, that bit should be authenticated if possible. To your
example, if a decision you're about to make depends on you agreeing with
the peer on the current epoch, the principle says that the epoch had better
be authenticated. Whether it's necessary or appropriate to do so here (via
AEAD decryption) depends very much on the context, i.e., the protocol
details and the security goal.


Chris P.