Re: [TLS] DTLS ChaCha20 header protection

David Benjamin <davidben@chromium.org> Thu, 07 November 2019 01:20 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55210120121 for <tls@ietfa.amsl.com>; Wed, 6 Nov 2019 17:20:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.249
X-Spam-Level:
X-Spam-Status: No, score=-9.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xlbc3vRaDXZr for <tls@ietfa.amsl.com>; Wed, 6 Nov 2019 17:20:12 -0800 (PST)
Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5EE3120801 for <tls@ietf.org>; Wed, 6 Nov 2019 17:20:12 -0800 (PST)
Received: by mail-pf1-x42b.google.com with SMTP id n13so916770pff.1 for <tls@ietf.org>; Wed, 06 Nov 2019 17:20:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Dt4UgWcKJNJXRxMvBX2EFiqhkxDOoDoRRyEY7UPFsx4=; b=TAy1TvM1/h5s0d+V/icixJp/39bMLn8CxG5oK5WGr4KdRuk0PTf9Fzqsbsh5AhAGA3 2AAp/EVcz+WZRzifSvnVMhB8F6TYWjAnDEQhUHExE7tSfXhXxhIOIZW+Kn6FYbgdKLVL mNoNWpBkTRbDp1noXtxojuEd+QX577LN4eldQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Dt4UgWcKJNJXRxMvBX2EFiqhkxDOoDoRRyEY7UPFsx4=; b=XP9sG2wyG87JkPlevtzUauzGUCbCWHlZZbcshuJl0oUJjvmo/X12/ltAX0vfmqqP/n 7dX5EHTET9Qkgd9xzdH49sGjn9Lcg4LafG/wpurWXxS/JwpPGMZWx/CU9i4mCDEmVHRG 0hAIxphMu8oE0FORzShV99kc9R/z17BR9ZSICLRFSa6MOJpIJmlBEVILpyeI1PGr9sIq U5iRkHeQ+noAkvYoomC2slsQhgXrnA9JRrw0wk2NDgFaNLyPZkX+MOethBLyHqueLfo7 H3lSjgmJjA+jbwx/UcLRXxT2QkmTM5XEumQfSZ1wI50AwgzgAM6xtwGWr95B/VCDM0Gy BGwA==
X-Gm-Message-State: APjAAAV+/lFeA8wVWu0cLeBKr55L91c9PJ7/BldGPntJyLmWPfVW+QMl QXuio/IlpnrAZTU6PD98v8zZ4xCczg57nQifsPyM
X-Google-Smtp-Source: APXvYqzS/zOnv0N9Qg27cF7Tjtjl5kvS8lpj8uozY6yAfvVCUf7fe2L6XHSx9imK/jBTzcChPR8UoY+gCkOBoudgiLg=
X-Received: by 2002:a62:830a:: with SMTP id h10mr497835pfe.6.1573089611995; Wed, 06 Nov 2019 17:20:11 -0800 (PST)
MIME-Version: 1.0
References: <a647e348-f48d-4d54-95c0-0827e585a494@www.fastmail.com>
In-Reply-To: <a647e348-f48d-4d54-95c0-0827e585a494@www.fastmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 6 Nov 2019 20:19:56 -0500
Message-ID: <CAF8qwaB1Ua70CmUMgW4p5Fi31V6tpnHsNiM0+A37YpC96HokmA@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000865f900596b777cb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/C0l3sLyKMMUy9JeRRCpW5soWkdU>
Subject: Re: [TLS] DTLS ChaCha20 header protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2019 01:20:15 -0000

I believe DTLS is wrong. ChaCha20 is little-endian with the counter going
first and the nonce afterwards. See also RFC 8439, section 2.3, where the
block count is placed before the nonce.
https://tools.ietf.org/html/rfc8439#section-2.3

(Well, "wrong". Both are perfectly well-defined, but the DTLS construction
results in swapping parts of the sample, which is silly.)

On Wed, Nov 6, 2019 at 7:09 PM Martin Thomson <mt@lowentropy.net>; wrote:

> It was pointed out to me that the header protection in QUIC and DTLS 1.3
> are different in a non-useful way:
>
> https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#hp-chacha says
> that the first 4 bytes of the sample are the counter, i.e., `counter[4] ||
> nonce[12]`.  DTLS 1.3 says that the last four are, i.e., `nonce[12] ||
> counter[4]`.
>
> This seems like a pointless difference that will only cause pain.  I
> suspect that the right answer is that QUIC is wrong here, but I want to
> highlight this issue and want to ensure that this doesn't get baked in
> before we resolve it.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>