IETF Logo Mail Archive

Re: [TLS] DTLS 1.3 AEAD additional data

Eric Rescorla <ekr@rtfm.com> Wed, 22 April 2020 01:24 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F22AC3A090D for <tls@ietfa.amsl.com>; Tue, 21 Apr 2020 18:24:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gGxmm4_2CsbA for <tls@ietfa.amsl.com>; Tue, 21 Apr 2020 18:24:19 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 992333A08B6 for <tls@ietf.org>; Tue, 21 Apr 2020 18:24:00 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id g10so248022lfj.13 for <tls@ietf.org>; Tue, 21 Apr 2020 18:24:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+DhhP9q9QYeaGLrknaVHSgHDP2eowXK+D5jRMH7A8dw=; b=q8d5vPuz/F/keXcfZD4plP9/m9lAUGehhsZVsxPe/BnfNErfH0Tij99HManizssAGk sEnLI3cTtoZWseuo3oCkyLpJosJJsm9oRg5wVOn63ze6czoQGLG/P2CZCCg62ai2grsT Xz4y09L2OczEuN9Z9bCcXazKk8op1qrNouEocWJhqvX0a3A3MxRzKG14uJHzWGpyvFV+ T+SGLZr8NfMzIUVNUJYjc4N8o/z1gjhlatxCIdOkXnmSxUPixVe7U58ntTnaKwInfjI8 vZ/I73ybfAdeDXkSO6Wj7mvmbeYk5s3NWSmOawDgAZnM7TUBUAT3xdWhHFBVb6lNB1i3 FRAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+DhhP9q9QYeaGLrknaVHSgHDP2eowXK+D5jRMH7A8dw=; b=R/GXo8QmSSz5hfHXnOUbOm5eGGfxVgDr0Ast3V73HUr4LHQ+CYvNgLq09aEzPfSWH0 blqmDOsi+EnhNg2eoxtWc6j8SwmWQwopKl7nGzL+Z13jvMT6vYE1E/WgaWqxZJjb5kqN IiYcVykPxPn1mHMaZAIpFtnTSw/C2VnNxNpUPnf/doZlaHpw3QI9Gi8kYQD6mniRPdjS rQLjzSA6plLQRm0noPZl+lFX9MwqjcNRTGPOj1Yd9cc69y3DSC1XR2ePgytMyfW4MSY2 w9kZUJjhlq8PjJA77/1v8605H4WmeSZt+2yxFfjkIEw7eSxzlFgnB6kOJP9QhIJMWc7B XCvA==
X-Gm-Message-State: AGi0PuaLOhudWmkV+e0xs/NDbEZQ1KcdwP0bMlD2mlKcZtbCphjZXESc 2LFL4TjMqoOuzMaebWckMdzmrGFc1Ibm5kUHwRF5w8LmP2qvuQ==
X-Google-Smtp-Source: APiQypLyYSom7j+d2xcoqpTQO/RhwL7VxIQvMA4gafnnSe6KZln3i/5nsQOR+EE0yDJAa43bhJ9C9c3hgxR1s9zgRx8=
X-Received: by 2002:a19:40d0:: with SMTP id n199mr15455342lfa.161.1587518638738; Tue, 21 Apr 2020 18:23:58 -0700 (PDT)
MIME-Version: 1.0
References: <AM6PR08MB3318911C71C0DDB90480694A9BD50@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBMs+o4BU5VhqJKmQvnkEe9RkQXRv7Ej6pVD1-e1vdMoyA@mail.gmail.com>
In-Reply-To: <CABcZeBMs+o4BU5VhqJKmQvnkEe9RkQXRv7Ej6pVD1-e1vdMoyA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 21 Apr 2020 18:23:22 -0700
Message-ID: <CABcZeBM9Ri=Rz5kbWn08Vk-Y14MVSALwB1Bd9QV=HfWoq3XqSA@mail.gmail.com>
To: Hanno Becker <Hanno.Becker@arm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000089632505a3d6fcdf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CoNKcRfC9gxJDxS4QvycFK_POKg>
Subject: Re: [TLS] DTLS 1.3 AEAD additional data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 01:24:21 -0000

I think there are two potential resolutions to your CID issue:

1. Cryptographically protect it as in
https://github.com/tlswg/dtls13-spec/pull/143
2. Forbid implicit CIDs (my preference) see:
https://github.com/tlswg/dtls13-spec/issues/144

Would like to hear what others in the WG think.

-Ekr


On Tue, Apr 21, 2020 at 10:59 AM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Tue, Apr 21, 2020 at 8:39 AM Hanno Becker <Hanno.Becker@arm.com> wrote:
>
>> Hi all,
>>
>> To my understanding, DTLS 1.3 defines AEAD additional data for record
>> protection
>> as the record header as seen on the wire. Quoting Draft 37, Section 4:
>>
>> ```
>>    The entire header value shown in Figure 4 (but prior to record number
>>    encryption) is used as as the additional data value for the AEAD
>>    function.  For instance, if the minimal variant is used, the AAD is 2
>>    octets long.  Note that this design is different from the additional
>>    data calculation for DTLS 1.2 and for DTLS 1.2 with Connection ID.
>> ```
>>
>> I would like to suggest that DTLS 1.3 uses a structured representation
>> of the record header instead, as do all other versions of [D]TLS as
>> far as I understand.
>>
>
> I am not in favor of this change as proposed. I think it is better to
> protect the data that is actually on the wire than to allow for changes in
> the on-the-wire representation that are not reflected in the integrity
> check.
>
>
> The reasons for this are as follows, in decreasing order of
>> my perception of importance:
>>
>> - Omission of Connection ID
>>
>>   Regarding the presence of Connection IDs in multiple records within
>>   a single datagram, Draft 37 says:
>>
>> ```
>>    Implementations which send multiple records in the same datagram
>>    SHOULD omit the connection id from all but the first record;
>>    receiving implementations MUST assume that any subsequent records
>>    without connection IDs belong to the same assocatiation.
>> ```
>>
>>   This means that the Connection ID for non-initial records in a
>>   datagram containing multiple records is _not_ part of the AEAD
>>   additional data for those records, which seems wrong. Concretely,
>>   one could inject such non-initial records into other datagrams
>>   using different CIDs, and the record protection wouldn't notice it.
>>
>
> This seems like a reasonable point, though it's not clear to me that there
> is an actual problem here. I'd be in favor of explicitly including the CID
> in the AD as well as the header.
>
>>
>>
>>   One might argue that CID shouldn't be part of the AEAD in the first
>>   place, but in any case, I believe the treatment should be uniform
>>   and not distinguish between initial and non-initial records in
>>   a datagram.
>>
>
> We're not distinguishing it. The AD is protecting the record on the wire.
>
>
> - Modularity
>>
>>   Decoupling the wire-presentation of the record header from
>>   record protection allows to implement record protection and
>>   the choice of record header independently: One piece of
>>   the implementation can take care of record protection -
>>   using the structured presentation of the record header - while
>>   another takes care of the wire-encoding. It is even possible
>>   to change the record header format in transit.
>>
>
> This seems like a defect, not a feature.
>
>
> - Simplicity
>>
>>   At first it seems that using the record header as an
>>   unstructured binary blob for AEAD makes things simpler,
>>   but I don't think this is the case: Prior to record
>>   decryption, the record sequence number needs to be
>>   decrypted, and for that purpose, the record header already
>>   has to be parsed. Hence, at the time of record decryption,
>>   the record header is already be present a modified, structured
>>   form, and retaining the corresponding modified binary form
>>   appears to create additional complexity which would be
>>   avoided if record protection would use the structured
>>   header presentation.
>>
>
> I've implemented this for QUIC (I can't remember who at Mozilla did it for
> DTLS) and it's not particularly difficult.
>
>
> - Uniformity with other [D]TLS versions
>>
>
> I don't find this argument at all persuasive. To the contrary: we should
> break with  DTLS 1.2 in any case where it's an improvement and not too
> onerous.
>
> -Ekr
>
>
>>
>>
>> Let me know what you think,
>>
>> Best,
>> Hanno
>>
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose the
>> contents to any other person, use it for any purpose, or store or copy the
>> information in any medium. Thank you.
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>

v2.23.0 | Report a Bug | By Email