IETF Logo Mail Archive

Re: [TLS] Late DLS 1.3 issue

Martin Thomson <mt@lowentropy.net> Wed, 06 October 2021 01:35 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C09353A0FC7 for <tls@ietfa.amsl.com>; Tue, 5 Oct 2021 18:35:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=UsY1At21; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=e6XwMTnM
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cDOPFnXfbuxQ for <tls@ietfa.amsl.com>; Tue, 5 Oct 2021 18:35:47 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EF5E3A0FC6 for <tls@ietf.org>; Tue, 5 Oct 2021 18:35:47 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 04C983201D40 for <tls@ietf.org>; Tue, 5 Oct 2021 21:35:45 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute5.internal (MEProxy); Tue, 05 Oct 2021 21:35:46 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=uPa11mnXbB9/Tio1MSsRK+n63G6xquS lM6u+dkt9arc=; b=UsY1At210awQ9L/NVWYzFQoK10m6yxyAjmDzeg7AmFf5BHX v1aE4Shq67CEnJrYXIE33ppshr9oJwg8bjq/YL53i0atz2cfcpIa4PVyNFBF81S1 LLPpgYVMnS/M4HAVgrXrbvO1ciK20nXJDnxjthk4eYveLYCTAwDTPI1UARVdtSLa /BIuhJXPpreNYaLK4zrSdFRugNtKMlpX0VMlrcYg4EypsS+xtog3oOB8bAN2R4XC eNOSE2y5nb9Mo96SoAC58CUpT45c8nOgbN32K/ldvwb0xexpAfolfTSeWDcjtoX/ /jrFApj0H8UrxGD6d0+bkx7FUn/asmfLh76mzWA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=uPa11m nXbB9/Tio1MSsRK+n63G6xquSlM6u+dkt9arc=; b=e6XwMTnMqUhp+e6UASdGha nMh32T6u8rmAeZo1hAqpjAus58RNnK0CMwYvWzuRhN/zyI7k4N1/V8wkjU47p1B8 q/ToBW9ooP5uAQ4oihHVYfiySW3x1IShAniDoXbXUxhvUEekTyrHJt0joYw/zofH rjU0GXTbCImwHfGjwOKM4SAhNRlQm/oM/vCnaoAjDzXWRQFMCXUnQOJLshwthM0i TJ4zFyGb5kYf0SnmaOzef2buL6Vfnf//9w0GFD3YGnkBOchhf4jHYQiTER3N2Ra2 jcgFIUdg4jM2Fdk3POO7zO/KNCkBr8n3y/Z6+ivvII/+2UpYU0UCQ5lsMxJQS+AQ ==
X-ME-Sender: <xms:cf1cYe0coFlE9CyKZJX58KDdfZ7lLwXCQzW-htw8BLE7umFNC0X-Qw> <xme:cf1cYRFbm3scGexQvGC6Is6e_IPV3-gVh0oj1B651BnnSF0n6c7ZNFXQec-mPoGXr -in4WN9D6uSQj0dsdU>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudelhedggeehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeffveekgeetvdeuvedtve evtdeuleegveejhfehgfetffeiiefgveefleffteeuleenucffohhmrghinhepghhithhh uhgsrdgtohhmpdhivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrh grmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:cf1cYW5kA97zLu9E9LCJfSX-G7S4kFbysbGeIL2vRo9L5j7PC22tPA> <xmx:cf1cYf0C-NF8k8pWUZabZa3XtERG4lfmItltaNCLXQyviD8ihSyoFQ> <xmx:cf1cYRFYyJzJ27yWUVgM-dp2TW6UGovBJOCZoHSiS5191kgvT9Atgg> <xmx:cf1cYVRYLO3aTwaibjl4VCzG21sF4L5HEt5Vws5dBEzCuW05DucZyA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 6C8803C0246; Tue, 5 Oct 2021 21:35:45 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-1331-g5ae342296a-fm-20211005.001-g5ae34229
Mime-Version: 1.0
Message-Id: <2dc51976-ee00-449c-b954-23b53d3607b7@www.fastmail.com>
In-Reply-To: <3e98642a-a232-471f-aacc-2f7a723be320@www.fastmail.com>
References: <3e98642a-a232-471f-aacc-2f7a723be320@www.fastmail.com>
Date: Wed, 06 Oct 2021 12:34:50 +1100
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/E3QWDEwunm6fCWji7oB6Gyu3F9M>
Subject: Re: [TLS] Late DLS 1.3 issue
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 01:35:53 -0000

I left a comment, but I don't think that the fix, as it is specifically proposed, works.

The general shape of the proposal seems credible.  A larger epoch space, of which we only send the least-significant bits, would seem to address the concern.  But the proposal doesn't specify what to do with the per-record nonce.

If we go with a 48-bit epoch we get a few more records (2^32 times as many I suppose), which is probably enough.  And the value would fit in the per-record nonce.  Then you just need a bunch more text that explains how to encode that nonce.

A 64-bit epoch doesn't fit in any nonce we currently use.  We could truncate, which would need more analysis (my intuition is that it would be OK, but I'd like more than a gut feeling).  We might use the expanded nonce options that some (not all) AEAD ciphers have, but that would be a very bad idea.

Anyhow, this is all independent of how annoying this will be to implement.  This change is likely to be VERY disruptive to our implementation.  From memory, we have exposed an epoch size through interfaces that we can't change.  Has anyone looked at making the proposed changes in a serious implementation?

On Wed, Oct 6, 2021, at 10:14, Christopher Wood wrote:
> Hi folks,
>
> There's one late breaking issue we need to resolve for DTLS 1.3 before 
> it proceeds to publication:
>
>    https://github.com/tlswg/dtls13-spec/issues/249
>
> Based on discussions with some people involved in the security analysis 
> of TLS 1.3, a proposed fix is here:
>
>    https://github.com/tlswg/dtls13-spec/pull/255
>
> We'd like to merge this to resolve the issue and continue forward 
> progress. To that end, please review the issue and change and indicate 
> whether or not it is workable for you. Barring objections, we'll merge 
> the PR on Friday, October 15. 
>
> Best,
> Chris, for the chairs
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email