Re: [TLS] Choice of Additional Data Computation

Hanno Becker <Hanno.Becker@arm.com> Fri, 24 April 2020 18:17 UTC

From: Hanno Becker <Hanno.Becker@arm.com>
To: chris - <chrispatton@gmail.com>, Eric Rescorla <ekr@rtfm.com>
CC: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Choice of Additional Data Computation
Thread-Index: AdYaKASVCp3JPFQuSaOSMkwtz/VZZwAEUEsAAAN7oaAAAnFQAAAASY9CAAFcJQAAAoyFgAAAY+d9
Date: Fri, 24 Apr 2020 18:17:33 +0000
Message-ID: <AM6PR08MB331862B6F143652F4B4C10EE9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com>
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com> <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBOwK7m465LsbY3U+bHv0XA2rcGOTEBStTtTNkwAYvWeQA@mail.gmail.com>, <CACLV2m5Md2+Ffc978ZJ+BeZwRgcXTV3xE0vXzmvNgnot_c71xQ@mail.gmail.com>
In-Reply-To: <CACLV2m5Md2+Ffc978ZJ+BeZwRgcXTV3xE0vXzmvNgnot_c71xQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Fse34Tbi7rYMgh12Sl3pl4WD4FE>

Hi Chris and Ekr,

> I'm not sure if it's straightforward, but I would note that in TLS 1.3, we did *implicitly* authenticate the length because AEAD provides that, but nevertheless one of Chris's recommendations was to include it in the AAD.

I don't know if this recommendation still holds for DTLS (though Chris' last reply sounds
like it), but DTLS 1.3 currently deviates from it: The length is explicitly authenticated only
for records using header formats which contain the length, while for the most compressed header
form omitting the length one relies on implicit length authentication via AEAD.

> In the case of TLS 1.3, authenticating the entire header (including the length, opaque type, and legacy record version) allowed us to effectively ignore most of the header details in the security proof [1]:

If the security analysis shall be agnostic of header details, then in the case of
DTLS 1.3 with its various header formats (https://tools.ietf.org/html/draft-ietf-tls-dtls13-37#section-4)
it sounds to me as if using a pseudo-header containing all header information for AAD would fit better (?).

Best,
Hanno

________________________________
From: chris - <chrispatton@gmail.com>
Sent: Friday, April 24, 2020 6:57 PM
To: Eric Rescorla <ekr@rtfm.com>
Cc: Hanno Becker <Hanno.Becker@arm.com>; Hannes Tschofenig <Hannes.Tschofenig@arm.com>; tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Choice of Additional Data Computation

> It doesn't seem straightforward to extrapolate from that case since the 'pseudo-header'
> and on-the-wire header are the same here, as TLS 1.3 doesn't have any header
> data which is shortened or omitted on the wire. In DTLS 1.3, in contrast, various
> fields can be dropped or shortened, such as the length, sequence number, CID.

It's certainly true that we can't extrapolate the security of DTLS from the existing proof for TLS. In the first place, the threat model is different because in DTLS we need to tolerate dropped/out-of-order packets. Nevertheless, I think the general principle of "authenticate all the bits" is the right way to go here, unless there's a compelling reason not to.

In the case of TLS 1.3, authenticating the entire header (including the length, opaque type, and legacy record version) allowed us to effectively ignore most of the header details in the security proof [1]: all we cared about is that the header correctly encodes the length of the next ciphertext to decrypt. We might be able to provide a similar argument for DTLS 1.3. In particular, I'm betting that it doesn't matter what the contents of the header are or how long it is, so long as (a) the entire header is part of the AAD and (b) it correctly encodes the length of the next ciphertext.

I might be missing something, however. In any case, new definitions are needed (if they don't already exist) and so too a fresh proof.

Chris P.

[1] https://eprint.iacr.org/2018/634.pdf

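Added example, not from this thread and not taken from any DTLS implementation: a toy Go model of the two AAD choices being discussed, built on AES-GCM from the Go standard library. It follows the unified-header layout of section 4 of the draft only loosely, and everything not in the draft is an assumption of the example: the epoch is fixed at 0, no CID is carried, the sequence number is always sent as 16 bits, only the L bit (16-bit length field present or not) varies, and the key, IV, nonce construction and the way the receiver restores the omitted upper sequence bits from the number it expects next are all simplifications. Seal and Open take a flag selecting, as the AAD, either the header bytes exactly as they appear on the wire or a pseudo-header carrying every field at full width. TruncatedRecordRejected exercises the implicit length authentication Hanno's message describes: with the L bit clear no length is on the wire or in the AAD, yet a ciphertext cut short at the datagram boundary is still rejected because the AEAD tag covers all of it. SeqMismatchRejected shows the same implicit/explicit split for the truncated sequence number: the omitted upper bits are authenticated only through the nonce with the wire header as AAD, and through the AAD as well with the pseudo-header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Constructed AES-128 key and IV; real ones are derived from the handshake secrets.
var (
	testKey = []byte("0123456789abcdef")
	testIV  = []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}
	aead    = func() cipher.AEAD { // neither call can fail for a 16-byte AES key
		b, _ := aes.NewCipher(testKey)
		g, _ := cipher.NewGCM(b)
		return g
	}()
)

// Record is the sender's full view of the header. For brevity the epoch is 0, no CID is
// used and the sequence number is always sent as 16 bits: flag byte 0 0 1 0 1 L 0 0.
type Record struct {
	SeqNum  uint64 // 48-bit record sequence number; only the low 16 bits are sent
	WithLen bool   // L bit: a 16-bit length field is sent
}

// wireHeader encodes the header as sent: flags, 16-bit seq, optional 16-bit length.
func wireHeader(r Record, ctLen int) []byte {
	h := []byte{0x28, byte(r.SeqNum >> 8), byte(r.SeqNum)}
	if r.WithLen {
		h[0] |= 0x04
		h = append(h, byte(ctLen>>8), byte(ctLen))
	}
	return h
}

// pseudoHeader encodes the same record with nothing truncated or omitted:
// flags, full 48-bit sequence number, 16-bit length.
func pseudoHeader(r Record, ctLen int) []byte {
	h := []byte{wireHeader(r, ctLen)[0]}
	for shift := 40; shift >= 0; shift -= 8 {
		h = append(h, byte(r.SeqNum>>uint(shift)))
	}
	return append(h, byte(ctLen>>8), byte(ctLen))
}

// aad is the additional data: the pseudo-header, or the header bytes as they appear
// on the wire (what was sent, or on receipt what actually arrived).
func aad(hdr []byte, r Record, ctLen int, pseudo bool) []byte {
	if pseudo {
		return pseudoHeader(r, ctLen)
	}
	return hdr
}

// nonce XORs the 64-bit record number (epoch 0 || 48-bit seq) into the low eight
// bytes of the IV, as in the TLS 1.3 per-record nonce construction.
func nonce(r Record) []byte {
	n := append([]byte(nil), testIV...)
	for i := 0; i < 8; i++ {
		n[4+i] ^= byte(r.SeqNum >> uint(56-8*i))
	}
	return n
}

// Seal protects one record and returns the datagram: header || ciphertext || tag.
func Seal(r Record, pseudo bool, pt []byte) []byte {
	ctLen := len(pt) + aead.Overhead()
	hdr := wireHeader(r, ctLen)
	return aead.Seal(append([]byte(nil), hdr...), nonce(r), pt, aad(hdr, r, ctLen, pseudo))
}

// Open expands the received header into a full Record (the omitted upper sequence
// bits come from nextSeq, a simplified reconstruction), rebuilds the AAD the way the
// sender formed it and authenticates. With L clear the ciphertext runs to the
// datagram end, so its length is never in the AAD and only the tag covers it.
func Open(nextSeq uint64, pseudo bool, d []byte) ([]byte, error) {
	if len(d) < 3 || d[0]&0xFB != 0x28 {
		return nil, errors.New("malformed header")
	}
	r := Record{SeqNum: nextSeq&^0xFFFF | uint64(d[1])<<8 | uint64(d[2]), WithLen: d[0]&0x04 != 0}
	hdrLen, ctLen := 3, len(d)-3
	if r.WithLen {
		hdrLen = 5
		if len(d) >= 5 {
			ctLen = int(d[3])<<8 | int(d[4])
		}
	}
	if len(d) < hdrLen+ctLen {
		return nil, errors.New("truncated record")
	}
	hdr, ct := d[:hdrLen], d[hdrLen:hdrLen+ctLen]
	return aead.Open(nil, nonce(r), ct, aad(hdr, r, ctLen, pseudo)) // error on tag mismatch
}

// TruncatedRecordRejected shows implicit length authentication: with L clear no length
// is on the wire or in the AAD, yet a ciphertext cut short at the datagram boundary
// is still rejected because the tag covers all of it.
func TruncatedRecordRejected(pseudo bool) bool {
	r := Record{SeqNum: 0x0001020304} // constructed; L bit clear
	d := Seal(r, pseudo, []byte("application data"))
	if pt, err := Open(r.SeqNum, pseudo, d); err != nil || string(pt) != "application data" {
		return false // the intact record must open first
	}
	_, err := Open(r.SeqNum, pseudo, d[:len(d)-1])
	return err != nil
}

// SeqMismatchRejected shows the same split for the omitted upper sequence bits: a
// receiver expecting a number 0x10000 away reads identical header bytes but derives a
// different nonce (and, with the pseudo-header, a different AAD), so both modes fail.
func SeqMismatchRejected(pseudo bool) bool {
	r := Record{SeqNum: 0x0001020304, WithLen: true}
	d := Seal(r, pseudo, []byte("hello"))
	_, err := Open(r.SeqNum+0x10000, pseudo, d)
	return err != nil
}
```

Both checks return true for either AAD choice, which is the point: the AEAD tag already binds the ciphertext length and the nonce already binds the full record number, so putting them in the AAD changes what the proof may take for granted rather than what an attacker can do to a single record. One difference the code does make visible is in aad(): with the wire header the receiver authenticates the bytes it actually received, with the pseudo-header it authenticates its own reading of them, so any alternative encoding that parsed to the same fields would pass the second but not the first.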