[TLS] DTLS ChaCha20 header protection

"Martin Thomson" <mt@lowentropy.net> Thu, 07 November 2019 00:09 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HFx-IFbAT1EIruoMEHH6MQhzGeQ>

It was pointed out to me that the header protection in QUIC and DTLS 1.3 are different in a non-useful way:

https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#hp-chacha says that the first 4 bytes of the sample are the counter, i.e., `counter[4] || nonce[12]`.  DTLS 1.3 says that the last four are, i.e., `nonce[12] || counter[4]`.

This seems like a pointless difference that will only cause pain.  I suspect that the right answer is that QUIC is wrong here, but I want to highlight this issue and want to ensure that this doesn't get baked in before we resolve it.
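
The two sample layouts described in the message above, as an added example that is not part of the original message or of either specification's text: a pure-Python ChaCha20 block function (RFC 8439) and a hypothetical `hp_mask` helper that splits the 16-byte sample either way. Reading the counter as little-endian in the DTLS-style layout and taking 5 mask bytes are assumptions; the key and sample are constructed values.

```python
import struct

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def _qr(s, a, b, c, d):
    # ChaCha quarter round (RFC 8439, section 2.1)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: 32-byte key, 32-bit counter, 12-byte nonce."""
    init = (list(struct.unpack("<4I", b"expand 32-byte k"))
            + list(struct.unpack("<8I", key)) + [counter]
            + list(struct.unpack("<3I", nonce)))
    s = list(init)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13)
        _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12)
        _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))

def hp_mask(hp_key, sample, layout):
    """Header-protection mask from a 16-byte ciphertext sample (hypothetical helper)."""
    if len(hp_key) != 32 or len(sample) != 16:
        raise ValueError("need a 32-byte key and a 16-byte sample")
    if layout == "counter-first":    # QUIC draft: counter[4] || nonce[12]
        ctr, nonce = sample[:4], sample[4:]
    elif layout == "counter-last":   # DTLS 1.3 draft: nonce[12] || counter[4]
        nonce, ctr = sample[:12], sample[12:]
    else:
        raise ValueError("unknown layout")
    # Assumption: the counter bytes are little-endian in both layouts.
    counter = int.from_bytes(ctr, "little")
    # Encrypting zero bytes yields raw keystream; 5 bytes is the length QUIC uses.
    return chacha20_block(hp_key, counter, nonce)[:5]

if __name__ == "__main__":
    key = bytes(range(32))               # constructed key, not a real secret
    sample = bytes(range(0xA0, 0xB0))    # constructed 16-byte sample
    for layout in ("counter-first", "counter-last"):
        print(layout, hp_mask(key, sample, layout).hex())
```

The same key and sample give unrelated masks under the two layouts, so an implementation that shares one header-protection routine between QUIC and DTLS 1.3 without a layout switch fails to unmask headers on one of the two protocols.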