Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 04 December 2015 13:34 UTC
Return-Path: <prvs=9780d99152=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B18F11B3188 for <tls@ietfa.amsl.com>; Fri, 4 Dec 2015 05:34:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.208
X-Spam-Level:
X-Spam-Status: No, score=-4.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GMfMnrG55U6T for <tls@ietfa.amsl.com>; Fri, 4 Dec 2015 05:34:22 -0800 (PST)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by ietfa.amsl.com (Postfix) with ESMTP id D31CD1B3187 for <tls@ietf.org>; Fri, 4 Dec 2015 05:34:21 -0800 (PST)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id tB4DXgLJ017828; Fri, 4 Dec 2015 08:34:05 -0500
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Valery Smyslov <svanru@gmail.com>, Bryan Ford <brynosaurus@gmail.com>
Thread-Topic: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
Thread-Index: AdEumG8ZFHboNUopsEeqgRivNm8DvQ==
Date: Fri, 04 Dec 2015 13:34:00 +0000
Message-ID: <20151204133409.17788988.58221.38550@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="===============1084548272=="
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.21, 1.0.33, 0.0.0000 definitions=2015-12-04_06:2015-12-03,2015-12-04,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1511060000 definitions=main-1512040222
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/HfxoaEu0sOrw1esUjZaq1UqjvlQ>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2015 13:34:28 -0000
I'm with Valery here. IMHO the proposed mechanism makes little sense because (politics notwithstanding) it offers little gain in return of a significant (possibly unacceptable) burden to important use cases. Personally I'm firmly against it. <proper disclaimers> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network. From: Valery Smyslov Sent: Friday, December 4, 2015 07:57 To: Bryan Ford Cc: tls@ietf.org Subject: Re: [TLS] Fully encrypted and authenticated headers (was Re: Encrypting record headers: practical for TLS 1.3 after all?) As far as I understand your proposal makes impossible to use this trick, if we consider packets loss and reordering. Actually, if I’m understanding correctly how you’re doing this per-datagram rekeying, I think it still should be compatible with the hash-table-based approach I proposed. Assuming you’re using some key derivation function that takes a master key and sequence number as input and produces a per-datagram key, the receiver just needs to pre-compute the per-datagram keys for the sequence numbers within the current window, and encrypt the sequence numbers with those respective per-datagram keys, in order to populate its hash table. I don’t think anything breaks at least. I would say that the hash-table-based approach would work in theory. In practice it either implies too much burden on the receiver or would fail in some situations. Consider, for example, situation when the sender skips large amount of sequence numbers (say 2^32) for some reason. It would be difficult for receiver to build such a hash table. Regards, Valery Smyslov.
- Re: [TLS] Fully encrypted and authenticated heade… Blumenthal, Uri - 0553 - MITLL