Re: [TLS] TLS 1.3 - ignoring version values in record protocol header

Martin Thomson <martin.thomson@gmail.com> Thu, 12 March 2015 00:31 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C00621A895A for <tls@ietfa.amsl.com>; Wed, 11 Mar 2015 17:31:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A2tf6IFS_1_i for <tls@ietfa.amsl.com>; Wed, 11 Mar 2015 17:31:11 -0700 (PDT)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B4721A88F4 for <tls@ietf.org>; Wed, 11 Mar 2015 17:31:11 -0700 (PDT)
Received: by oifz81 with SMTP id z81so11053753oif.0 for <tls@ietf.org>; Wed, 11 Mar 2015 17:31:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=9YqYrx0roZ5lYGebdNvFNVeXHZx37J8eXH5yIHT2LFg=; b=cVBwXpx0/3oSYiVXUwk7Vn+yB89nujOeqHdLjxg3nC+RQ7l3uBRQu3OemuI5wAcoIz XA3I2hfReC4cl6ksvSk6g4yhH4Wfdm30OU1mAuEvwY3coqW8un0rasb44pmGx2blC4DX M6Bej1Msat+3RpZcs3+eelqKj316agYYtUgWsWf/phR7+tOih4YwCwRCylmgENHBUdiN Pg0AaQnkcH3XrFFwsudzA4ljwA4NVOYBcHsbpJqUfL6ABJ0M7SS9seCSgxCq5I08jtyh aGXI4W+vpjTpi6hCHHTy+4Eykd7PSEtY2Sic6I6kv4qfDugU+JNHJldH7+78/V2c0W1m umiQ==
MIME-Version: 1.0
X-Received: by 10.182.213.38 with SMTP id np6mr31622708obc.34.1426120270922; Wed, 11 Mar 2015 17:31:10 -0700 (PDT)
Received: by 10.202.225.135 with HTTP; Wed, 11 Mar 2015 17:31:10 -0700 (PDT)
In-Reply-To: <D126211F.8BD8%d.holmes@f5.com>
References: <D126211F.8BD8%d.holmes@f5.com>
Date: Wed, 11 Mar 2015 17:31:10 -0700
Message-ID: <CABkgnnUTbwj5qijhyj5HuXdku3e+kDUX+Dry=tq3c-5-gfANaQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: David Holmes <d.holmes@f5.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/KjppLOyb4Jnb8j4XAXr4SqCA1MA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 - ignoring version values in record protocol header
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2015 00:31:12 -0000

On 11 March 2015 at 16:43, David Holmes <d.holmes@f5.com> wrote:
> In draft 5, if the version bytes are still included in the AEAD
> computation, they shouldn¹t be ignored, right?

This is largely conjecture without proper analysis, but would like to
suggest the following:

1. We make the version number part of the PRF (HKDF) info string
(i.e., "TLS 1.3" or something that is unique to this protocol is part
of all expansion phases.  That will make the keying material dependent
on the version number.

2. Content type be moved from the AD to the actual data so that it is
not just authenticated, but also encrypted.

3. And then, since the sequence number was agreed to comprise the
entirety of the IV (the 5116 nonce) with zero pad to the requisite
size, it too can be removed.

... that means that ALL of the AD can be removed.

Yes, this could mess up middleboxes, but the sense I got was that we
might try this out and see how much damage this really does.