[TLS] Integrity bounds in DTLS
Martin Thomson <mt@lowentropy.net> Fri, 01 May 2020 04:51 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B4553A003D for <tls@ietfa.amsl.com>; Thu, 30 Apr 2020 21:51:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=TXjnTbTu; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=uzCSp4Ug
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SaEPtrbwg18I for <tls@ietfa.amsl.com>; Thu, 30 Apr 2020 21:51:32 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1506B3A003C for <tls@ietf.org>; Thu, 30 Apr 2020 21:51:32 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 00D5B5C02DE for <tls@ietf.org>; Fri, 1 May 2020 00:51:31 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute2.internal (MEProxy); Fri, 01 May 2020 00:51:31 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:date:from:to:subject:content-type :content-transfer-encoding; s=fm2; bh=1WO/NRhm1cdH0Quj/D7PtTtsog VNaJi2As9JAgD/giI=; b=TXjnTbTu+giBT+wmbqD77Wj56OYnj0SMGHUU/AeI1f jV1JuXJG0G/6FjiQ8gtOOTd3Jf2H7onYaaW7fLakmVFTE7js6MTEgZJMh2DC65VO ZeEq+/siTbw+RZEyUnaUl3qeHTzLY0yC/0hs4dJO+LluvwGVhvGhCdAIOokEe+3h /Kc5q1g4sz2DdOeJ21n7raTTs4t30MAAjqMxMjZyaufcIOzEvZdoQkRC8rUGchO2 vpcvc2YPjkeBUESTddHQqhYQVlQYnGH4wgKuxH+hG+irDwALujMbA2myHesTfrct q6+wQRT3Bc874Q/Xtt0L7ZPMXEsG+YQwboiFKEY429Qg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=1WO/NR hm1cdH0Quj/D7PtTtsogVNaJi2As9JAgD/giI=; b=uzCSp4UgQAZIIdP/lfNl1S B4dakcNqESOWT95fKajcRxjOK6+ujCpyjTVA3ohdrl4t5XlbA6F4/z+PEIXBsLsO MzeCeHxvWKffRZ/zKIlZg9Gphse9zvLxff57GKf8DsT8UY2SwrEX7rINkt4WfhPF aTk+LcLerzkP9UAo+pCCvOI2nahrfNOErizdu51Vs4GEZnaFGv4Ir5iA7YtmlG4N DhTsUK4RJmqXlvtsxoXsLBLym6PzJ3iB7/gG7vOof7qrciTGrrJ6MI8fp4mUBnh0 OPaC7OJm7YXvruXbUTw2haj2lvpoYBlkLQrIkn1yi1NnCMOdpep8vFNmGwofmS8Q ==
X-ME-Sender: <xms:0qqrXjgoaVwxED6ZPanyu8Ow5dp_tWMtGoDlV5jBKZhhVVNfrnTveQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrieeigdekhecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkfffhvffutgfgsehtqhertd erreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigv nhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpefggfetfefgvedvhefhhfehhe ehfeekveehgeduveehjeevteeggfevheelhffgjeenucffohhmrghinhepghhithhhuhgs rdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:0qqrXou99-j2Z1ZX6W9LgnOvTif6pznqtTLTG4s1gOomBWutF2laoA> <xmx:0qqrXjArcP-m4Ppb_ihacmZKJKsgbdoM0ehdRB4iSVFLogJwSRpy9g> <xmx:0qqrXsx7MccpsCPshiwrnGWD3dF7gZALMee0xTnDHyjDKFYo3EFM9w> <xmx:0qqrXoSIExwS6d7KULJNtWnL9LUotB_sHtOgxmRrDReYbps1dRCa6w>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 878B8E00A9; Fri, 1 May 2020 00:51:30 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-dev0-351-g9981f4f-fmstable-20200421v1
Mime-Version: 1.0
Message-Id: <0a9e740f-c20a-4def-9a61-d256cbcbf07c@www.fastmail.com>
Date: Fri, 01 May 2020 14:51:11 +1000
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QpV0KZILrwUxeEZ3_QUoz74r-P8>
Subject: [TLS] Integrity bounds in DTLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2020 04:51:35 -0000
Thanks to some good work from Felix Günther, Marc Fischlin, Christian Janson, and Kenny Paterson we now have a new result to share about the integrity limits in QUIC. There is a long write-up in https://github.com/quicwg/base-drafts/issues/3619, the conclusion of which is that endpoints need to count the number of failed decryptions and stop using keys once a certain limit is reached. Key updates can be used to avoid this. The same concern applies to DTLS. I believe that the same solution - or at least a similar solution - is therefore necessary for DTLS. I know that we're past WGLC, but this is an important result regarding a key distinction between TLS and DTLS.
- [TLS] Integrity bounds in DTLS Martin Thomson
- Re: [TLS] Integrity bounds in DTLS Martin Thomson
- Re: [TLS] Integrity bounds in DTLS Martin Thomson
- Re: [TLS] Integrity bounds in DTLS Thomas Fossati
- Re: [TLS] Integrity bounds in DTLS Martin Thomson
- Re: [TLS] Integrity bounds in DTLS Thomas Fossati