IETF Logo Mail Archive

Re: [TLS] Choice of Additional Data Computation

Felix Günther <mail@felixguenther.info> Tue, 05 May 2020 17:45 UTC

Return-Path: <SRS0=Z+9a=6T=felixguenther.info=mail@cdc02.comdc.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 108E33A0B09 for <tls@ietfa.amsl.com>; Tue, 5 May 2020 10:45:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ktY3Ja47Nll for <tls@ietfa.amsl.com>; Tue, 5 May 2020 10:45:00 -0700 (PDT)
Received: from cdc02.comdc.de (cdc02.comdc.de [136.243.4.87]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5B743A0B08 for <tls@ietf.org>; Tue, 5 May 2020 10:44:59 -0700 (PDT)
Received: from cdc02.comdc.de (cdc02.comdc.de.local [127.0.0.1]) by cdc02.comdc.de (Postfix) with ESMTP id 82B7A4F2007F for <tls@ietf.org>; Tue, 5 May 2020 19:44:57 +0200 (CEST)
Received: from [192.168.178.40] (160.94.254.84.ftth.as8758.net [84.254.94.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mail@felixguenther.info) by cdc02.comdc.de (Postfix) with ESMTPSA id 633734F2007E for <tls@ietf.org>; Tue, 5 May 2020 19:44:57 +0200 (CEST)
To: tls@ietf.org
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com> <a18b8223-ca9e-4a06-97fc-448865023376@www.fastmail.com>
From: Felix Günther <mail@felixguenther.info>
Autocrypt: addr=mail@felixguenther.info; keydata= xsDiBE04qkIRBADtFenVz1DuqethtPkoKAazBeKjyrr5Znbi8mQT1gOrkuli6i0/umf2uJ9V uI6NgjR0uM68UFGIHZlAoWk5Nfo8BTkYsdXl4R08pePmwRwwtq9LALZrGkeLeQtOFdLJt7G2 iQgqq2XpZc9AXW3/+j0I6MmsWMQKCkCA1s6IRLtH+wCgk85oP1adRYaEpi82Z3oG7vztEOkE AMccj8RgnjWcbB13HxxRk2C/4mgLEmCBWO3nmcCPZP5t/5GZSe7Kt5HQoygjxxcro/2e+9wF YsYwLUpHKMOjyvtcU0jLtIv0m6I+GQ3HOz89erVpa7G7EUoEsbQ7FEuyW4mVEaQZ3XE1Mxvp /3Ca1rBJjoxXhxKaDJYWsc5fdO6RA/44xXLdiE2f6NDoTJY7Z97VXUnJskpDNnwePOJyX4GT DwII2kl6JSYOAmkcOpINOSVsS0XDLZpBuKqsibUF/t53BkNfR/aF/BzIUJ5dykqrHvi75aQb ltSum1+kIo8Q6ZI+MzAAwmbqLfuRHZP5y0fjxdHLhfMrvacrNHnaoUWrVc0oRmVsaXggR8O8 bnRoZXIgPG1haWxAZmVsaXhndWVudGhlci5pbmZvPsKTBBMRAgA8AhsjBgsJCAcDAgYVCAIJ CgsEFgIDAQIeAQIXgBYhBCuuSm95RkYbcAFhs1KvAgDT8XAOBQJdE93OAhkBACEJEFKvAgDT 8XAOFiEEK65Kb3lGRhtwAWGzUq8CANPxcA5VLACfRCZFjMy2oVl6MKcxqSLOqxpYcmUAniNH ecOrDmHcK3hfLPUIRCtR0mDPzsNNBE04qkIQEAD1M2gM5rQ9UIBa+323DToxTD4PQ+gCGSXW OU0TN41q0sNCp/ph6Ec6C2OmADy2m6UMlSr+jc03XkmxQHV6XqhCN7rjijCqEQUPxXTY2zdk rqEaAFEa6mnpErCDvQXjPi6QrAJLvz2tl3Bqry35ffs1FQ/jVjnfuSB83ZHUEUsHQDX1Bvna exqd4FRKAYte7f1vEOsei6eguMyK0lrXQBNFy5GfLx4nMC5cjyUJRE2MI9YlWNc3eCz7PqwD 95uvaKctBPrpYhBmLlDfUE3I8Z5pqL7u3shul+SGqdscBMOrq+0zyUJ6b6uxhzcy03VbiNBn n0AIjeJ67cyi4yg3hbmanRuMHqg2I7VNNgPdlRgF5XshNfjuVqDsD0w/MHBtEZ160A3XJTkc O/uaBp16L+gWXALj+EPXyRiO4cRTEqIKiiRllo9AQxMqMGkeGumFKyVNeX+1aYwkGhWyB52C FbJ/f2jxk5MGxBDXAfCE70Nz5/BP9DYHDqN1lLPBBUkbXeGD+4LoerGFh+Ioe2yIy6qdvk4g zSqRZrdD9e1FyWiSTx6VOMdgggz4cF2LbGPKzwP7WBU8jyzg3A9ECNzmb+QBfLNutuD6n5lV 7cglMTgz+F5KEvOygWtmiugTZPfyu9NayJ2j/zMlkLEn4ksBHynwFgpgEl6X+key9EXBJhs4 QwADBg/+P3Tm8Bn8wmUusSVDp5XBTZcgGEWaw61BxWaHcJnDRC5cwDUBCxB7cosslJ8EQ/wu PPz9j2Y827zCa+HDTg/HSjs2zrI4S6+/gLJDNpnAka+fSUjhRqNLvLiaAYWR3UCY+LX/h6X1 inibLzxWU5xJ7+Zpybj4wIgAwN6A0vEnMStmA4xAlV1LPitVhpZOhMT8NW9EWS4RmBk2e8i/ wbjo4Jm2edEW/VdAOi7Fqna07zIYFD4HEFleqte3J5XPXB44EhUfJxTGL2QZFDkz301+tm4i dHXfzZb1hiGqJWC+a9YSwtkVGgauHzDXJWTLHDogaKRaWTCrxMsZWUCKoDwAQ1ln1sklU6fn uV3oO/PxzxS8em9KlRu3djeN/QYlsOeWPi/dmsjFwjdGZQgZ/QJANKmqtQemmArCIE9IstFF Cu4bDuPMukyq7tqv7Z+E1AHcYtKbKCKR1hdE5+YgirQnmD+tktIVDUZmYvdLympL2wlCHQpk RQT7U+3MChhRin1u1HkmjelvICfoz+BI2VI0NTBrYRqLp/Ld8G7UpPUBiCe0vNXImvZD9Z3z kyMX9r0YjlfyWae89IAn+h9Ij9tGMurI2Pp+souvO0VX25xaEpChB3iIT2p7bzgpip1CrgFl SE7gnaeXatZsSq6gV70AJ0hUEi5GgIcRSut4wbS13KbCSQQYEQIACQUCTTiqQgIbDAAKCRBS rwIA0/FwDqNgAJ9h3wSRXwbvSK4+TIAcxlnxbyVZSgCgkSUHgTNTyiliLBDDTYdG9b+pi4k=
Message-ID: <6b074b76-2977-fbc1-99d7-f9acb79466e3@felixguenther.info>
Date: Tue, 05 May 2020 19:44:53 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <a18b8223-ca9e-4a06-97fc-448865023376@www.fastmail.com>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="WoiLjjNrWcpaqyUQ0qyLIVqLkLQkoBMIN"
X-Virus-Scanned: ClamAV using ClamSMTP
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ri33zZmFNb1kZ4HToDHs9cDDTPY>
Subject: Re: [TLS] Choice of Additional Data Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 17:54:35 -0000

Hi,

Sorry for chiming in with delay (thanks @Chris for pinging me); I'm not
following the list very closely, feel free to additionally CC me in case.


First of all, let me make sure I correctly understand that
 * "on-the-wire header" is what's exemplified in Fig. 4 of the draft
 * "pseudo-header" would be a superset, esp. including full epoch, full
sequence number, length, connection ID, ... -- what else?

Further, I understand there is _no_ unique mapping from pseudo-header to
on-the-wire header (as the latter may be compressed in different ways).

The latter, to me, suggests that authenticating the pseudo-header alone
may not be sufficient. It would at least allow on-path modifications to
the on-the-wire header, which I don't expect is intended.


As for the current authentication of the on-the-wire header: We [1] did
an analysis of the record layer of DTLS 1.3 (and QUIC) in which
 + we establish confidentiality, integrity and robustness ("correct
operation under adversarial manipulation")
 + of the record layer deprotecting packets with encoded/abbreviated
sequence numbers to payload fragments
 + under an adversary that can arbitrarily tamper with the packets (in
particular truncate ciphertext, i.e., modify lengths)
 + based on standard AEAD security.

However, our work did not consider
 - epochs or key updates (analysis under one key only)
 - the full header (only model encoded sequence number entering the AAD)
[- processing of payload fragments into the actual multiplexed data
streams (as in the TLS-related models Chris mentioned [2,3]; this only
applies to QUIC's application interface, and arguably is beyond the
cryptographic operations).]


Our analysis supports the arguments that:

 1) The length is implicitly authenticated through the ciphertext itself
-- tampering with the ciphertext, in particular its length, will make
AEAD decryption fail.

 2) The full sequence number is implicitly authenticated through the
nonce -- decoding the wrong sequence number will (offset by the IV)
yield a different nonce, leading AEAD decryption to fail.


As said, we didn't consider connection IDs or epochs, but for both I'm wary:

 3) Implicit connection IDs clearly aren't authenticated. I'm not sure I
fully understood the concept, but this sounds like a bad idea.

 4) I slightly disagree with "epochs determine the key" (true) as, what
I understand is, an argument that "the full epoch is implicitly
authenticated by using the right key", at least in its absoluteness. My
*guess* would be that, due to the key schedule, this argument comes down
to the probability of keys colliding (which is anyway to be avoided, so
probably fine). Still, from a security analysis point of view, showing
security with key updates might be easier if the (full) epoch was
authenticated as part of the AAD.


So, overall I guess my tendency would be to authenticate both what's on
the wire and the reconstructed context. At least from a crypto
perspective, this would be the safest bet. But again, this is
extrapolating beyond what our analyses cover, hence just my two cents.

Best,
Felix


[1] Marc Fischlin, Felix Günther, Christian Janson. Robust Channels:
Handling Unreliable Networks in the Record Layers of QUIC and DTLS.
Preprint for QUIPS 2020 Workshop at https://felixguenther.info/Q20_RC.pdf

[2] Marc Fischlin, Felix Günther, Giorgia Azzurra Marson, Kenneth G.
Paterson. Data Is a Stream: Security of Stream-Based Channels.
https://eprint.iacr.org/2017/1191

[3] Christopher Patton, Thomas Shrimpton. Partially Specified Channels:
The TLS 1.3 Record Layer without Elision. https://eprint.iacr.org/2018/634


On 2020-04-27 02:13 +0200, Martin Thomson <mt@lowentropy.net> wrote:
> A few of the submissions to QUIPS addressed this question for QUIC (which has a similar construction to DTLS) and concluded that this was broadly OK.  What changes is the degree to which we rely on the strength of the AEAD for prevention of spoofing.
> 
> (I'm sorry, but I can't find the paper that was most directly applicable, perhaps Felix can help out.  https://eprint.iacr.org/2020/114.pdf does a pretty good job, though it is a broader treatment.)

v2.23.0 | Report a Bug | By Email