Re: [TLS] DTLSv1.3: Record Number in AEAD computation
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 02 May 2022 09:30 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBF27C1594A8 for <tls@ietfa.amsl.com>; Mon, 2 May 2022 02:30:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Or0BEFkyHGrv for <tls@ietfa.amsl.com>; Mon, 2 May 2022 02:30:41 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 662E8C1594A7 for <tls@ietf.org>; Mon, 2 May 2022 02:30:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id D2C9914BB0 for <tls@ietf.org>; Mon, 2 May 2022 12:30:37 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id 0RbjLzVSZN86 for <tls@ietf.org>; Mon, 2 May 2022 12:30:37 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id AC7827A for <tls@ietf.org>; Mon, 2 May 2022 12:30:36 +0300 (EEST)
Date: Mon, 02 May 2022 12:30:36 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <Ym+kvDkHYLbZ0Tov@LK-Perkele-VII2.locald>
References: <15bba75f-fc21-9df7-8987-5e8823220144@wolfssl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <15bba75f-fc21-9df7-8987-5e8823220144@wolfssl.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VAXo8axuBLBfyq7XNSOBjfz3HzE>
Subject: Re: [TLS] DTLSv1.3: Record Number in AEAD computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 09:30:45 -0000
On Mon, May 02, 2022 at 10:58:50AM +0200, Marco Oliverio wrote: > Hi all, > > In the RFC9147, in the last paragraph of Section 4 it's stated: > > """ > This 128-bit value is used in the ACK message as well as in the > "record_sequence_number" input to the Authenticated Encryption with > Associated Data (AEAD) function. > """ > > But the very last sentence of the same paragraph states: > > """ > In DTLS 1.3 the 64-bit sequence_number is used as the sequence number > for the AEAD computation; unlike DTLS 1.2, the epoch is not included. > """ > > Aren't these statements contradictory? > > I think only the 64-bit sequence number is meant to be used and the > first paragraph is a replace-error done while increasing the epoch > size from the last draft. Yes, the sequence number in AEAD is meant to be 64-bit. 128-bit sequence number is not compatible with any mainstream TLS 1.3 ciphersuite (since it would require nonce at least 16 octets, but all main ciphers have 12 octet nonces). And there are further problems. What is the "record_sequence_number" input? That sentence is the only match for 'record_sequence_number' in RFC9147, and there are no matches in RFC8446. I also found this in section 4.1: "If the first byte is alert(21), handshake(22), or ack(proposed, 26), the record MUST be interpreted as a DTLSPlaintext record." I presume "proposed" should not be there (ACK is indeed ContentType 26). -Ilari
- [TLS] DTLSv1.3: Record Number in AEAD computation Marco Oliverio
- Re: [TLS] DTLSv1.3: Record Number in AEAD computa… Ilari Liusvaara
- Re: [TLS] DTLSv1.3: Record Number in AEAD computa… Cunningham, Andrew