[TLS] DTLS 1.3 AEAD additional data
Hanno Becker <Hanno.Becker@arm.com> Tue, 21 April 2020 15:27 UTC
From: Hanno Becker <Hanno.Becker@arm.com>
To: "tls@ietf.org" <tls@ietf.org>
Date: Tue, 21 Apr 2020 15:23:33 +0000
Message-ID: <AM6PR08MB3318911C71C0DDB90480694A9BD50@AM6PR08MB3318.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eCVbam4xdLw5k0muR-Bwxt54RKE>
Subject: [TLS] DTLS 1.3 AEAD additional data
Hi all,

To my understanding, DTLS 1.3 defines AEAD additional data for record protection as the record header as seen on the wire. Quoting Draft 37, Section 4:

```
The entire header value shown in Figure 4 (but prior to record number encryption) is used as the additional data value for the AEAD function. For instance, if the minimal variant is used, the AAD is 2 octets long. Note that this design is different from the additional data calculation for DTLS 1.2 and for DTLS 1.2 with Connection ID.
```

I would like to suggest that DTLS 1.3 uses a structured representation of the record header instead, as do all other versions of [D]TLS as far as I understand. The reasons for this are as follows, in decreasing order of my perception of importance:

- Omission of Connection ID

Regarding the presence of Connection IDs in multiple records within a single datagram, Draft 37 says:

```
Implementations which send multiple records in the same datagram SHOULD omit the connection id from all but the first record; receiving implementations MUST assume that any subsequent records without connection IDs belong to the same association.
```

This means that the Connection ID for non-initial records in a datagram containing multiple records is _not_ part of the AEAD additional data for those records, which seems wrong. Concretely, one could inject such non-initial records into other datagrams using different CIDs, and the record protection wouldn't notice it. One might argue that CID shouldn't be part of the AEAD in the first place, but in any case, I believe the treatment should be uniform and not distinguish between initial and non-initial records in a datagram.

- Modularity

Decoupling the wire-presentation of the record header from record protection makes it possible to implement record protection and the choice of record header independently: One piece of the implementation can take care of record protection - using the structured presentation of the record header - while another takes care of the wire-encoding. It is even possible to change the record header format in transit. One might of course turn this argument around and say that such modifications are unwanted and using the header on-the-wire as the AEAD additional data allows them to be detected, but I don't yet see the concrete problem with them.

- Simplicity

At first it seems that using the record header as an unstructured binary blob for AEAD makes things simpler, but I don't think this is the case: Prior to record decryption, the record sequence number needs to be decrypted, and for that purpose, the record header already has to be parsed. Hence, at the time of record decryption, the record header is already present in a modified, structured form, and retaining the corresponding modified binary form appears to create additional complexity which would be avoided if record protection used the structured header presentation.

- Uniformity with other [D]TLS versions

Let me know what you think,

Best,
Hanno
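The following is an added example, not part of the message above and not code from any DTLS implementation. It models the "Omission of Connection ID" point: a sender emits two records in one datagram, carrying the CID only in the first (the draft-37 SHOULD), and a receiver applies the draft's rule that CID-less records belong to the association of the first record. Record protection is then run twice, once with the header-as-on-the-wire as AAD (draft-37) and once with a hypothetical structured AAD that always names the association's CID (the alternative argued for; its byte layout is invented for this example, not taken from any specification). Assumptions, all constructed: one association with application epoch 3 that has been issued two CIDs (CID_A and CID_B) and therefore uses the same traffic keys under both; a 4-byte CID; record number encryption omitted because it does not affect the AAD; and a stand-in AEAD built from HMAC-SHA256 so the code runs with the standard library only. It is not a DTLS cipher suite.

```python
import hashlib
import hmac
import struct

# Unified header first byte: 0 0 1 C S L E E  (draft-ietf-tls-dtls13-37, Figure 4)
FIXED_BITS = 0b00100000
C_BIT = 0b00010000   # C: connection ID present
S_BIT = 0b00001000   # S: 16-bit sequence number (0 = 8-bit)
L_BIT = 0b00000100   # L: 16-bit length field present
TAG_LEN = 16

# Constructed parameters: one association, epoch 3, two CIDs sharing the keys.
KEY = bytes(range(16))
IV = bytes(range(100, 112))
EPOCH = 3
CID_LEN = 4
CID_A = b"\xaa" * CID_LEN
CID_B = b"\xbb" * CID_LEN  # second CID issued later to the same peer

def encode_header(cid, seq, length, with_cid):
    """Serialise a unified header with 16-bit seq and explicit length."""
    first = FIXED_BITS | S_BIT | L_BIT | (EPOCH & 0b11) | (C_BIT if with_cid else 0)
    return bytes([first]) + (cid if with_cid else b"") + struct.pack("!HH", seq & 0xFFFF, length)

def parse_header(buf):
    """Parse a unified header; returns (fields, header_bytes, remainder)."""
    first = buf[0]
    if first & 0b11100000 != FIXED_BITS or not first & L_BIT:
        raise ValueError("not a unified header with a length field")
    pos, cid = 1, b""
    if first & C_BIT:
        cid, pos = buf[pos:pos + CID_LEN], pos + CID_LEN
    if first & S_BIT:
        seq, pos = struct.unpack("!H", buf[pos:pos + 2])[0], pos + 2
    else:
        seq, pos = buf[pos], pos + 1
    length, pos = struct.unpack("!H", buf[pos:pos + 2])[0], pos + 2
    return {"cid": cid, "epoch_low": first & 0b11, "seq": seq, "length": length}, buf[:pos], buf[pos:]

def structured_aad(cid, epoch_low, seq, length):
    """Hypothetical structured AAD (invented layout): always carries the CID."""
    return struct.pack("!BB", epoch_low, len(cid)) + cid + struct.pack("!HH", seq, length)

def _nonce(seq):
    # TLS 1.3 style: per-record nonce = IV XOR left-padded 64-bit record number.
    return bytes(a ^ b for a, b in zip(IV, ((EPOCH << 48) | seq).to_bytes(12, "big")))

def _keystream(nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(KEY, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def aead_seal(nonce, aad, plaintext):
    """Stand-in AEAD: HMAC keystream XOR, tag over nonce || aad || ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(nonce, len(plaintext))))
    return ct + hmac.new(KEY, b"tag" + nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]

def aead_open(nonce, aad, sealed):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(KEY, b"tag" + nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None  # authentication failure: AAD or ciphertext was altered
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))

def protect(cid, seq, plaintext, with_cid, aad_mode):
    """Sender side. aad_mode is "wire" (draft-37) or "structured"."""
    length = len(plaintext) + TAG_LEN
    hdr = encode_header(cid, seq, length, with_cid)
    aad = hdr if aad_mode == "wire" else structured_aad(cid, EPOCH & 0b11, seq, length)
    return hdr + aead_seal(_nonce(seq), aad, plaintext)

def receive_datagram(datagram, aad_mode):
    """Receiver side, applying the draft-37 rule that records without a CID
    belong to the association of the first record in the datagram."""
    out, cid_ctx, buf = [], None, datagram
    while buf:
        f, hdr, buf = parse_header(buf)
        if f["cid"]:
            cid_ctx = f["cid"]
        elif cid_ctx is None:
            raise ValueError("first record in datagram carries no CID")
        sealed, buf = buf[:f["length"]], buf[f["length"]:]
        aad = hdr if aad_mode == "wire" else structured_aad(cid_ctx, f["epoch_low"], f["seq"], f["length"])
        out.append((cid_ctx, aead_open(_nonce(f["seq"]), aad, sealed)))
    return out

def splice_demo(aad_mode):
    """Honest datagram on CID_A, then the CID-less second record spliced behind
    a genuine CID_B record. Returns (honest_results, spliced_results)."""
    r1 = protect(CID_A, 1, b"first record on A", True, aad_mode)
    r2 = protect(CID_A, 2, b"second record, CID omitted", False, aad_mode)
    r3 = protect(CID_B, 7, b"first record on B", True, aad_mode)
    return receive_datagram(r1 + r2, aad_mode), receive_datagram(r3 + r2, aad_mode)

if __name__ == "__main__":
    for mode in ("wire", "structured"):
        print(mode, splice_demo(mode)[1])
```

With the wire header as AAD, the spliced second record authenticates and is attributed to CID_B, because its on-the-wire header is byte-for-byte the same in either datagram. With the structured AAD, the receiver's reconstruction names CID_B while the sender sealed under CID_A, so the tag check fails and the record is dropped. The example deliberately stops at record protection: sequence-number replay windows and the surrounding connection state are out of scope.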
- [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Martin Thomson
- Re: [TLS] DTLS 1.3 AEAD additional data Christopher Wood
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Martin Thomson
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Martin Thomson
- Re: [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Martin Thomson
- Re: [TLS] DTLS 1.3 AEAD additional data Thomas Fossati
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Christopher Wood
- Re: [TLS] DTLS 1.3 AEAD additional data Thomas Fossati
- Re: [TLS] DTLS 1.3 AEAD additional data Thomas Fossati
- Re: [TLS] DTLS 1.3 AEAD additional data Thomas Fossati
- Re: [TLS] DTLS 1.3 AEAD additional data Christopher Wood
- Re: [TLS] DTLS 1.3 AEAD additional data Thomas Fossati