IETF Logo Mail Archive

Re: [TLS] Choice of Additional Data Computation

Hanno Becker <Hanno.Becker@arm.com> Sun, 26 April 2020 09:43 UTC

Return-Path: <Hanno.Becker@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD9EF3A0E98 for <tls@ietfa.amsl.com>; Sun, 26 Apr 2020 02:43:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.718
X-Spam-Level:
X-Spam-Status: No, score=-2.718 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.82, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=gBLfvph+; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=gBLfvph+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IZQvogDa0uXh for <tls@ietfa.amsl.com>; Sun, 26 Apr 2020 02:43:33 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80051.outbound.protection.outlook.com [40.107.8.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 083FD3A0E94 for <tls@ietf.org>; Sun, 26 Apr 2020 02:43:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Sp/L52Bsbh2Ev4VYicGTvJIsp16cl/gDBcLMFo1XWq8=; b=gBLfvph+g3qPqlhKRTTYfCmLEJCZEuJxRKsY+dBy3ibVz+9Wc8biUHJ9nrKrfvDAKrxeqHJvBCXKZa+2m8W1BMITntAuET2jpcMq1ErvGpd9kSr9tu0O6545UWuXGgD+J4zfRMWJD9ezj2HDMoE9lnsZVyoIBxpMrR+XS+I2VpY=
Received: from DB6PR0202CA0025.eurprd02.prod.outlook.com (2603:10a6:4:a5::11) by VI1PR08MB3518.eurprd08.prod.outlook.com (2603:10a6:803:7a::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.22; Sun, 26 Apr 2020 09:43:29 +0000
Received: from DB5EUR03FT050.eop-EUR03.prod.protection.outlook.com (2603:10a6:4:a5:cafe::16) by DB6PR0202CA0025.outlook.office365.com (2603:10a6:4:a5::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13 via Frontend Transport; Sun, 26 Apr 2020 09:43:29 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT050.mail.protection.outlook.com (10.152.21.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.19 via Frontend Transport; Sun, 26 Apr 2020 09:43:29 +0000
Received: ("Tessian outbound ff098c684b24:v54"); Sun, 26 Apr 2020 09:43:29 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: d79acfa38b1d1ce3
X-CR-MTA-TID: 64aa7808
Received: from b398d8389341.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 88B55679-B5ED-4436-8AC4-1F6783DC1DD0.1; Sun, 26 Apr 2020 09:43:23 +0000
Received: from EUR05-AM6-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id b398d8389341.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Sun, 26 Apr 2020 09:43:23 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=md536OK6wuUKF/y37abqiJgtPaduRld1muUVSdABOLREIoDEY+Lxz8u2iXmu96PPMNh/G10G3liKwLlwElRwVwmJXuvlXjbW5RdvgVyk/W28wphYJE5hxBGC4lEgwSF2Un9qqUbW4syJiXiOYa54UKngu3gUzRhaQjDnPFUjTMPWH8SGQSdYbBYAzbxnR/c+eWkO47m7EELltzNg56bDg+crmrDU/SdgwUjHn0YPtLk0Vy8qUCYdhL3k5Ck7o2b005omQoDocTNYS+ByjZ+PKeT7aqEnc3rxgXpEwYPiuSWI26qWpcOWAfySuKmOGJx2DU7ElomfU3UdTI9wOCxsiw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Sp/L52Bsbh2Ev4VYicGTvJIsp16cl/gDBcLMFo1XWq8=; b=lSdEmY2A4Z5SxDtB619pxv6I5WrKcXJij2w74KVtBENV4j0sEYJyoJOygpg4NBOLCV51yeIU9hELlxdNxbt2eHnl6modELyf3lGOnoEWRpnpsxKKfjkEMti0Sw59tCxgCc0x2K7/RGOGnZai9kPypmTuy9xG9xuhO2TvOysgDLMuOfR89NCSdO8QYbt/QIIQvD9qCJXsvubOayuopgbnFdadKaSS46WbAJfs/brhTWRommAJoncZpTmVQkuaadQ+7B3J/7wkWnCKHFuOk6zeR4qzPIVBJ9sGFbPx2wuY5Gxhy5HZSDygqWH+dexlo2FiV5Xxweo/CUM0m7mpSUhNrA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Sp/L52Bsbh2Ev4VYicGTvJIsp16cl/gDBcLMFo1XWq8=; b=gBLfvph+g3qPqlhKRTTYfCmLEJCZEuJxRKsY+dBy3ibVz+9Wc8biUHJ9nrKrfvDAKrxeqHJvBCXKZa+2m8W1BMITntAuET2jpcMq1ErvGpd9kSr9tu0O6545UWuXGgD+J4zfRMWJD9ezj2HDMoE9lnsZVyoIBxpMrR+XS+I2VpY=
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com (2603:10a6:209:45::15) by AM6PR08MB3702.eurprd08.prod.outlook.com (2603:10a6:20b:8e::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.22; Sun, 26 Apr 2020 09:43:21 +0000
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::1579:b7d9:f543:200d]) by AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::1579:b7d9:f543:200d%5]) with mapi id 15.20.2937.023; Sun, 26 Apr 2020 09:43:21 +0000
From: Hanno Becker <Hanno.Becker@arm.com>
To: chris - <chrispatton@gmail.com>
CC: Eric Rescorla <ekr@rtfm.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Choice of Additional Data Computation
Thread-Index: AdYaKASVCp3JPFQuSaOSMkwtz/VZZwAEUEsAAAN7oaAAAnFQAAAASY9CAAFcJQAAAoyFgAAAY+d9AADW9gAAAKxogAAAKW2AAAULeAAAKztBgAAIVeEa
Date: Sun, 26 Apr 2020 09:43:21 +0000
Message-ID: <AM6PR08MB33185190928734FAFCEDFFCE9BD10@AM6PR08MB3318.eurprd08.prod.outlook.com>
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com> <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBOwK7m465LsbY3U+bHv0XA2rcGOTEBStTtTNkwAYvWeQA@mail.gmail.com> <CACLV2m5Md2+Ffc978ZJ+BeZwRgcXTV3xE0vXzmvNgnot_c71xQ@mail.gmail.com> <AM6PR08MB331862B6F143652F4B4C10EE9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBMKoVrcN-=aTvy6py5bhOwOVrhgVLmtX2tthc=Oa54b_Q@mail.gmail.com> <CACLV2m7knyt-gQoQq2v1Kz-J62DPjCpb6faJFfDgJ-8mprHwxQ@mail.gmail.com> <CABcZeBMwQHdRuvcs5pmE59SCUj=cwWCtrBhyh9w_L0U1ZDoJ8Q@mail.gmail.com> <AM6PR08MB3318AFD0C1FC4011ED2A81919BD00@AM6PR08MB3318.eurprd08.prod.outlook.com>, <CACLV2m7P-=ztPLt+eZjEpcZW=TbNj4wU6hOywhAyMx5ZRrahUw@mail.gmail.com>
In-Reply-To: <CACLV2m7P-=ztPLt+eZjEpcZW=TbNj4wU6hOywhAyMx5ZRrahUw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
x-originating-ip: [86.169.222.218]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: b7f2b1f5-b235-4363-c3af-08d7e9c64678
x-ms-traffictypediagnostic: AM6PR08MB3702:|AM6PR08MB3702:|VI1PR08MB3518:
x-ms-exchange-transport-forked: True
X-Microsoft-Antispam-PRVS: <VI1PR08MB35181FBBA54E265F0C3E54AE9BAE0@VI1PR08MB3518.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 03853D523D
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR08MB3318.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(366004)(376002)(39860400002)(136003)(396003)(346002)(186003)(66946007)(86362001)(26005)(76116006)(66446008)(66556008)(6916009)(4326008)(64756008)(5660300002)(66476007)(71200400001)(33656002)(19627405001)(9686003)(53546011)(8936002)(55016002)(316002)(7696005)(2906002)(8676002)(478600001)(52536014)(54906003)(6506007)(81156014); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 6ox/xb07jiSoPZ7Bxa8GEVvXRz5I0KQ9lmySPxNVCukryS061wkIg9XN2JoWygYAG3vujt40EIzoRtLJSW1rGCPbvom6pgax64ItdQseIzjqnjldzYJknyI+IaCPV05N1s0uZEZeO6Ol/S3xnWopxrP0ktOiGiiuG4x5Q41t0mEW9LMVT77XFMpyP+2rbGhZZbr9monVaP/UfaCv3USTH25RLnA43SftZagsSiQtwgLoKxydi0YdD+8QLGCF2gWinskYW8tudwk5QwplLnfHBObU9okLxOTac+vsv2WmO2sH6uHlq/7EBoJlM7hP8pTaUtvxXB0oDpTHNTET36+rDSHkgSLhdOafSqO+0rFn8b5DvWl6lKBMDejUZwXORTY5vcLeyAfNP4QzJvmXhadSESqYw8gPENrQtfMqgZxQngu7Za4ERbHqhE2YZsE2C8fs
x-ms-exchange-antispam-messagedata: xpGvoipQ88Hy8S8KlgSeRWAeA6CWQyWbpA9Ulwwz7Vt/rrVYKbGIuvW8UyI/l31wtqGqHEI0aDCkZpHJLaZ1tsIJhcM+wxy21r3tc1GLqe5Si50cnvkVxODmrr0F/URoKdmzgsCZJmUGed2ZVoto128mS63G+t0PWWdRrqP68XB7qzCHTPjMpH7/ou2/Gm1V49Yl+LuCDiGa1D8tIpsGVQpF10JqqlhlQjxGnb3dEBK37oui7DmAY5qYVEdfmAysipi5p15zf2yOKtAfH3Ujh6AvYmZRAPmyLXGLhM3+l+brXXKro+RipnSkxITVdRBNgXsiv8yG5hn92AtzLPJBil8G2QIFBMjhyEzIgIqPvOSoLtwr/DS9zsnJYZbpkktxRPRxLUiBuIxdRVff9oG1/XjpWKObJK0Mk7ul2kG2xHY+ko2TpCYUMyq0upx3mB7W48TQzF+gzOrmc/Td1Tg7RQI6xtQlKITr7J2k8ASTElpzmkpCurhk80Bz0sIHdV1VxJqjbne0i0sxlspseq1N6IlILCmF9DNZIcgDoZVNWhsijv2+Mc7mFIaiF49FWMtP9jL4g4+kZ38Hd5SZbvV/JHygvokGfzo8QJDBw7JI3zz2Os62qquZbuUc4JhAUYEKfB0XszbrxLlRYZEem7X6fU5LklcgUZ4gFX3Vr3Dg8vNFjhZbaHErmhslXgPlJRcqtJ9YtqjJuYiBYXTUtAwuYKt8pFnnMhspS07XjuesP1UJRZ5b+4dS0VE/N1lhCHecvW/QAYoV3Jr3DMkyP72WMInZRaNPm3p6ujt/ksah68M=
Content-Type: multipart/alternative; boundary="_000_AM6PR08MB33185190928734FAFCEDFFCE9BD10AM6PR08MB3318eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB3702
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT050.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(136003)(346002)(396003)(39860400002)(376002)(46966005)(8676002)(52536014)(81156014)(55016002)(8936002)(54906003)(7696005)(6862004)(4326008)(70586007)(70206006)(47076004)(336012)(82740400003)(186003)(9686003)(5660300002)(86362001)(356005)(33656002)(81166007)(82310400002)(19627405001)(2906002)(26005)(53546011)(6506007)(478600001)(316002); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: ca6267c6-ce00-4852-b1e2-08d7e9c641f5
X-Forefront-PRVS: 03853D523D
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: ydb+9adxt+FNop3gLGg3ZKJ4d12JMpYmRBI/KkiHj3Q+duTsjqjue03DS2Y1D/CpJRDFRLn+SNd4f/tS4AMWfvgnNFSGGiu+uH1fOmy506hoyoIQfwVAq1pTV/MpEMctjY1wh6iTc138oxC+jVH004KEhbS8hd4vTqkAI71Jyhmx+NdES2RCtz6x6+3PGbubrGk0VTvRrZgmqWPEEj/uZfXOYLSFX6HGDFVO6xwyjZa6hQzb2toxfbHtc6WWRxpvho3HkF3nM47Z5ns7x8AfMufm8/jMMYCB56bJ5wqGuciTHBmxnEuL4oTOtmix/ekcAfSMzEgI30Q/H4rGIfxY0kIRQFHQnCU6QqWgStNLo5dlQnWG+f2EJwGYY0IcsEJhhuYGkVwTamGjCytZWX8QkT0Lnmu7iIQ8YvUsbk9R/9zTb5oT7Smb0KhlyzZxQnVvnwEMJbn3TYWO8Ka1MOQwJw7NOLVVXr5iayvA6gcDDFYtMt653JU6098CqA1lIv/H9XAu1+zw14X7kYO83UGTgw==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Apr 2020 09:43:29.1255 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b7f2b1f5-b235-4363-c3af-08d7e9c64678
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB3518
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kVh9cqtGGa89AvOiKev0KQZobCM>
Subject: Re: [TLS] Choice of Additional Data Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2020 09:43:36 -0000

Hi,

Thanks Chris for your thoughts.

Yes, it seems that specific formal analysis is needed, since we're dealing with the new
situation that - in contrast to TLS 1.3 - shortened or omitted fields in the DTLS 1.3 headers
(e.g. epoch, length, CID) introduce a notion of implicit context to a record which wasn't
present before. This requires analysis of the desired properties of this implicit context
and their implications on the protocol design.

For example, such a property might informally be that a party able to decrypt a record
must have correctly reconstructed the full implicit context of the record, such as the full
epoch when it was shortened in the header, the CID when it was omitted, or the length
when it was omitted. This seems most directly achieved by cryptographically binding this
context to the record through AAD, while protecting only the explicit context makes reasoning
that the party has the correct context either less straightforward (see the epoch example) or
impossible (current CID issue allowing to decrypt a record in a context with different CID).
To me it therefore still appears preferable to use a pseudo-header as the AAD.

Hopefully some more people from the protocol verification community
will join in here and give their thoughts.

Best,
Hanno
________________________________
From: chris - <chrispatton@gmail.com>
Sent: Saturday, April 25, 2020 6:58 PM
To: Hanno Becker <Hanno.Becker@arm.com>
Cc: Eric Rescorla <ekr@rtfm.com>; Hannes Tschofenig <Hannes.Tschofenig@arm.com>; tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Choice of Additional Data Computation


So far I fail to understand, on an intuitive level, why it easier to analyze the protocol when the AAD can take multiple forms potentially truncating or omitting the underlying data, but then I don't know the details and you're the expert here. If you have time though to explain a bit more where the flaw in my thinking below is, that would be great, provided it's possible.

I don't know that there's a flaw in your thinking. At the moment, all that I can speak to is how authenticating the header (or not) might impact security of DTLS. We can't directly extrapolate from what we know about TLS, because the security goal is not to the same. That said what I know about TLS is the following: the contents of the record header doesn't matter for security goal considered in [1], as long as (1) the header is authenticated; and (2) it correctly encodes the length of the next ciphertext. But since the security goal of DTLS is not the same, the details of the spec that are (ir)relevant to security are likely to differ.


For example, another thing which I would expect to be more complicated to verify in full rigor is epoch authentication: If the epoch is reduced to its two low order bits in the DTLS 1.3 header and thus (at the moment) also in the AAD, arguing that decryption can only succeed for the correctly expanded epoch involves knowing that all epochs having different keys. That's of course true but this fact wouldn't be needed if the full numeric epoch was always explicitly authenticated in the AAD. This isn't a real issue in the end, but I would expect it to be a nuisance in a formal proof?
In terms of what you mentioned regarding decoding details, it seems that adding the underlying logical header to the AAD ensures more directly that decryption can only succeed if header decoding (that is, filling in implicit data or expanding truncated data) was done correctly, whereas it is less clear with the truncated or omitted data in AAD, as in the epoch example above. Is it possible to explain what the flaw is here intuitively?

I'm afraid I would need to absorb spec and think about its intended security properties in order to answer these specific questions. I'm sorry if this answer is unhelpful; Ekr asked that I chime due to my prior work on TLS. But I don't think there's a simple answer here, and unfortunately I don't have the time to think it through at the moment.

For now, I'll just leave you with this. I'm a fan of the following design principle: whenever there is a branch in your code that depends on a bit read from the wire, that bit should be authenticated if possible. To your example, if a decision you're about to make depends on you agreeing with the peer on the current epoch, the principle says that the epoch had better be authenticated. Whether it's necessary or appropriate to do so here (via AEAD decryption) depends very much on the context, i.e., the protocol details and the security goal.


Chris P.


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email