Re: [TLS] DTLS 1.3 AEAD additional data
Eric Rescorla <ekr@rtfm.com> Wed, 22 April 2020 14:47 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B0F93A0DE2 for <tls@ietfa.amsl.com>; Wed, 22 Apr 2020 07:47:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5-USASerfJpo for <tls@ietfa.amsl.com>; Wed, 22 Apr 2020 07:47:49 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F6323A0DDC for <tls@ietf.org>; Wed, 22 Apr 2020 07:47:48 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id 198so1896330lfo.7 for <tls@ietf.org>; Wed, 22 Apr 2020 07:47:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7A5YeVQze+TH2xkZPjF893Ye08jdgV4GyLsOyS4zcgs=; b=zoQhNu5WuWePfFZRPNOuCUzCO8bK7RbfzGV+JuhmPMfA7U586zspA+msIvCl8VT47e MrQOsv9/QyuwbBCjMrjlyMw26DJJEujTQ5SeflZOBsFHETQRbhBEBjmZpm40B04FGMRE iohvk5Gn+bFy2ut/dWY7EDwxBERFwggmRgbPERojb/hcF9AT2QmZGkuZpKSrLx9eNkex 3ugXUo1MVLdloFQppQLG2BvfM3ZJjyQ3Pc0fS1C+mjLR++mQTKMMaGeQybQYM+nFYrlX ZwE+NrwCqqS1cmVVUzJie1+/5RlWfUhGIVa1FCXHwdVbMrRgHQplOjldAI/TihG1PjI0 82Hw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7A5YeVQze+TH2xkZPjF893Ye08jdgV4GyLsOyS4zcgs=; b=ehm3quLR2s+KDYue/7r0Cu/mP9McjnZ5PGuQikylU4/hHIeFz9rarSuB6pI+/q71qD pBxz26c+1FiV2x3IxHhLx6WLhAiXkNF5A123XO6+o/i1WQa3uzkcQWN4XHl7wMlHlV5/ jScOkBNsUIHuDFc7w6+/GxmHqJ5YlZVwcPv3zC+8VMyLD1KioXX+7MMjSwLvBZ0YXqW+ +hUOdRpc8oTqgOvB04v45zvvWoFjcMRavldB+lBxaYwTSal+oQNoGgAiVIinkOdwK4cT rH6LzktY19rDO79tHMD1G9ioBFZIStse1grW/UzFkCxekBH46pmt6NuZPOkCfE2zK1j1 fo2g==
X-Gm-Message-State: AGi0Puae/eat/2HtdEzIH7b6nFF3qSZ697lwMULy8DcD7kdgikHqXCxO lru/GF6xkZtRpKcM3+qj4B8wvGyljhVW/zwZSSDpSw==
X-Google-Smtp-Source: APiQypJ9lTO3dHqjnG1L/Xm6aCDSs3ELN2Vj3zIc+P/Dn1j+HJitXo/ZBX78lKYOJJqbuU8b8K4xPEFiSvonD0kKRpY=
X-Received: by 2002:a19:f806:: with SMTP id a6mr17409850lff.201.1587566866717; Wed, 22 Apr 2020 07:47:46 -0700 (PDT)
MIME-Version: 1.0
References: <AM6PR08MB3318911C71C0DDB90480694A9BD50@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBMs+o4BU5VhqJKmQvnkEe9RkQXRv7Ej6pVD1-e1vdMoyA@mail.gmail.com> <CABcZeBM9Ri=Rz5kbWn08Vk-Y14MVSALwB1Bd9QV=HfWoq3XqSA@mail.gmail.com> <AM6PR08MB33184161239B6383EA7D776C9BD20@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBM4wVkH_pdTZMakyV9Y=tk8PNDknHTFhjwX-sw3GOOaZw@mail.gmail.com> <AM6PR08MB3318D6A11587449627F6EA679BD20@AM6PR08MB3318.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB3318D6A11587449627F6EA679BD20@AM6PR08MB3318.eurprd08.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 22 Apr 2020 07:47:10 -0700
Message-ID: <CABcZeBNcODKehe217nr2jSedy6N6Gun+QYcksFp2Oqv6gLrzzw@mail.gmail.com>
To: Hanno Becker <Hanno.Becker@arm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000025ef9a05a3e237eb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WPZrEs0rGFPpd_yYak2ol9aAyAU>
Subject: Re: [TLS] DTLS 1.3 AEAD additional data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 14:47:53 -0000
On Wed, Apr 22, 2020 at 7:31 AM Hanno Becker <Hanno.Becker@arm.com> wrote: > > Considering the effort spent on shaving off bytes in the DTLS header, > > I think re-introducing the explicit CID should be avoided. It seems > > perfectly acceptable to me to have implicit header data which is > > protected via AAD. > > > This is only relevant if there is a common useful case in which you would > need to put multiple > DTLS records in the same datagram. Are you aware of such a case? > > > I can see the following uses: > 1) Replying to KeyUpdate with Ack;;KeyUpdate, or replying to > RequestConnectionID with Ack;;NewConnectionId > 2) Sending multiple (short) app records if the application protocol > doesn't provide its own framing. > Neither of these seem particularly compelling to me. The first happens very infrequently, and I'm not really aware of a lot of cases of the second. > > 1. Cryptographically protect it as in > https://github.com/tlswg/dtls13-spec/pull/143 > > > This seems to be a mixture of logical and on-the-wire representation, which > > moreover duplicates the CID in case it is explicitly present in the header. > > > Yes, so? > > > Isn't this less efficient > Trivially. and undoes the arguable benefit of the current solution that there's > no need to piece together an AAD buffer manually, because now you'd have > to? > I don't recall making that argument. -Ekr > Best, > Hanno > > > Looking forward to hearing other WG member's views, > Hanno > ------------------------------ > *From:* Eric Rescorla <ekr@rtfm.com> > *Sent:* Wednesday, April 22, 2020 2:23 AM > *To:* Hanno Becker <Hanno.Becker@arm.com> > *Cc:* tls@ietf.org <tls@ietf.org> > *Subject:* Re: [TLS] DTLS 1.3 AEAD additional data > > I think there are two potential resolutions to your CID issue: > > 1. Cryptographically protect it as in > https://github.com/tlswg/dtls13-spec/pull/143 > 2. Forbid implicit CIDs (my preference) see: > https://github.com/tlswg/dtls13-spec/issues/144 > > Would like to hear what others in the WG think. > > -Ekr > > > On Tue, Apr 21, 2020 at 10:59 AM Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Tue, Apr 21, 2020 at 8:39 AM Hanno Becker <Hanno.Becker@arm.com> wrote: > > Hi all, > > To my understanding, DTLS 1.3 defines AEAD additional data for record > protection > as the record header as seen on the wire. Quoting Draft 37, Section 4: > > ``` > The entire header value shown in Figure 4 (but prior to record number > encryption) is used as as the additional data value for the AEAD > function. For instance, if the minimal variant is used, the AAD is 2 > octets long. Note that this design is different from the additional > data calculation for DTLS 1.2 and for DTLS 1.2 with Connection ID. > ``` > > I would like to suggest that DTLS 1.3 uses a structured representation > of the record header instead, as do all other versions of [D]TLS as > far as I understand. > > > I am not in favor of this change as proposed. I think it is better to > protect the data that is actually on the wire than to allow for changes in > the on-the-wire representation that are not reflected in the integrity > check. > > > The reasons for this are as follows, in decreasing order of > my perception of importance: > > - Omission of Connection ID > > Regarding the presence of Connection IDs in multiple records within > a single datagram, Draft 37 says: > > ``` > Implementations which send multiple records in the same datagram > SHOULD omit the connection id from all but the first record; > receiving implementations MUST assume that any subsequent records > without connection IDs belong to the same assocatiation. > ``` > > This means that the Connection ID for non-initial records in a > datagram containing multiple records is _not_ part of the AEAD > additional data for those records, which seems wrong. Concretely, > one could inject such non-initial records into other datagrams > using different CIDs, and the record protection wouldn't notice it. > > > This seems like a reasonable point, though it's not clear to me that there > is an actual problem here. I'd be in favor of explicitly including the CID > in the AD as well as the header. > > > > One might argue that CID shouldn't be part of the AEAD in the first > place, but in any case, I believe the treatment should be uniform > and not distinguish between initial and non-initial records in > a datagram. > > > We're not distinguishing it. The AD is protecting the record on the wire. > > > - Modularity > > Decoupling the wire-presentation of the record header from > record protection allows to implement record protection and > the choice of record header independently: One piece of > the implementation can take care of record protection - > using the structured presentation of the record header - while > another takes care of the wire-encoding. It is even possible > to change the record header format in transit. > > > This seems like a defect, not a feature. > > > - Simplicity > > At first it seems that using the record header as an > unstructured binary blob for AEAD makes things simpler, > but I don't think this is the case: Prior to record > decryption, the record sequence number needs to be > decrypted, and for that purpose, the record header already > has to be parsed. Hence, at the time of record decryption, > the record header is already be present a modified, structured > form, and retaining the corresponding modified binary form > appears to create additional complexity which would be > avoided if record protection would use the structured > header presentation. > > > I've implemented this for QUIC (I can't remember who at Mozilla did it for > DTLS) and it's not particularly difficult. > > > - Uniformity with other [D]TLS versions > > > I don't find this argument at all persuasive. To the contrary: we should > break with DTLS 1.2 in any case where it's an improvement and not too > onerous. > > -Ekr > > > > > Let me know what you think, > > Best, > Hanno > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. >
- [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Martin Thomson
- Re: [TLS] DTLS 1.3 AEAD additional data Christopher Wood
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Martin Thomson
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Martin Thomson
- Re: [TLS] DTLS 1.3 AEAD additional data Hanno Becker
- Re: [TLS] DTLS 1.3 AEAD additional data Martin Thomson
- Re: [TLS] DTLS 1.3 AEAD additional data Thomas Fossati
- Re: [TLS] DTLS 1.3 AEAD additional data Eric Rescorla
- Re: [TLS] DTLS 1.3 AEAD additional data Christopher Wood
- Re: [TLS] DTLS 1.3 AEAD additional data Thomas Fossati
- Re: [TLS] DTLS 1.3 AEAD additional data Thomas Fossati
- Re: [TLS] DTLS 1.3 AEAD additional data Thomas Fossati
- Re: [TLS] DTLS 1.3 AEAD additional data Christopher Wood
- Re: [TLS] DTLS 1.3 AEAD additional data Thomas Fossati