Re: [TLS] Choice of Additional Data Computation

Achim Kraus <achimkraus@gmx.net> Fri, 24 April 2020 13:07 UTC

To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XJvZ4vPtsJ8iKkp1_xw5WvaHHiw>

Hi Hannes,
Hi list,

as input for the discussion:

https://github.com/tlswg/dtls-conn-id/issues/25

It is a longer "comment flow"; the conclusion was that the CID is on the
wire, so it's in the MAC.
(ekr: "authenticating the whole header is just good practice.")

My argument was that the CID is always included in the MAC, either
explicitly or implicitly (implicitly, because the CID selects the "mac-keys"
or "cipher-keys" and gets included equal to the address:port before).

best regards
Achim

On 24.04.20 at 13:04, Hannes Tschofenig wrote:
> Hi all,
>
> the thread on the AEAD computation in DTLS 1.3 and the construction of
> the additional data raised two interesting questions. I believe those
> would benefit from a formal analysis or at least a security investigation.
>
> Here are the questions:
>
>  1. Generic question: Should the construction of the additional data be
>     dependent on what is transmitted over the wire or should it be based
>     on a “pseudo header”? DTLS 1.2 uses a pseudo header and DTLS 1.3 the
>     data transmitted over the wire in the additional data calculation.
>  2. Specific question: Should the CID be included in the additional data
>     calculation, particularly for the case where it is only implicitly
>     sent? Asked differently, are there attacks possible?
>
> Your feedback would be appreciated to advance the discussion. I believe
> there is a chance to provide generic guidance for security protocol
> designers here.
>
> Ciao
>
> Hannes
>
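
The explicit and implicit CID binding discussed in this message, as an added example that is not part of the original thread or of any DTLS implementation. Assumptions: HMAC-SHA256 stands in for the record protection, the header layout is simplified rather than the DTLS encoding, and all names, keys and CIDs are constructed. It also covers a constructed case the message does not discuss, two CIDs resolving to the same key.

```python
import hashlib
import hmac
import struct

# Constructed sample values: two connection IDs and two receiver key tables.
CID_A, CID_B = b"\x01\xaa", b"\x02\xbb"
PER_CONNECTION = {CID_A: bytes(range(32)), CID_B: bytes(range(32, 64))}
SHARED = {CID_A: bytes(range(32)), CID_B: bytes(range(32))}  # hypothetical


def mac_input(cid, seq, payload, include_cid):
    """Bytes fed to the MAC (simplified layout, not the DTLS encoding)."""
    header = struct.pack("!QH", seq, len(payload))
    if include_cid:
        # Explicit binding: the CID itself is part of the authenticated data.
        header += bytes([len(cid)]) + cid
    return header + payload


def protect(keys, cid, seq, payload, include_cid):
    data = mac_input(cid, seq, payload, include_cid)
    tag = hmac.new(keys[cid], data, hashlib.sha256).digest()
    return {"cid": cid, "seq": seq, "payload": payload, "tag": tag}


def verify(keys, record, include_cid):
    # Implicit binding: the CID seen on the wire selects the key.
    key = keys.get(record["cid"])
    if key is None:
        return False
    data = mac_input(record["cid"], record["seq"], record["payload"],
                     include_cid)
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["tag"])


def cid_rewrite_rejected(keys, include_cid):
    """True if a record whose CID was changed in transit fails verification."""
    record = protect(keys, CID_A, 7, b"constructed payload", include_cid)
    if not verify(keys, record, include_cid):
        raise RuntimeError("untampered record must verify")
    tampered = dict(record, cid=CID_B)  # only the CID field is altered
    return not verify(keys, tampered, include_cid)


if __name__ == "__main__":
    for name, keys in (("per-connection", PER_CONNECTION), ("shared", SHARED)):
        for include_cid in (True, False):
            print(name, "CID in MAC input:", include_cid,
                  "rewrite rejected:", cid_rewrite_rejected(keys, include_cid))
```

With per-connection keys the altered CID is rejected either way; with the constructed shared-key table it is rejected only when the CID is part of the MAC input.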