Re: [TLS] Choice of Additional Data Computation
chris - <chrispatton@gmail.com> Fri, 24 April 2020 17:57 UTC
Return-Path: <chrispatton@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92D373A10D3 for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 10:57:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pT4sssiN6UVF for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 10:57:15 -0700 (PDT)
Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com [IPv6:2607:f8b0:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB9E13A0E61 for <tls@ietf.org>; Fri, 24 Apr 2020 10:57:15 -0700 (PDT)
Received: by mail-ot1-x32e.google.com with SMTP id j4so13888721otr.11 for <tls@ietf.org>; Fri, 24 Apr 2020 10:57:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sBHkNTox1wwJ4IZzgbwJaeF+zNd+iWaWMXZPqmHHK1k=; b=ja5oAUFLadGxZWP0oIvMkERFf1ngfIezS9kZBhSzTCFZ6GKQmc6zGVOe7JX0Ke/Gyp P99sIsbolZU3TXp3v9KFAs1l79u6h/bpSAO4bu8FiVoZEhHTsONbN6fZWpZ9zljBRKM2 wrHul0vkZADpYy8skYRd0c200a6OKcGHlvFvJXCkVKLD6aL9+lOl1jBeYwWzwfecrVLp AXkBSQnEIjLsuW0DS+OnOXqePlTt90npjAhNEKVn18xG/w/HUWi9Bb+oI6eqYAlI4M34 BwpHNJMEthpI3fwmKI39w/fNfHEngkamzmSsPkZywVoWZdIJMXqAbd7LOsqX0NMeW13R OjjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sBHkNTox1wwJ4IZzgbwJaeF+zNd+iWaWMXZPqmHHK1k=; b=VivSfCaWGCqISc/eh1cXeOrL8HMHm6Pqxk/BY9xR7J8XI0NvD/BcsDuxAkRt0rhhAd +HBN1VAh9vMU0THM208Dyde9kQeoC+gOLwYUY0SlfzEnWIiZQf0YTry1lroyMtxMHLZL JUvDLjAJv38qLv1I1tXyhJT8vMpZpLVWEv+EyBVRLeLTJMEzGVuplwvP4SK8UEpgpkAe RDI58MuOxqKHrWhqWy9ct4h7LRhq/DCSYQuxyF7pUo5NlLfnHmHam+MEwEOVzu+UzEfH G7iHwls+cbn1XxXvJWPrKfyT+ZcU6afxaBnm/1BKAUMuLMm2LnaQzWsKsAxA2q+LRA/m bZ8Q==
X-Gm-Message-State: AGi0Pubr+nZE3VxucbgCqZenmnxiJ/E4zJrKkcqCdoS8HMxClUfD6xt9 SN1skkyxM+sPtUGyjZkxrR22wYmCbICt33QpZXM=
X-Google-Smtp-Source: APiQypKU7KixYMl6d2KZfOeii5CojnWxSYnFbI3dBr1QQvhqpXcHdE5hEKW2MyoTec54KQ/yqaxLd5uu59LIkpDq2Tg=
X-Received: by 2002:aca:b2d6:: with SMTP id b205mr8136918oif.137.1587751034382; Fri, 24 Apr 2020 10:57:14 -0700 (PDT)
MIME-Version: 1.0
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com> <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBOwK7m465LsbY3U+bHv0XA2rcGOTEBStTtTNkwAYvWeQA@mail.gmail.com>
In-Reply-To: <CABcZeBOwK7m465LsbY3U+bHv0XA2rcGOTEBStTtTNkwAYvWeQA@mail.gmail.com>
From: chris - <chrispatton@gmail.com>
Date: Fri, 24 Apr 2020 13:57:03 -0400
Message-ID: <CACLV2m5Md2+Ffc978ZJ+BeZwRgcXTV3xE0vXzmvNgnot_c71xQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Hanno Becker <Hanno.Becker@arm.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000065760d05a40d18b3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Z-8BPhPDkYoYpIfaq3hyzxBl4Zc>
Subject: Re: [TLS] Choice of Additional Data Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 17:57:18 -0000
> It doesn't seem straightforward to extrapolate from that case since the > 'pseudo-header' > and on-the-wire header are the same here, as TLS 1.3 doesn't have any > header > data which is shortened or omitted on the wire. In DTLS 1.3, in contrast, > various > fields can be dropped or shortened, such as the length, sequence number, > CID. > It's certainly true that we can't extrapolate the security of DTLS from the existing proof for TLS. In the first place, the threat model is different because in DTLS we need to tolerate dropped/out-of-order packets. Nevertheless, I think the general principle of "authenticate all the bits" is the right way to go here, unless there's a compelling reason not to. In the case of TLS 1.3, authenticating the entire header (including the length, opaque type, and legacy record version) allowed us to effectively ignore most of the header details in the security proof [1]: all we cared about is that the header correctly encodes the length of the next ciphertext to decrypt. We might be able to provide a similar argument for DTLS 1.3. In particular, I'm betting that it doesn't matter what the contents of the header are or how long it is, so long as (a) the entire header is part of the AAD and (b) it correctly encodes the length of the next ciphertext. I might be missing something, however. In any case, new definitions are needed (if they don't already exist) and so too a fresh proof. Chris P. [1] https://eprint.iacr.org/2018/634.pdf
- [TLS] Choice of Additional Data Computation Hannes Tschofenig
- Re: [TLS] Choice of Additional Data Computation Achim Kraus
- Re: [TLS] Choice of Additional Data Computation Hannes Tschofenig
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Thomas Fossati
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Thomas Fossati
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Martin Thomson
- Re: [TLS] Choice of Additional Data Computation Hannes Tschofenig
- Re: [TLS] Choice of Additional Data Computation Martin Thomson
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Felix Günther
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Felix Günther
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Felix Günther
- Re: [TLS] Choice of Additional Data Computation Felix Günther