IETF Logo Mail Archive

Re: [TLS] Choice of Additional Data Computation

Eric Rescorla <ekr@rtfm.com> Fri, 24 April 2020 16:44 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAD863A0EED for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 09:44:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tlul16YvUKGr for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 09:44:43 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8034B3A0F60 for <tls@ietf.org>; Fri, 24 Apr 2020 09:44:42 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id y4so10627976ljn.7 for <tls@ietf.org>; Fri, 24 Apr 2020 09:44:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NVLSC6Syv4v/qvuKkC/2T/cV1cvanei0DVvychIqRxc=; b=0+k09gVeHiCqrxHbvWf4qwhNHcnPNxv2xDB2DM2s+5T5fOTD69zWb3dEoEKPHIqRYe F6yB/ksUTSYN46Vmj6AtHBH3Zcpu7xETxRNIm/NJ7h2l22S+74wBWaGS0x34BotzJwzG dHKQKRNOmgR8UNoT/QN/4/PaljmOPNwo1PMD1CoGgRDEjwoLwvE6+dpVgirA4KLPylJd mjADCTxyzaH/km8BhujbcSxwMGenztB8uXxI829ZbR/zqSvsPrOW5Qd9svOhRYFKeE9F QbJPGatJ6K1WdPcLoshPpdVSTRwVFFZhgyElBi3znVQLgrMVTKNSrUqE1FymIoOLHtP3 avdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NVLSC6Syv4v/qvuKkC/2T/cV1cvanei0DVvychIqRxc=; b=Fr+TA+p/9lpsL1c1/eGdSkj18ONdVuW76cH/xom9nkFxsn31vpNUCjAnc0WPv57sxp tjI/wL6Yl8eL1urJ/uflMbxCshsLwXAaSN1CLzj/e+aSDHf0vtHZ7tYPXzBsi8NQWPDz 1sVP+vHQ6MiWqiUFy60+2lGBvFqkt+0X0pnbsrYcnMvIy+/iKUm6M9SbK+CbVok7A3KQ XniegRSy3XAroI4txSJTUUgcOayAAZiLAiii0lCNHf8rLesjWbbNTb4jwlc2ebLdYC15 Q9nmTmivbPBcgMDVFL7x6P4OjaMuBwTg0nx+YT+C4rstOJT2g8IgBaFZLvgpWQg9a1aK SFqw==
X-Gm-Message-State: AGi0PuaSvsPFKfXw1eKsLZRyLIM1rSiL1Asw/WUpE1vfhCpTRYlouAck COBUtRT5Hi09N51jxGziLajm3Cqe4KBYCfvel0+4PA==
X-Google-Smtp-Source: APiQypICnWzXMAzFvy3+4rnx3gxW47Dm5K2Jz3NhgI17tMhfZmoSSmQXmfqNKB4OTxm9C34nA7pO2NHn+GCDQAl+F7w=
X-Received: by 2002:a2e:b0ee:: with SMTP id h14mr6686876ljl.35.1587746680769; Fri, 24 Apr 2020 09:44:40 -0700 (PDT)
MIME-Version: 1.0
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com> <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 24 Apr 2020 09:44:04 -0700
Message-ID: <CABcZeBOwK7m465LsbY3U+bHv0XA2rcGOTEBStTtTNkwAYvWeQA@mail.gmail.com>
To: Hanno Becker <Hanno.Becker@arm.com>
Cc: chris - <chrispatton@gmail.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6a40c05a40c14cd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cDmPhRVUC8TnZNx7_wl9I61Dvrc>
Subject: Re: [TLS] Choice of Additional Data Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 16:44:52 -0000

On Fri, Apr 24, 2020 at 9:20 AM Hanno Becker <Hanno.Becker@arm.com> wrote:

> Hi Chris,
>
> Just a note on the comparison with TLS 1.3.
>
> > I'd like to point to some related work that could shed light on this
> question.
> > The decision for TLS 1.3 was to authenticate all data that is written to
> the wire,
>
> It doesn't seem straightforward to extrapolate from that case since the
> 'pseudo-header'
> and on-the-wire header are the same here, as TLS 1.3 doesn't have any
> header
> data which is shortened or omitted on the wire. In DTLS 1.3, in contrast,
> various
> fields can be dropped or shortened, such as the length, sequence number,
> CID.
>

I'm not sure if it's straightforward, but I would note that in TLS 1.3, we
did *implicitly* authenticate the length because AEAD provides that, but
nevertheless one of Chris's recommendations was to include it in the AAD.

-Ekr


> Best,
> Hanno
> ------------------------------
> *From:* TLS <tls-bounces@ietf.org> on behalf of chris - <
> chrispatton@gmail.com>
> *Sent:* Friday, April 24, 2020 4:56 PM
> *To:* Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> *Cc:* tls@ietf.org <tls@ietf.org>
> *Subject:* Re: [TLS] Choice of Additional Data Computation
>
> Hi all,
>
>
> >  1. Generic question: Should the construction of the additional data be
> >     dependent on what is transmitted over the wire or should it be based
> >     on a "pseudo header"? DTLS 1.2 uses a pseudo header and DTLS 1.3 the
> >     data transmitted over the wire in the additional data calculation.
>
> I'd like to point to some related work that could shed light on this
> question. The decision for TLS 1.3 was to authenticate all data that is
> written to the wire, as this allows for proving the record layer secure [1]
> in a strong model for secure channels [2]. However, the formal models of
> [1,2] assume reliable transport (i.e., TCP): failure to deliver packets in
> order is deemed an attack. Therefore, the definitions would need to be
> changed in order to account for the case of DTLS. (I'm not sure if this has
> been studied.) My hunch is that the same design pattern (i.e.,
> "authenticate everything on the wire") would be called for, but I've not
> seen formal evidence either way.
>
>
> >  2. Specific question: Should the CID be included in the additional data
> >     calculation, particularly for the case where it is only implicitly
> >     sent? Asked differently, are there attacks possible?
>
> Unfortunately I'm unfamiliar with the specific problem at hand, as I've
> not been following DTLS' development. (I'm in the middle of writing my
> thesis.) That said, I don't see a problem with having the AAD include
> *both* the record heard  *and*  something else, like the CID. And it may
> very well prevent an attack.
>
>
> Chris P.
>
> [1] https://eprint.iacr.org/2018/634.pdf
> [2] https://eprint.iacr.org/2017/1191.pdf
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email