Re: [TLS] Choice of Additional Data Computation
Eric Rescorla <ekr@rtfm.com> Fri, 24 April 2020 16:44 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAD863A0EED for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 09:44:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tlul16YvUKGr for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 09:44:43 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8034B3A0F60 for <tls@ietf.org>; Fri, 24 Apr 2020 09:44:42 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id y4so10627976ljn.7 for <tls@ietf.org>; Fri, 24 Apr 2020 09:44:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NVLSC6Syv4v/qvuKkC/2T/cV1cvanei0DVvychIqRxc=; b=0+k09gVeHiCqrxHbvWf4qwhNHcnPNxv2xDB2DM2s+5T5fOTD69zWb3dEoEKPHIqRYe F6yB/ksUTSYN46Vmj6AtHBH3Zcpu7xETxRNIm/NJ7h2l22S+74wBWaGS0x34BotzJwzG dHKQKRNOmgR8UNoT/QN/4/PaljmOPNwo1PMD1CoGgRDEjwoLwvE6+dpVgirA4KLPylJd mjADCTxyzaH/km8BhujbcSxwMGenztB8uXxI829ZbR/zqSvsPrOW5Qd9svOhRYFKeE9F QbJPGatJ6K1WdPcLoshPpdVSTRwVFFZhgyElBi3znVQLgrMVTKNSrUqE1FymIoOLHtP3 avdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NVLSC6Syv4v/qvuKkC/2T/cV1cvanei0DVvychIqRxc=; b=Fr+TA+p/9lpsL1c1/eGdSkj18ONdVuW76cH/xom9nkFxsn31vpNUCjAnc0WPv57sxp tjI/wL6Yl8eL1urJ/uflMbxCshsLwXAaSN1CLzj/e+aSDHf0vtHZ7tYPXzBsi8NQWPDz 1sVP+vHQ6MiWqiUFy60+2lGBvFqkt+0X0pnbsrYcnMvIy+/iKUm6M9SbK+CbVok7A3KQ XniegRSy3XAroI4txSJTUUgcOayAAZiLAiii0lCNHf8rLesjWbbNTb4jwlc2ebLdYC15 Q9nmTmivbPBcgMDVFL7x6P4OjaMuBwTg0nx+YT+C4rstOJT2g8IgBaFZLvgpWQg9a1aK SFqw==
X-Gm-Message-State: AGi0PuaSvsPFKfXw1eKsLZRyLIM1rSiL1Asw/WUpE1vfhCpTRYlouAck COBUtRT5Hi09N51jxGziLajm3Cqe4KBYCfvel0+4PA==
X-Google-Smtp-Source: APiQypICnWzXMAzFvy3+4rnx3gxW47Dm5K2Jz3NhgI17tMhfZmoSSmQXmfqNKB4OTxm9C34nA7pO2NHn+GCDQAl+F7w=
X-Received: by 2002:a2e:b0ee:: with SMTP id h14mr6686876ljl.35.1587746680769; Fri, 24 Apr 2020 09:44:40 -0700 (PDT)
MIME-Version: 1.0
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com> <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 24 Apr 2020 09:44:04 -0700
Message-ID: <CABcZeBOwK7m465LsbY3U+bHv0XA2rcGOTEBStTtTNkwAYvWeQA@mail.gmail.com>
To: Hanno Becker <Hanno.Becker@arm.com>
Cc: chris - <chrispatton@gmail.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6a40c05a40c14cd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cDmPhRVUC8TnZNx7_wl9I61Dvrc>
Subject: Re: [TLS] Choice of Additional Data Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 16:44:52 -0000
On Fri, Apr 24, 2020 at 9:20 AM Hanno Becker <Hanno.Becker@arm.com> wrote: > Hi Chris, > > Just a note on the comparison with TLS 1.3. > > > I'd like to point to some related work that could shed light on this > question. > > The decision for TLS 1.3 was to authenticate all data that is written to > the wire, > > It doesn't seem straightforward to extrapolate from that case since the > 'pseudo-header' > and on-the-wire header are the same here, as TLS 1.3 doesn't have any > header > data which is shortened or omitted on the wire. In DTLS 1.3, in contrast, > various > fields can be dropped or shortened, such as the length, sequence number, > CID. > I'm not sure if it's straightforward, but I would note that in TLS 1.3, we did *implicitly* authenticate the length because AEAD provides that, but nevertheless one of Chris's recommendations was to include it in the AAD. -Ekr > Best, > Hanno > ------------------------------ > *From:* TLS <tls-bounces@ietf.org> on behalf of chris - < > chrispatton@gmail.com> > *Sent:* Friday, April 24, 2020 4:56 PM > *To:* Hannes Tschofenig <Hannes.Tschofenig@arm.com> > *Cc:* tls@ietf.org <tls@ietf.org> > *Subject:* Re: [TLS] Choice of Additional Data Computation > > Hi all, > > > > 1. Generic question: Should the construction of the additional data be > > dependent on what is transmitted over the wire or should it be based > > on a "pseudo header"? DTLS 1.2 uses a pseudo header and DTLS 1.3 the > > data transmitted over the wire in the additional data calculation. > > I'd like to point to some related work that could shed light on this > question. The decision for TLS 1.3 was to authenticate all data that is > written to the wire, as this allows for proving the record layer secure [1] > in a strong model for secure channels [2]. However, the formal models of > [1,2] assume reliable transport (i.e., TCP): failure to deliver packets in > order is deemed an attack. Therefore, the definitions would need to be > changed in order to account for the case of DTLS. (I'm not sure if this has > been studied.) My hunch is that the same design pattern (i.e., > "authenticate everything on the wire") would be called for, but I've not > seen formal evidence either way. > > > > 2. Specific question: Should the CID be included in the additional data > > calculation, particularly for the case where it is only implicitly > > sent? Asked differently, are there attacks possible? > > Unfortunately I'm unfamiliar with the specific problem at hand, as I've > not been following DTLS' development. (I'm in the middle of writing my > thesis.) That said, I don't see a problem with having the AAD include > *both* the record heard *and* something else, like the CID. And it may > very well prevent an attack. > > > Chris P. > > [1] https://eprint.iacr.org/2018/634.pdf > [2] https://eprint.iacr.org/2017/1191.pdf > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Choice of Additional Data Computation Hannes Tschofenig
- Re: [TLS] Choice of Additional Data Computation Achim Kraus
- Re: [TLS] Choice of Additional Data Computation Hannes Tschofenig
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Thomas Fossati
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Thomas Fossati
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Martin Thomson
- Re: [TLS] Choice of Additional Data Computation Hannes Tschofenig
- Re: [TLS] Choice of Additional Data Computation Martin Thomson
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Felix Günther
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Felix Günther
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Felix Günther
- Re: [TLS] Choice of Additional Data Computation Felix Günther