IETF Logo Mail Archive

[TLS] Attack description ... was RE: DTLS 1.3 AEAD additional data

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 24 April 2020 08:31 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D3293A0FCD for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 01:31:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=n0zhmuO+; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=n0zhmuO+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SaMQAXHnOVai for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 01:31:45 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40085.outbound.protection.outlook.com [40.107.4.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E88F43A0FC5 for <tls@ietf.org>; Fri, 24 Apr 2020 01:31:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bo8V5HCw8f9Ue5f4zi1pnMAiOnske9UZYmYSCoKZdow=; b=n0zhmuO+47kjSD5PdCs4oUmeAdUAJk7GsMV6NtHkZVltP4KNXusqV/TwDQkt/JW1NaQXzRo4G23FOc4EH3LxE9XUSu3vxdnOuX/BAw/yFStYCubMftgfU98tPZhQgEzhexymVNJYeth/Ipv4kknKG9LgDYe5ekKHgqeDRSzCKGQ=
Received: from AM6P194CA0001.EURP194.PROD.OUTLOOK.COM (2603:10a6:209:90::14) by VI1PR08MB3757.eurprd08.prod.outlook.com (2603:10a6:803:b5::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2921.25; Fri, 24 Apr 2020 08:31:38 +0000
Received: from AM5EUR03FT021.eop-EUR03.prod.protection.outlook.com (2603:10a6:209:90:cafe::5d) by AM6P194CA0001.outlook.office365.com (2603:10a6:209:90::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13 via Frontend Transport; Fri, 24 Apr 2020 08:31:38 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT021.mail.protection.outlook.com (10.152.16.105) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.19 via Frontend Transport; Fri, 24 Apr 2020 08:31:38 +0000
Received: ("Tessian outbound cbb03e3a1db0:v53"); Fri, 24 Apr 2020 08:31:38 +0000
X-CR-MTA-TID: 64aa7808
Received: from 2594576b912e.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id F7267266-4638-4953-B6C1-41AE332D0A9E.1; Fri, 24 Apr 2020 08:31:33 +0000
Received: from EUR02-VE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 2594576b912e.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Fri, 24 Apr 2020 08:31:33 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mOPbc+dkMGrhaVULOm8Klu/qG/c2ZwdjUpfuKcP9fODHKE3LFNH92MML0flFEqQ6ems0Z5aCeoWYFwZjM3TWZJTwLGrRf2X+Lq1pjRAuy4nJLURPR/XrOMFryhXeiAxvVB1EdtmbDKY2NyChPuY4HOMmwHKGLJAnFXNJsV9kNPkyIL+MQAs/0e6mXbAJv/yJ4v8978wYD+d+DynsWye/NCU9UpTwhg8QBwPZxhYLYd9MVRCTM4Hsz6CniE/Sr3Wy2LuCVyGZQjKyeV6DSgGgZtGrM15AxumbL3CG8spjuwuJ8TUtvv4ZziHku5od8D0i2J6QKadOgZc77cT7Iy1WIQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bo8V5HCw8f9Ue5f4zi1pnMAiOnske9UZYmYSCoKZdow=; b=GalS6hR4AMX332UY+AVKB0tpQB/r5h795rQvUz8Hf/XUCVA+kYEqxzXFm+SZz5Co+pTUWl+qCqGnDWBNSTfP687pDQakZr8z6mvbYW9ucf6xYF5PxKTCxO4/O/ZlHbhjLFsM5+khRcekr5WvW7ewDi1cXLPAaIKfNmJnQx14WN+KNKjW9QooIY1InXwdZCGCHonPDUYXCWyKa5PDhbsluHQ5ImDm2Yd1v9TsE6O3pO3MjePrOg/r8PdA7Dqmpvd41FM6QgrrR4ySdTPG2GVC47kk8je/CvaLstmoG4GotlxfQsjnV0rGoQRXCHYCU2CpeaJjwtezgxw49514mjop4w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bo8V5HCw8f9Ue5f4zi1pnMAiOnske9UZYmYSCoKZdow=; b=n0zhmuO+47kjSD5PdCs4oUmeAdUAJk7GsMV6NtHkZVltP4KNXusqV/TwDQkt/JW1NaQXzRo4G23FOc4EH3LxE9XUSu3vxdnOuX/BAw/yFStYCubMftgfU98tPZhQgEzhexymVNJYeth/Ipv4kknKG9LgDYe5ekKHgqeDRSzCKGQ=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM0PR08MB3539.eurprd08.prod.outlook.com (2603:10a6:208:e2::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.22; Fri, 24 Apr 2020 08:31:29 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::f501:c93e:1c20:8bee]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::f501:c93e:1c20:8bee%6]) with mapi id 15.20.2937.012; Fri, 24 Apr 2020 08:31:29 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Attack description ... was RE: [TLS] DTLS 1.3 AEAD additional data
Thread-Index: AdYaEN5kUL952VkXRUaptIdjWQF8VA==
Date: Fri, 24 Apr 2020 08:31:29 +0000
Message-ID: <AM0PR08MB3716173B73ABE156C5E22B08FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: a9970946-5d80-431c-b72a-72c46374ead8.0
x-checkrecipientchecked: true
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.118.138]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 1c960929-e035-4108-493e-08d7e829e818
x-ms-traffictypediagnostic: AM0PR08MB3539:|VI1PR08MB3757:
X-Microsoft-Antispam-PRVS: <VI1PR08MB375792B068450773A199F2CEFAD00@VI1PR08MB3757.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 03838E948C
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(136003)(396003)(366004)(39860400002)(346002)(81156014)(110136005)(316002)(2906002)(5660300002)(66946007)(64756008)(66556008)(66476007)(66446008)(7696005)(8676002)(8936002)(71200400001)(186003)(86362001)(966005)(76116006)(478600001)(30864003)(33656002)(52536014)(55016002)(9686003)(53546011)(26005)(6506007); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: Pp/zYdoTzKaDF+IX/vMxZrXycFiK7lgR3hdZgiRCnyVthwtGyRIpxay5bnGbvJzsjIJqJUCv0WAVn7NO60HmzO0n8NYopzlqQb0zSZY4eBDWEPzCQCQQS3quSSAiCFvmlgwPD39lG50dOafdeHTlV3Xuc0WcugSCmqWCUrf3pdHm3IbwYYx3y80XcgdjzhmxKR/vKRm/9xM8G3dDWAeGUl/OJnAqVT5BU+CthegQQtNLQ0YwsnO+NBDp4X/yX3TuiXrDE6oaWWgZiFkk+I9OQv1fh0/xMv2d4AN9tNfqcxTP6dGBSJYyQORSI8brfpf4rGTSHhRWFFEFABz8olenWailDcrjWPa3YYFS0Os5y4DHEHAnUzADyhSqYl+pISv+H+Njc06Bc3ScuGT82DKXdJqsGnjChVYdMHaxHRjAGSv1avoaCMlM6WES6BS1gWHOh2Ui6ussRN2FQRuECDAc3RxN2xzHtLziBfj1bfweh/JXEXa2bUMJ4My6puQ9s/8V9UFBFoW5GxavoU2gGV4pwA==
x-ms-exchange-antispam-messagedata: rO1zMY3eM1COkvmhmgy+pNSpfbwtOWuzlvtFU+1HNPEUAqKn6VtEuvvdXmQf0f06DwfkOxSwVCy1hkZDA1Ae2odc+RraZFR7PTF2YHKxLeU23mRbc8QSHyF/FOsRwgwGoBo/b3jTL/Dv3G1E56M8Sw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB3539
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT021.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(136003)(376002)(346002)(396003)(39860400002)(46966005)(55016002)(86362001)(26005)(52536014)(70206006)(9686003)(33656002)(81156014)(186003)(336012)(8936002)(966005)(47076004)(5660300002)(356005)(81166007)(82310400002)(70586007)(36906005)(2906002)(7696005)(53546011)(30864003)(82740400003)(316002)(478600001)(8676002)(6506007)(110136005); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 7df5115d-5b0e-4242-dcb5-08d7e829e321
X-Forefront-PRVS: 03838E948C
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: bH3jPuu+8oEFO5qyT1WY1XvTAa3Kt5n1gyrJ3IZQKyCsiFt49Wgn2kv0oV3fvB/68+sCYH4PjOLA5fBRT32JonGD9tVFJsGFbuWj4vme9x73fyOJpToVW+AHAcLyTtwHP1p5Gbc6wmeiNPG2JskeKHdt96ZLarKQb/I3YjQEml5rFDU1qlFvSPHDIpupENSI6uXy7kvK+A8K6g7LMOXyRARi1XjFAUR4U0DyRhOAqK56Q6RTKy02ugiMt7NksRpUJ21cZFdTUoe2hGYxXzLizhJQ9af8Bp4rqOS6yZFwEbJTuuySjA/78yp07PnGA9hW40HfvLMCaE9lGmNdCC5pNiY25DZJMTmoXIoX0e4o+2mUtZo+rUiHBi2gx8n9OlxQR9yNeWGmPVlcgSpzFlQNNXt9nAoUtBFA2SyP6w4bu9/QeEzEWcvtr6qJfC/7uByfEoAqCEKE8kqbVtft9ZFxv9LgcPMAQiqmtwOjiIWuzmc7Ale9Aa+S607CnVNbrAiv2pJty9tkjoSoBCqMLPJcXl2vAOncM2SWHm+FUh+UJMtqPGVg34uC/Nw6InnfA7eSNsUftmXr5nzZwpi1C5EKug==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Apr 2020 08:31:38.0663 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 1c960929-e035-4108-493e-08d7e829e818
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB3757
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3cMUXayEbw9pmfKW8NBCg267rVw>
Subject: [TLS] Attack description ... was RE: DTLS 1.3 AEAD additional data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 08:31:48 -0000

Hi Martin,

I have a few questions regarding the attack you mentioned below.
I would like to understand whether it relates to the topic of how the additional data is constructed and what is included.

> Say that a connection spans two network paths.  CID A is used on path A; CID B is used on path B.
I guess you are considering a scenario where a device, of the lifetime of the communication with another peer, changes from CID A to CID B.
Is this correct?

> Let's assume that you need a connection ID to route (otherwise, why bother), but that the first record in each datagram is all that is needed for that purpose.
What do you mean by "route" here? The CID was primarily introduced to allow the receiving party to correctly find the correct security context to verify and decrypt the packet.

> If an endpoint sends a datagram on path A that contains two records where the second record omits the connection ID, then an attacker can strip that second record out and copy it into a datagram sent on path B.  With the current design, the receiver accepts that packet and maybe leaks some signal to the attacker that CID A and CID B really are the same connection.

If you copy the record that does not contain the CID and send it to the peer independently then with the current text in the spec the packet will be dropped.


Ciao
Hannes

-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Martin Thomson
Sent: Thursday, April 23, 2020 1:54 AM
To: tls@ietf.org
Subject: Re: [TLS] DTLS 1.3 AEAD additional data

I prefer Ekr's solution, but I would go with that being a recommendation (SHOULD) as opposed to a requirement (MUST).

I was initially inclined toward doing nothing at all, but there is an attack of sorts that is worth avoiding here.

Say that a connection spans two network paths.  CID A is used on path A; CID B is used on path B.  Let's assume that you need a connection ID to route (otherwise, why bother), but that the first record in each datagram is all that is needed for that purpose.

The linkabliity confirmation attack allows an attacker that hypothesizes a correlation between CID A and CID Bto confirm that hypothesis.  It relies on side channel leakage from endpoints, but as this only involves measuring application reactions, I'm going to assume that it is feasible to extract some signal.

If an endpoint sends a datagram on path A that contains two records where the second record omits the connection ID, then an attacker can strip that second record out and copy it into a datagram sent on path B.  With the current design, the receiver accepts that packet and maybe leaks some signal to the attacker that CID A and CID B really are the same connection.  With Hanno's proposed fix, the receiver of that record will guess incorrectly that the datagram is bad and drop it, providing no signal about the relationship between the two CIDs.

But Hanno's proposal is a terrible thing to have to implement.  You have to assume that there is some way to recover which CID to use in decrypting any record.  You might save some datagram-local state, but that's awkward.  Stacks that I've worked on try very hard not to have state transmission between records for good reasons.  So this would be a fairly bad complication.  Separately, I hope that no one would be contemplating trial decryption for this, which would be terrible.

So I'm inclined toward cautioning against omitting the connection ID when one is used.

DTLS 1.3 already has fairly lightweight requirements around how linkability is avoided.  Activity on new paths does not strictly require the use of a different CID, it's just a recommendation. Allowing endpoints to omit a CID is consistent with that, even if we don't recommend that.  However, we do need to be careful to explain this risk so that people are aware of the consequences of omission.

I would also point out that we attempt to avoid creating correlators so that attackers can't create hypotheses about linkability.  Allowing confirmation of a hypothesis is not that bad when the existence of the hypothesis is itself what we are trying to avoid.  Given the relative cost of performing this attack to other means of confirming the hypothesis - dropping packets and observing the response would be much easier in many cases - I don't think that this warrants a strong response.

Cheers,
Martin

On Thu, Apr 23, 2020, at 02:23, Hanno Becker wrote:
>  Hi Ekr,
>
>  I still don't yet understand which concrete problems you see with the
> proposed solution. In particular, as mentioned in the last mail, I
> don't think there is a contradiction with any design choice for TLS
> 1.3 - in contrast, decoupling record header compression from record
> protection aligns with how cTLS proposes to compress TLS 1.3 without
> affecting any cryptographic computations and hence hopefully easing
> carrying over the security analysis of TLS 1.3. This decoupling
> doesn't hold for the current DTLS 1.3 draft, and we seem to agree that
> in the case of CIDs, it has already led to one missing cryptographic
> binding.
>
> Anyway, let's wait for more opinions.
>
>  Best,
>  Hanno
>
> *From:* Eric Rescorla <ekr@rtfm.com>
> *Sent:* Wednesday, April 22, 2020 3:47 PM
> *To:* Hanno Becker <Hanno.Becker@arm.com>
> *Cc:* tls@ietf.org <tls@ietf.org>
> *Subject:* Re: [TLS] DTLS 1.3 AEAD additional data
>
>
> On Wed, Apr 22, 2020 at 7:31 AM Hanno Becker <Hanno.Becker@arm.com> wrote:
> >
> >>> Considering the effort spent on shaving off bytes in the DTLS
> >>> header, I think re-introducing the explicit CID should be avoided.
> >>> It seems perfectly acceptable to me to have implicit header data
> >>> which is protected via AAD.
> >>
> >> This is only relevant if there is a common useful case in which you
> >> would need to put multiple DTLS records in the same datagram. Are you aware of such a case?
> >
> > I can see the following uses:
> > 1) Replying to KeyUpdate with Ack;;KeyUpdate, or replying to
> > RequestConnectionID with Ack;;NewConnectionId
> > 2) Sending multiple (short) app records if the application protocol doesn't provide its own framing.
>
> Neither of these seem particularly compelling to me. The first happens
> very infrequently, and I'm not really aware of a lot of cases of the
> second.
>
>
> >
> >>> > 1. Cryptographically protect it as in
> >>> > https://github.com/tlswg/dtls13-spec/pull/143
> >>>
> >>> This seems to be a mixture of logical and on-the-wire
> >>> representation, which moreover duplicates the CID in case it is explicitly present in the header.
> >>
> >> Yes, so?
> >
> > Isn't this less efficient
>
> Trivially.
>
>
> > and undoes the arguable benefit of the current solution that there's
> > no need to piece together an AAD buffer manually, because now you'd have to?
>
>  I don't recall making that argument.
>
> -Ekr
>
> >
> > Best,
> > Hanno
> >
> >
> >> Looking forward to hearing other WG member's views, Hanno
> >> *From:* Eric Rescorla <ekr@rtfm.com>
> >> *Sent:* Wednesday, April 22, 2020 2:23 AM
> >> *To:* Hanno Becker <Hanno.Becker@arm.com>
> >> *Cc:* tls@ietf.org <tls@ietf.org>
> >> *Subject:* Re: [TLS] DTLS 1.3 AEAD additional data I think there
> >> are two potential resolutions to your CID issue:
> >>
> >> 1. Cryptographically protect it as in
> >> https://github.com/tlswg/dtls13-spec/pull/143
> >> 2. Forbid implicit CIDs (my preference) see:
> >> https://github.com/tlswg/dtls13-spec/issues/144
> >> <https://github..com/tlswg/dtls13-spec/issues/144>
> >>
> >> Would like to hear what others in the WG think.
> >>
> >> -Ekr
> >>
> >>
> >> On Tue, Apr 21, 2020 at 10:59 AM Eric Rescorla <ekr@rtfm.com> wrote:
> >>>
> >>>
> >>> On Tue, Apr 21, 2020 at 8:39 AM Hanno Becker <Hanno.Becker@arm.com> wrote:
> >>>> Hi all,
> >>>>
> >>>> To my understanding, DTLS 1.3 defines AEAD additional data for
> >>>> record protection as the record header as seen on the wire. Quoting Draft 37, Section 4:
> >>>>
> >>>> ```
> >>>>  The entire header value shown in Figure 4 (but prior to record
> >>>> number
> >>>>  encryption) is used as as the additional data value for the AEAD
> >>>> function. For instance, if the minimal variant is used, the AAD
> >>>> is 2  octets long.. Note that this design is different from the
> >>>> additional  data calculation for DTLS 1.2 and for DTLS 1.2 with Connection ID.
> >>>> ```
> >>>>
> >>>> I would like to suggest that DTLS 1.3 uses a structured
> >>>> representation of the record header instead, as do all other
> >>>> versions of [D]TLS as far as I understand.
> >>>
> >>> I am not in favor of this change as proposed. I think it is better to protect the data that is actually on the wire than to allow for changes in the on-the-wire representation that are not reflected in the integrity check.
> >>>
> >>>
> >>>> The reasons for this are as follows, in decreasing order of my
> >>>> perception of importance:
> >>>>
> >>>> - Omission of Connection ID
> >>>>
> >>>>  Regarding the presence of Connection IDs in multiple records
> >>>> within  a single datagram, Draft 37 says:
> >>>>
> >>>> ```
> >>>>  Implementations which send multiple records in the same datagram
> >>>> SHOULD omit the connection id from all but the first record;
> >>>> receiving implementations MUST assume that any subsequent records
> >>>> without connection IDs belong to the same assocatiation.
> >>>> ```
> >>>>
> >>>>  This means that the Connection ID for non-initial records in a
> >>>> datagram containing multiple records is _not_ part of the AEAD
> >>>> additional data for those records, which seems wrong. Concretely,
> >>>> one could inject such non-initial records into other datagrams
> >>>> using different CIDs, and the record protection wouldn't notice it.
> >>>
> >>> This seems like a reasonable point, though it's not clear to me that there is an actual problem here. I'd be in favor of explicitly including the CID in the AD as well as the header.
> >>>>
> >>>>
> >>>>  One might argue that CID shouldn't be part of the AEAD in the
> >>>> first  place, but in any case, I believe the treatment should be
> >>>> uniform  and not distinguish between initial and non-initial
> >>>> records in  a datagram.
> >>>
> >>> We're not distinguishing it. The AD is protecting the record on the wire.
> >>>
> >>>
> >>>> - Modularity
> >>>>
> >>>>  Decoupling the wire-presentation of the record header from
> >>>> record protection allows to implement record protection and  the
> >>>> choice of record header independently: One piece of  the
> >>>> implementation can take care of record protection -  using the
> >>>> structured presentation of the record header - while  another
> >>>> takes care of the wire-encoding. It is even possible  to change
> >>>> the record header format in transit.
> >>>
> >>> This seems like a defect, not a feature.
> >>>
> >>>
> >>>> - Simplicity
> >>>>
> >>>>  At first it seems that using the record header as an
> >>>> unstructured binary blob for AEAD makes things simpler,  but I
> >>>> don't think this is the case: Prior to record  decryption, the
> >>>> record sequence number needs to be  decrypted, and for that
> >>>> purpose, the record header already  has to be parsed. Hence, at
> >>>> the time of record decryption,  the record header is already be
> >>>> present a modified, structured  form, and retaining the
> >>>> corresponding modified binary form  appears to create additional
> >>>> complexity which would be  avoided if record protection would use
> >>>> the structured  header presentation.
> >>>
> >>> I've implemented this for QUIC (I can't remember who at Mozilla did it for DTLS) and it's not particularly difficult.
> >>>
> >>>
> >>>> - Uniformity with other [D]TLS versions
> >>>
> >>> I don't find this argument at all persuasive. To the contrary: we should break with DTLS 1.2 in any case where it's an improvement and not too onerous.
> >>>
> >>> -Ekr
> >>>
> >>>>
> >>>>
> >>>>
> >>>> Let me know what you think,
> >>>>
> >>>> Best,
> >>>> Hanno
> >>>>
> >>>>  IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
> >>>>  _______________________________________________
> >>>>  TLS mailing list
> >>>> TLS@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/tls
> >>  IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
> >  IMPORTANT NOTICE: The contents of this email and any attachments
> > are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose
> the contents to any other person, use it for any purpose, or store or
> copy the information in any medium. Thank you.
>  IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose
> the contents to any other person, use it for any purpose, or store or
> copy the information in any medium. Thank you.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email