Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-connection-id-07

Benjamin Kaduk <kaduk@mit.edu> Mon, 12 October 2020 19:57 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E53663A08AB for <tls@ietfa.amsl.com>; Mon, 12 Oct 2020 12:57:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gjg59_5AX477 for <tls@ietfa.amsl.com>; Mon, 12 Oct 2020 12:57:09 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 869963A08A6 for <tls@ietf.org>; Mon, 12 Oct 2020 12:57:09 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 09CJv2M7011115 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 12 Oct 2020 15:57:07 -0400
Date: Mon, 12 Oct 2020 12:57:02 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Michael D'Errico" <mike-list@pobox.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20201012195702.GC1212@kduck.mit.edu>
References: <0da9b525-ec78-bef5-6ceb-5f377019ade4@gmx.net> <4ca7c2f9-1e9d-0d16-0089-649f013b4565@gmx.net> <20201008233454.GF89563@kduck.mit.edu> <6185242d-8ba8-2d2f-5938-afad46c2e854@gmx.net> <20201009212240.GK89563@kduck.mit.edu> <401a965c-69ee-455a-8c09-12a37f3b89dc@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <401a965c-69ee-455a-8c09-12a37f3b89dc@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hCIXfYPhIjPK6MyomTLCnV83ras>
Subject: Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-connection-id-07
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2020 19:57:11 -0000

Hi Mike,

On Sat, Oct 10, 2020 at 01:29:13PM -0400, Michael D'Errico wrote:
> On Fri, Oct 9, 2020, at 17:22, Benjamin Kaduk wrote:
> > [...]  The behavior we should demand from our cryptographic
> > constructions is that the cryptography itself correctly returns
> > "valid" or "invalid" based on the input message, provided that
> > the application inputs the correct key material.  (It should also
> > return "invalid" if incorrect key material is supplied, of course.)
> > The ability to produce two different messages for which the
> > cryptography returns "valid" violates this principle; even if we
> > do not see an obvious path by which a reasonable application
> > might supply those inputs to the cryptographic code, it is still
> > a flawed construction.
> 
> Hi,
> 
> I'd like clarification about this point, where the cryptography
> should return values of "valid" or "invalid".  This is a general
> question, not specifically about this draft.  (Please read at
> least the next 2 paragraphs.)
> 
> I remember a long time ago, it may have been the renegotiation
> info extension, where there was a lot of calculation being done,
> there were two complicated values each side had to compute.
> If they were equal, then everything was fine and the handshake
> could proceed.  If not, there was an insecure renegotiation
> happening.  (Or maybe it was the downgrade protection RFC,
> I can't remember now.)  But if the values were not equal, then
> something bad was happening and the handshake should not
> proceed.
> 
> The problem both Martin Rex and I discovered at nearly the
> same time (posts to the mailing list within minutes of each
> other) was that both sides could go through all the motions
> faithfully calculating all of the values, correctly, and then
> forget to compare them to see if the values were actually
> the same.  I noticed this because I wrote the code, and it
> seemed like an easy thing to overlook.
> 
> I remember suggesting that we somehow incorporate the
> calculated values into the derivation of the record layer keys
> so the MAC would fail, or maybe into the Finished message
> calculation so (if you remember to check that?) a failure is
> noticed later.  This suggestion was shot down by the author
> unilaterally for what I perceived at the time to be petty
> reasons.
> 
> I still believe that (D)TLS security should not rely on the
> implementer to check whether two values are equal.  This
> is too easy to forget to do.  Or you could do this in C:
> 
>     if (complex_value_a = complex_value_b) {
>         // we're in trouble....
>     }
> 
> I have not looked at the TLS 1.3 draft beyond the hour or so
> I've put in so far to see whether this reliance on checking is
> in there too.  I've also not checked whether the security

The TLS 1.3 handshake transcript is an input to the key schedule; manual
comparison of generated values is not necessary for security.

I would encourage you to continue in your efforts reading RFC 8446 -- in my
opinion we put quite a bit of effort in towards making it readable.  (With,
perhaps, the exception of stateless HelloRetryRequest as you have already
noted, since the main expected use case is in DTLS.)

-Ben