Re: [TLS] Choice of Additional Data Computation
Eric Rescorla <ekr@rtfm.com> Sun, 26 April 2020 21:09 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A0753A124B for <tls@ietfa.amsl.com>; Sun, 26 Apr 2020 14:09:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RfCLF61dk3_S for <tls@ietfa.amsl.com>; Sun, 26 Apr 2020 14:09:52 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC5593A124A for <tls@ietf.org>; Sun, 26 Apr 2020 14:09:51 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id f18so15461958lja.13 for <tls@ietf.org>; Sun, 26 Apr 2020 14:09:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sWQklTZnNTzryLE9rOuxfwAtCXs1ALD5kqlT2Ft2nFY=; b=TLcuYt8F/ucVQ94fRA+6KRrI5YvTjJwe0npG4qkCigozcllBNWRP6/Uuacg12J5/K9 DFks6ILEo7S22S6mHrM8+kQvxn3/MLRojWZv5tKxZR+RrIvgz8gSUR5svBOAF+NlNYEk JoGu+DSmg9kFOTwFzPQ4F7M6f1zkN9pxytnQO9PxH9yS1IeJItG2hmuWMBRO2FllNfN5 DsHdQm3ZQSl29grKySmSza9jQuhCkK9ARmO7ESCEv7QmuGlBfkqY/8GH+gqKKyVdEsVY E/A9lr/xsWoGUDyiOqxk7NfvY8g0O0erGZEYnelpyE0NPx/jhKE87V2SUj/NRuqPSRla T2ug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sWQklTZnNTzryLE9rOuxfwAtCXs1ALD5kqlT2Ft2nFY=; b=oIglYJSZgA3ogGKziT5H12p+Ko/tmTgIFCP0Su43laaYO+3NnuOdWI0dIXSq6ajpIP OH7nU/hnPefsJDDlc9aek9iSA9CFgrnlV6TgBWIrbduW0hjtaVwajyEZFwfYw+Vgr4Vr TRv4Pr0+nGd3VoMZ0vVcXiROhu5MdnxsML0cB7gxy4YSvhDPiTdDp/sfu4r5J1aKf6uy 3d+wzSp56K8dZ+BDphtGh/tRBe4gZ801uUGjHi8B/ibXRr3yRqraIeb7oBPL8BiUiHSE 4ss20kkUYly1aU1/JUpipWg1A+4iCDVeNCouMArhz0xeB8EItUWAFQduvIi+S2856TxQ N/tQ==
X-Gm-Message-State: AGi0Puaf6vRVDJ3Xc3nf0Onh2+7rQ+6F65z8TKcftUDt2oOI63SkzhOw NDdDkUz5NuMzOJWFyHAZ8RNWJli6HzcakgtykKOhzw==
X-Google-Smtp-Source: APiQypL9y3HqplA0RyMVV7fBsIMP57n8ADcIc2mRAfv65GRjEUuXQPbuskwENmx0RnAEMS4bltTkFQpzSKRuiVgUipY=
X-Received: by 2002:a2e:99ca:: with SMTP id l10mr12311831ljj.274.1587935389823; Sun, 26 Apr 2020 14:09:49 -0700 (PDT)
MIME-Version: 1.0
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com> <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBOwK7m465LsbY3U+bHv0XA2rcGOTEBStTtTNkwAYvWeQA@mail.gmail.com> <CACLV2m5Md2+Ffc978ZJ+BeZwRgcXTV3xE0vXzmvNgnot_c71xQ@mail.gmail.com> <AM6PR08MB331862B6F143652F4B4C10EE9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBMKoVrcN-=aTvy6py5bhOwOVrhgVLmtX2tthc=Oa54b_Q@mail.gmail.com> <CACLV2m7knyt-gQoQq2v1Kz-J62DPjCpb6faJFfDgJ-8mprHwxQ@mail.gmail.com> <CABcZeBMwQHdRuvcs5pmE59SCUj=cwWCtrBhyh9w_L0U1ZDoJ8Q@mail.gmail.com> <AM6PR08MB3318AFD0C1FC4011ED2A81919BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CACLV2m7P-=ztPLt+eZjEpcZW=TbNj4wU6hOywhAyMx5ZRrahUw@mail.gmail.com> <AM6PR08MB33185190928734FAFCEDFFCE9BD10@AM6PR08MB3318.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB33185190928734FAFCEDFFCE9BD10@AM6PR08MB3318.eurprd08.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 26 Apr 2020 14:09:13 -0700
Message-ID: <CABcZeBNtZrGRG1_z9V+fPsigmqehG_nvrCQ4_doSfAknYHyhOQ@mail.gmail.com>
To: Hanno Becker <Hanno.Becker@arm.com>
Cc: chris - <chrispatton@gmail.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d647f905a438040d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mb2JuqMGcn5O61WushPEKen49m0>
Subject: Re: [TLS] Choice of Additional Data Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2020 21:09:54 -0000
On Sun, Apr 26, 2020 at 2:43 AM Hanno Becker <Hanno.Becker@arm.com> wrote: > Hi, > > Thanks Chris for your thoughts. > > Yes, it seems that specific formal analysis is needed, since we're > dealing with the new > situation that - in contrast to TLS 1.3 - shortened or omitted fields in > the DTLS 1.3 headers > (e.g. epoch, length, CID) introduce a notion of implicit context to a > record which wasn't > present before. This requires analysis of the desired properties of this > implicit context > and their implications on the protocol design. > > For example, such a property might informally be that a party able to > decrypt a record > must have correctly reconstructed the full implicit context of the > record, such as the full > epoch when it was shortened in the header, the CID when it was omitted, or > the length > when it was omitted. > The epoch, the sequence number, and the length are all bound to the AEAD computation: - The epoch determines the key - The sequence number determines the nonce [note that this is actually implicit in TLS 1.3] - The length determines the input to the AAD. And I am proposing removing implicit CIDs. -Ekr This seems most directly achieved by cryptographically binding this > context to the record through AAD, while protecting only the explicit > context makes reasoning > that the party has the correct context either less straightforward (see > the epoch example) or > impossible (current CID issue allowing to decrypt a record in a context > with different CID). > To me it therefore still appears preferable to use a pseudo-header as the > AAD. > > Hopefully some more people from the protocol verification community > will join in here and give their thoughts. > > Best, > Hanno > ------------------------------ > *From:* chris - <chrispatton@gmail.com> > *Sent:* Saturday, April 25, 2020 6:58 PM > *To:* Hanno Becker <Hanno.Becker@arm.com> > *Cc:* Eric Rescorla <ekr@rtfm.com>; Hannes Tschofenig < > Hannes.Tschofenig@arm.com>; tls@ietf.org <tls@ietf.org> > *Subject:* Re: [TLS] Choice of Additional Data Computation > > > > So far I fail to understand, on an intuitive level, why it easier to > analyze the protocol when the AAD can take multiple forms potentially > truncating or omitting the underlying data, but then I don't know the > details and you're the expert here. If you have time though to explain a > bit more where the flaw in my thinking below is, that would be great, > provided it's possible. > > > I don't know that there's a flaw in your thinking. At the moment, all that > I can speak to is how authenticating the header (or not) might impact > security of DTLS. We can't directly extrapolate from what we know about > TLS, because the security goal is not to the same. That said what I know > about TLS is the following: the contents of the record header doesn't > matter for security goal considered in [1], as long as (1) the header is > authenticated; and (2) it correctly encodes the length of the next > ciphertext. But since the security goal of DTLS is not the same, the > details of the spec that are (ir)relevant to security are likely to differ. > > > > For example, another thing which I would expect to be more complicated to > verify in full rigor is epoch authentication: If the epoch is reduced to > its two low order bits in the DTLS 1.3 header and thus (at the moment) also > in the AAD, arguing that decryption can only succeed for the correctly > expanded epoch involves knowing that all epochs having different keys. > That's of course true but this fact wouldn't be needed if the full numeric > epoch was always explicitly authenticated in the AAD. This isn't a real > issue in the end, but I would expect it to be a nuisance in a formal proof? > > In terms of what you mentioned regarding decoding details, it seems that > adding the underlying logical header to the AAD ensures more directly that > decryption can only succeed if header decoding (that is, filling in > implicit data or expanding truncated data) was done correctly, whereas it > is less clear with the truncated or omitted data in AAD, as in the epoch > example above. Is it possible to explain what the flaw is here intuitively? > > > I'm afraid I would need to absorb spec and think about its intended > security properties in order to answer these specific questions. I'm sorry > if this answer is unhelpful; Ekr asked that I chime due to my prior work on > TLS. But I don't think there's a simple answer here, and unfortunately I > don't have the time to think it through at the moment. > > For now, I'll just leave you with this. I'm a fan of the following design > principle: whenever there is a branch in your code that depends on a bit > read from the wire, that bit should be authenticated if possible. To your > example, if a decision you're about to make depends on you agreeing with > the peer on the current epoch, the principle says that the epoch had better > be authenticated. Whether it's necessary or appropriate to do so here (via > AEAD decryption) depends very much on the context, i.e., the protocol > details and the security goal. > > > Chris P. > > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. >
- [TLS] Choice of Additional Data Computation Hannes Tschofenig
- Re: [TLS] Choice of Additional Data Computation Achim Kraus
- Re: [TLS] Choice of Additional Data Computation Hannes Tschofenig
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Thomas Fossati
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Thomas Fossati
- Re: [TLS] Choice of Additional Data Computation chris -
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Martin Thomson
- Re: [TLS] Choice of Additional Data Computation Hannes Tschofenig
- Re: [TLS] Choice of Additional Data Computation Martin Thomson
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Felix Günther
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Eric Rescorla
- Re: [TLS] Choice of Additional Data Computation Felix Günther
- Re: [TLS] Choice of Additional Data Computation Hanno Becker
- Re: [TLS] Choice of Additional Data Computation Felix Günther
- Re: [TLS] Choice of Additional Data Computation Felix Günther