Re: [TLS] Choice of Additional Data Computation

Hanno Becker <Hanno.Becker@arm.com> Fri, 24 April 2020 16:19 UTC

From: Hanno Becker <Hanno.Becker@arm.com>
To: chris - <chrispatton@gmail.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Choice of Additional Data Computation
Thread-Index: AdYaKASVCp3JPFQuSaOSMkwtz/VZZwAEUEsAAAN7oaAAAnFQAAAASY9C
Date: Fri, 24 Apr 2020 16:19:46 +0000
Message-ID: <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com>
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com>, <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com>
In-Reply-To: <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LyvdHr_3DvW112j3KL9y45HAlRU>

Hi Chris,

Just a note on the comparison with TLS 1.3.

> I'd like to point to some related work that could shed light on this question.
> The decision for TLS 1.3 was to authenticate all data that is written to the wire,

It doesn't seem straightforward to extrapolate from that case since the 'pseudo-header'
and on-the-wire header are the same here, as TLS 1.3 doesn't have any header
data which is shortened or omitted on the wire. In DTLS 1.3, in contrast, various
fields can be dropped or shortened, such as the length, sequence number, CID.

Best,
Hanno
________________________________
From: TLS <tls-bounces@ietf.org> on behalf of chris - <chrispatton@gmail.com>
Sent: Friday, April 24, 2020 4:56 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Choice of Additional Data Computation

Hi all,


>  1. Generic question: Should the construction of the additional data be
>     dependent on what is transmitted over the wire or should it be based
>     on a "pseudo header"? DTLS 1.2 uses a pseudo header and DTLS 1.3 the
>     data transmitted over the wire in the additional data calculation.

I'd like to point to some related work that could shed light on this question. The decision for TLS 1.3 was to authenticate all data that is written to the wire, as this allows for proving the record layer secure [1] in a strong model for secure channels [2]. However, the formal models of [1,2] assume reliable transport (i.e., TCP): failure to deliver packets in order is deemed an attack. Therefore, the definitions would need to be changed in order to account for the case of DTLS. (I'm not sure if this has been studied.) My hunch is that the same design pattern (i.e., "authenticate everything on the wire") would be called for, but I've not seen formal evidence either way.


>  2. Specific question: Should the CID be included in the additional data
>     calculation, particularly for the case where it is only implicitly
>     sent? Asked differently, are there attacks possible?

Unfortunately I'm unfamiliar with the specific problem at hand, as I've not been following DTLS' development. (I'm in the middle of writing my thesis.) That said, I don't see a problem with having the AAD include *both* the record header *and* something else, like the CID. And it may very well prevent an attack.


Chris P.

[1] https://eprint.iacr.org/2018/634.pdf
[2] https://eprint.iacr.org/2017/1191.pdf
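Both points above, Hanno's that DTLS 1.3 may drop or shorten the length, sequence number and CID so that the on-the-wire header and a full-width pseudo-header no longer coincide, and Chris's that the AAD could cover both the record header and the CID, can be made concrete with a small program. The Go code below is an added example written for this archive page; it is not code from either author, from the DTLS drafts, or from any TLS implementation. It uses AES-128-GCM from Go's standard library with constructed key, IV, CID and payload values, builds the DTLS 1.2 pseudo-header from RFC 6347 and the first-byte layout of the DTLS 1.3 unified header from RFC 9147 (the RFC the draft under discussion became), and simplifies the rest: record-number encryption, the 16-bit sequence form and the length field are omitted, sequence-number reconstruction is reduced to restoring fixed upper bits, and the "wire header followed by the inferred CID" AAD in the last case is this example's own construction, not a specified one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed sample material, not taken from any real session.
var (
	sampleKey = []byte("0123456789abcdef")                   // AES-128 key
	sampleIV  = []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11} // 96-bit write IV
	sampleCID = []byte{0xC1, 0xD2}
	payload   = []byte("application data")
)

// aadDTLS12 is the DTLS 1.2 pseudo-header (RFC 6347): epoch(2) || seq(6) ||
// type(1) || version(2) || length(2), every field at full width whatever was sent.
func aadDTLS12(epoch uint16, seq uint64, ctype byte, version [2]byte, length uint16) []byte {
	b := make([]byte, 13)
	binary.BigEndian.PutUint64(b[0:8], uint64(epoch)<<48|seq&0xFFFFFFFFFFFF) // epoch || 48-bit seq
	b[8] = ctype
	copy(b[9:11], version[:])
	binary.BigEndian.PutUint16(b[11:13], length)
	return b
}

// headerDTLS13 is the DTLS 1.3 unified header as sent on the wire (RFC 9147 section
// 4, first byte 0 0 1 C S L E E) in its shortest form: CID only if present, 8-bit seq,
// no length field; the 16-bit S form and record-number encryption are left out here.
func headerDTLS13(epoch uint16, seq uint64, cid []byte) []byte {
	h := []byte{0x20 | byte(epoch&3)}
	if len(cid) > 0 {
		h[0] |= 0x10 // C bit
		h = append(h, cid...)
	}
	return append(h, byte(seq))
}

// nonce XORs the write IV with the left-padded epoch||seq (TLS 1.3 / DTLS 1.3 style).
func nonce(epoch uint16, seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], uint64(epoch)<<48|seq&0xFFFFFFFFFFFF)
	for i := range n {
		n[i] ^= sampleIV[i]
	}
	return n
}

func aead() cipher.AEAD {
	block, _ := aes.NewCipher(sampleKey) // a valid 16-byte key cannot fail here
	g, _ := cipher.NewGCM(block)
	return g
}

// seal protects the sample payload under whichever AAD the sender chose.
func seal(epoch uint16, seq uint64, aad []byte) []byte {
	return aead().Seal(nil, nonce(epoch, seq), payload, aad)
}

// accepted reports whether a receiver holding (epoch, seq, aad) passes the tag check.
func accepted(epoch uint16, seq uint64, aad, ct []byte) bool {
	_, err := aead().Open(nil, nonce(epoch, seq), ct, aad)
	return err == nil
}

// Demo seals one record per convention and reports which receiver views are accepted.
func Demo() map[string]bool {
	const epoch, seq = 1, 0x0105
	out := map[string]bool{}
	// DTLS 1.2: the receiver rebuilds the full-width pseudo-header from its own state.
	aad12 := aadDTLS12(epoch, seq, 23, [2]byte{0xFE, 0xFD}, uint16(len(payload)))
	out["12 pseudo-header rebuilt"] = accepted(epoch, seq, aad12, seal(epoch, seq, aad12))
	// DTLS 1.3: the AAD is the wire header, which carries only the low 8 bits of seq.
	hdr := headerDTLS13(epoch, seq, sampleCID)
	ct13 := seal(epoch, seq, hdr)
	full := uint64(0x0100) | uint64(hdr[1+len(sampleCID)]) // receiver restores the upper bits from its expected 0x01xx window (RFC 9147 section 4.2.2 has the real rule)
	out["13 wire header, seq reconstructed"] = accepted(epoch, full, hdr, ct13)
	out["13 wire header, seq off by 256"] = accepted(epoch, full+256, hdr, ct13) // same AAD bytes, wrong nonce
	// Question 2: CID sent implicitly, so absent from the wire header. Appending the receiver's
	// inferred CID to the AAD is a hypothetical "header and CID" construction; the bare header never sees it.
	bare := headerDTLS13(epoch, seq, nil)
	withCID := func(cid []byte) []byte { return append(append([]byte(nil), bare...), cid...) }
	ctBound := seal(epoch, seq, withCID(sampleCID))
	out["implicit CID bound, same CID inferred"] = accepted(epoch, seq, withCID(sampleCID), ctBound)
	out["implicit CID bound, other CID inferred"] = accepted(epoch, seq, withCID([]byte{0xEE, 0xEE}), ctBound)
	out["implicit CID unbound, other CID inferred"] = accepted(epoch, seq, bare, seal(epoch, seq, bare))
	return out
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-42s accepted=%v\n", k, v)
	}
}
```

Running it with go run prints one accepted=true/false line per case: the rebuilt pseudo-header and the wire header with a correctly restored sequence number both verify; a sequence number off by 256 fails through the nonce even though the AAD bytes are unchanged, which is why a receiver of shortened fields must reconstruct them exactly; and in the implicit-CID cases the receiver's inferred CID only influences the outcome once it has been folded into the AAD, which is the distinction question 2 turns on.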