IETF Logo Mail Archive

Re: [TLS] Choice of Additional Data Computation

Hanno Becker <Hanno.Becker@arm.com> Sun, 17 May 2020 05:35 UTC

Return-Path: <Hanno.Becker@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9606A3A09A1 for <tls@ietfa.amsl.com>; Sat, 16 May 2020 22:35:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=jkbvgAXT; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=jkbvgAXT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LLRjnwnkFg7t for <tls@ietfa.amsl.com>; Sat, 16 May 2020 22:35:40 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50047.outbound.protection.outlook.com [40.107.5.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D6443A0993 for <tls@ietf.org>; Sat, 16 May 2020 22:35:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=If+xfG3Bj8VS84X8Ho/B6XJqNa/UKuAIB399Va+g91k=; b=jkbvgAXT0N6+MKSX1103dUeThGES6gFFE5gk6xXfL7gv+eqgpQiNN95BPNTRNoAH7koWTTkTmNTaI/8NVWXfZzgCYoFKhrEsQBXDAN6R1dHmHuwbfdepsO0apLXpLaHqbC1h5KxKLxX+/CRVEfFATwVWtb9RAikdtNybX3uoam4=
Received: from AM6PR08CA0048.eurprd08.prod.outlook.com (2603:10a6:20b:c0::36) by DB6PR0801MB1637.eurprd08.prod.outlook.com (2603:10a6:4:3a::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3000.20; Sun, 17 May 2020 05:35:36 +0000
Received: from AM5EUR03FT008.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:c0:cafe::21) by AM6PR08CA0048.outlook.office365.com (2603:10a6:20b:c0::36) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3000.24 via Frontend Transport; Sun, 17 May 2020 05:35:36 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT008.mail.protection.outlook.com (10.152.16.123) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3000.19 via Frontend Transport; Sun, 17 May 2020 05:35:36 +0000
Received: ("Tessian outbound 4cdf5642225a:v54"); Sun, 17 May 2020 05:35:35 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 081a09307cff2922
X-CR-MTA-TID: 64aa7808
Received: from ce80d03d0cdd.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id C0041ED5-2389-419C-ADAD-78C47B90B1F4.1; Sun, 17 May 2020 05:35:30 +0000
Received: from EUR02-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id ce80d03d0cdd.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Sun, 17 May 2020 05:35:30 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=G9VsvaPIXp8+kqEmNv4+WlkVsDi/dVuP5e8YESqj8c0uBUqZLJx6BIKN5U2UfueHCckhK38KKhBAjkZWLkCAw6Z04g0SDzMBWsbKeKRLYlsBogknaOUnfu6RUhDDp9CEJHvKHT4EXFQvirsRCxkYpELAW25YZdX8fsJ1wN9aDnlhWEsKSkSe2U3lCljRAbXK6Fbyp0oVG4XtpHWoU5zGTdcWmZTV6toufq3R8EcUJ8MYkUvjgPKmFwR1G4rgWJh78k7/H4c/TeHtyoB7GWco4PpTkKd3K7UQFm0N7VArpKLoMJzul9iKiBQq4SCG5Ne+IXj0CjXudXUv9y5t299H5Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=If+xfG3Bj8VS84X8Ho/B6XJqNa/UKuAIB399Va+g91k=; b=OlmdfTqUT4PGNSiOWmxXDZ+G0D0jH/Kkpysm//OlCaqUpTKNgqptxzkXy5MSQz0chA4Gssr+axdWtAXsDur9eqi07iPHwWHflDOIYHmbxiYP55N0VQaEp/hfmzFLaKzsg5qMk0+rv2ZdRDqxxW2AGJ048Aq/pcHm2lnSiD04WlCvFHbqV3No76GLuqRqVjDi1FejfKaMtT20vPhpQG6KfKhIoqREyQmlkdIAFvPmTxcPF7HlpffvaRqmiySgLRUp8cRw7qGzoQG8iSoyy8kPV9/iQBuoXnz8iMQuH2Yj2K8apXaC2Y/KuBDOZFztk6WkrGBJN0kgxT0EXPVLf856QA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=If+xfG3Bj8VS84X8Ho/B6XJqNa/UKuAIB399Va+g91k=; b=jkbvgAXT0N6+MKSX1103dUeThGES6gFFE5gk6xXfL7gv+eqgpQiNN95BPNTRNoAH7koWTTkTmNTaI/8NVWXfZzgCYoFKhrEsQBXDAN6R1dHmHuwbfdepsO0apLXpLaHqbC1h5KxKLxX+/CRVEfFATwVWtb9RAikdtNybX3uoam4=
Received: from AM4PR08MB2627.eurprd08.prod.outlook.com (2603:10a6:205:b::32) by AM4PR08MB2897.eurprd08.prod.outlook.com (2603:10a6:205:a::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3000.20; Sun, 17 May 2020 05:35:29 +0000
Received: from AM4PR08MB2627.eurprd08.prod.outlook.com ([fe80::2cce:c1e2:3f1c:149c]) by AM4PR08MB2627.eurprd08.prod.outlook.com ([fe80::2cce:c1e2:3f1c:149c%4]) with mapi id 15.20.3000.022; Sun, 17 May 2020 05:35:28 +0000
From: Hanno Becker <Hanno.Becker@arm.com>
To: Eric Rescorla <ekr@rtfm.com>, Felix Günther <mail@felixguenther.info>
CC: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Choice of Additional Data Computation
Thread-Index: AdYaKASVCp3JPFQuSaOSMkwtz/VZZwAEUEsAAAN7oaAAAnFQAAB17U6AAbcMx4AB+8tYgABFTcZB
Date: Sun, 17 May 2020 05:35:28 +0000
Message-ID: <AM4PR08MB26273DA4DCF47334C85DD7EB9BBB0@AM4PR08MB2627.eurprd08.prod.outlook.com>
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com> <a18b8223-ca9e-4a06-97fc-448865023376@www.fastmail.com> <6b074b76-2977-fbc1-99d7-f9acb79466e3@felixguenther.info>, <CABcZeBNzGr+R5BivpyBXRnO8y+Hnr2RTWeyifw9gFZrgG1C8ZQ@mail.gmail.com>
In-Reply-To: <CABcZeBNzGr+R5BivpyBXRnO8y+Hnr2RTWeyifw9gFZrgG1C8ZQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: rtfm.com; dkim=none (message not signed) header.d=none;rtfm.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [62.7.191.216]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: f1881bd1-d97a-4321-3439-08d7fa24202f
x-ms-traffictypediagnostic: AM4PR08MB2897:|DB6PR0801MB1637:
X-Microsoft-Antispam-PRVS: <DB6PR0801MB16372DE31F95921678551D479BBB0@DB6PR0801MB1637.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:10000;
x-forefront-prvs: 040655413E
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: Tvc63Yoa+dxqKy42PDWAztXED2t0ZxkDrFS5x6cQRAaGWz8udzb0wF3sCdqm8jaxkGL3T3n1v3mPq1Xj0uYvMluVftVMvQkznswd3K/6VD6opseMT1eji5bYoiK93WfyXEEfy1TADSCtule9yLP2x8w4yrcNxJA9d47yhlOo+iE+04z2mxL3nUan0vhxZKA2+Kp/W0dyIz6kYZSfumhOZ44y5JZg8oS/GU1SmvKJL/XqepAWKLz4AZSiUBv02H4F0X9NPV6tfL2z1U4C2PxFbIx8YnZ4kEH0DkVVacU9/66/qdpTajnursTd9VFBmyAXFSQ5CsN0LTwNOnyvmPeT/rfFziDd1e5JrLhuMJHDsF2h0UhGt3wFlr/0wDP2/bStgG/BDA7bd+wWovtb2wtf0aIz0yv9MHzqg3lTSgCKsQI4GgrnNwbSqLxwwkw8K65H0qMOFOR+okKUOYYLV+h9B592CKUt+9bc761/vCFCoKZFu293cOl7QwB8l+uUra57KK5f8BIsboJlFd5TNVgdz+eOXbq1zSHrWqyK1HLFHkRfPxea0vHMntx7jegowpEo
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM4PR08MB2627.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(136003)(39850400004)(346002)(366004)(376002)(71200400001)(5660300002)(8936002)(186003)(6506007)(53546011)(26005)(2906002)(33656002)(52536014)(86362001)(110136005)(478600001)(66476007)(966005)(66946007)(64756008)(66556008)(66446008)(76116006)(316002)(66574014)(8676002)(166002)(9686003)(55016002)(4326008)(7696005)(19627405001)(6606295002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 5rOgHFq3hnC4xqHfLF0MOVE7NGjzai+E1RU9YABMElooQ6SKyG7IC2ikkh46FHsnASSSsEVZKwQLX1pZ3+8WGXRN+c9AGsNgAV7UHJuRX0FLcSFtueToHdLeNrCCrIl1xMoc9JSf6avrz0xZQxTu2MaAPMk8M0dYW9llaVWCGANfonEji2PfLIEcfkMAJF1V6b8vIq3gkALVU9nG9ipQ3ciNO67OaplgJcK5T7EnO19LVbmVHHE0+qfHzeUbhIJbszlsjBKVZ2YmV8SUIYTuYpcmmHuPuc0dnpLrng0WoObpgox6Y98OhF2C+ICyJKLEzE/1DltBRXuJO5r3PNUvsOp4KGv5t5puiuvMzMf9hX592u6iQ9GPHrJKr8OeLwl+5bRk1WZw+vgmmQIh7+StpoZTNMy/AlfuRJcomIgJsTnxlJRU7xnKOwCMpfB2PfGjCHPy7mkjLvSqs/InXol5+mCDzGaoOQP3Q89kXOnCHj0=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM4PR08MB26273DA4DCF47334C85DD7EB9BBB0AM4PR08MB2627eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR08MB2897
Original-Authentication-Results: rtfm.com; dkim=none (message not signed) header.d=none;rtfm.com; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT008.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(346002)(136003)(396003)(39850400004)(376002)(46966005)(6506007)(336012)(4326008)(53546011)(8936002)(55016002)(36906005)(66574014)(166002)(316002)(7696005)(82310400002)(186003)(2906002)(9686003)(81166007)(356005)(82740400003)(33656002)(110136005)(52536014)(70586007)(70206006)(478600001)(47076004)(5660300002)(8676002)(86362001)(966005)(26005)(19627405001)(6606295002); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: b014fd72-82df-4ce0-a342-08d7fa241bce
X-Forefront-PRVS: 040655413E
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: We247/XOUJhV/l0nir2rJYZLeLVVUchJ+BCWnDy7YkpxlAlh20Lm53wFFZaHK9E1p7kD+Hxoq9cztGyWlYTlN12GWYSBKWw5J+wSIOcOiqSEXlNu4b4s8uS8fPVUaaeVlSa/gnGwQ/0ch5/n20c6jwX445p7KSMGqn5Y/dUbDN5DYkeoG0EifePQhro2sxCtiApRIKQ0Ia+WkN94vT0LJe9G4P3Q6bUuSoMufbc3dzKg80DcLH4grKFKxPWoFX6k/jqB8pKxIoH0IttwFN+yXU64AGkH7aMLU4JHtwufmDAs0KMBV8nk0ZBWXTS8l26y3yTsAMmGDgI86uvUDqU3kyY2f0MLRC2XwkPTxy8lpmX2wRhG/NIP2ogTf4r0kG7ZFEHUjbrtn9VJ/SOVdbwR7ShCtlX4waYMXpnT3MUZVNneHwryJPsFwY28bhBkmihMLxsu4sp/4TSNhNVROkvLjO1k9r/BJkp5qRBXXcvpLXVB6yGqDABizAj6thYLE3+DPPwjjCLvu5ba4AzUQ00QKWC2aaZO0TUaKS62+OZj/UC/VcZwUXXXt6B3Vzbc8LrJIkK9OT5nvnMnbOMZrAl7KJ2VAaPM77Ah17acpUtAR3mt9eTbvRp6JubM+8O7cVji
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 May 2020 05:35:36.1066 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: f1881bd1-d97a-4321-3439-08d7fa24202f
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0801MB1637
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/EwOj8EgdSu3wbqrAK1EJRZL3JiI>
Subject: Re: [TLS] Choice of Additional Data Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 May 2020 05:35:44 -0000

> Actually, the full epoch is included in the overall sequence number and hence used to generate the nonce.

Good point Ekr, I missed that.

So, we're here at the moment:
(1) Only the CID issue really _needs_ fixing somehow.
(2) Other header fields are currently authenticated through a mixture of AAD, nonce, and implicit properties of the AEAD,
and proof complexity doesn't seem to grow significantly because of that non-uniformity (the latter was slightly in doubt
so far for epoch authentication, but Ekr's remark clarifies that it isn't actually the case).
(3) No security issues with the proposed alternative -- uniformly pseudo-header based AAD -- have been raised yet.
(4) Non-security arguments for a pseudo-header AAD have been proposed, e.g. network bandwidth reduction.
Those aren't discussed until the question of security reaches some clarity.

Felix, could you give some input on (3) as detailed in my last post?

We still need to change _something_ to address (1), the pseudo-header approach does so while bringing other
advantages, and no concrete security have been pointed out so far. So, once again:

Are there objections in terms of security towards the (purely) pseudo-header AAD?

Cheers,
Hanno

________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Eric Rescorla <ekr@rtfm.com>
Sent: Friday, May 15, 2020 9:04 PM
To: Felix Günther <mail@felixguenther.info>
Cc: <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] Choice of Additional Data Computation



On Tue, May 5, 2020 at 10:55 AM Felix Günther <mail@felixguenther.info<mailto:mail@felixguenther.info>> wrote:
  4) I slightly disagree with "epochs determine the key" (true) as, what
I understand is, an argument that "the full epoch is implicitly
authenticated by using the right key", at least in its absoluteness. My
*guess* would be that, due to the key schedule, this argument comes down
to the probability of keys colliding (which is anyway to be avoided, so
probably fine). Still, from a security analysis point of view, showing
security with key updates might be easier if the (full) epoch was
authenticated as part of the AAD.

>

https://tools.ietf.org/html/draft-ietf-tls-dtls13-37#section-4

Does that help?

-Ekr

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email