Re: [TLS] Late DLS 1.3 issue
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 06 October 2021 11:43 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F2E43A1B79 for <tls@ietfa.amsl.com>; Wed, 6 Oct 2021 04:43:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AqaIzLC9zjZE for <tls@ietfa.amsl.com>; Wed, 6 Oct 2021 04:43:44 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A01513A0B41 for <tls@ietf.org>; Wed, 6 Oct 2021 04:43:44 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id BAFCB1F62A for <tls@ietf.org>; Wed, 6 Oct 2021 14:43:40 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id H8_7ZnNOF610 for <tls@ietf.org>; Wed, 6 Oct 2021 14:43:40 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 647BC28E for <tls@ietf.org>; Wed, 6 Oct 2021 14:43:39 +0300 (EEST)
Date: Wed, 06 Oct 2021 14:43:39 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <YV2L63Cl8AKpu9pR@LK-Perkele-VII2.locald>
References: <3e98642a-a232-471f-aacc-2f7a723be320@www.fastmail.com> <2dc51976-ee00-449c-b954-23b53d3607b7@www.fastmail.com> <CABcZeBM_Kx1fL4KU-9F9X3YjgDv2K4idDWXoLAfv9=-LbDLXjw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBM_Kx1fL4KU-9F9X3YjgDv2K4idDWXoLAfv9=-LbDLXjw@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rIHG_tNXvfWC1ldv7Ar4fr7nK1s>
Subject: Re: [TLS] Late DLS 1.3 issue
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 11:43:50 -0000
On Tue, Oct 05, 2021 at 06:58:24PM -0700, Eric Rescorla wrote: > On Tue, Oct 5, 2021 at 6:36 PM Martin Thomson <mt@lowentropy.net> wrote: > > > I left a comment, but I don't think that the fix, as it is specifically > > proposed, works. > > > > The general shape of the proposal seems credible. A larger epoch space, > > of which we only send the least-significant bits, would seem to address the > > concern. But the proposal doesn't specify what to do with the per-record > > nonce. > > > > If we go with a 48-bit epoch we get a few more records (2^32 times as many > > I suppose), which is probably enough. And the value would fit in the > > per-record nonce. Then you just need a bunch more text that explains how > > to encode that nonce. > > > > A 64-bit epoch doesn't fit in any nonce we currently use. We could > > truncate, which would need more analysis (my intuition is that it would be > > OK, but I'd like more than a gut feeling). We might use the expanded nonce > > options that some (not all) AEAD ciphers have, but that would be a very bad > > idea. > > > > This isn't dispositive, but note that TLS 1.3 doesn't include the epoch in > its nonce at all. The way I read editor's copy (section 4), DTLS 1.3 does stick the (64-bit!) epoch in nonce, Which does not work at all with Chacha20-Poly1305-AEAD, and would need AES-GCM with expanded nonce, which is poorly suppored and IIRC cryptographically busted. Because DTLS 1.3 ratchets keys when switching epochs, it is not necressary to include epoch in nonce. Just allowing epochs to wrap around would not create cryptographic problems. It seems that it would not cause problems with ACKs either: Burning through the 65536 epochs will presumably either require insane rekeying rate, or take so long that all potentially confusable ACK- elicting packets and ACKs have been permanently lost. Badly timed rehandshake could reuse epoch much faster than that, but it is not possible to confuse such ACKs as any wrong ACKs are undecryptable. -Ilari
- [TLS] Late DLS 1.3 issue Christopher Wood
- Re: [TLS] Late DLS 1.3 issue Martin Thomson
- Re: [TLS] Late DLS 1.3 issue Eric Rescorla
- Re: [TLS] Late DLS 1.3 issue Martin Thomson
- Re: [TLS] Late DLS 1.3 issue Ilari Liusvaara
- Re: [TLS] Late DLS 1.3 issue Christopher Wood
- Re: [TLS] Late DLS 1.3 issue Christopher Wood
- Re: [TLS] Late DLS 1.3 issue Christopher Wood