Re: [TLS] Choice of Additional Data Computation

Felix Günther <mail@felixguenther.info> Mon, 18 May 2020 06:37 UTC

To: tls@ietf.org
Message-ID: <0b036723-5565-ae7c-49d4-7b43d0094713@felixguenther.info>
Date: Mon, 18 May 2020 08:37:36 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sUO3agXJtImpiHKCL2uFSlxMVqc>

Hi,

On 2020-05-17 07:35 +0200, Hanno Becker <Hanno.Becker@arm.com> wrote:
> So, we're here at the moment:
> (1) Only the CID issue really _needs_ fixing somehow.
> (2) Other header fields are currently authenticated through a mixture of
> AAD, nonce, and implicit properties of the AEAD,
> and proof complexity doesn't seem to grow significantly because of that
> non-uniformity (the latter was slightly in doubt
> so far for epoch authentication, but Ekr's remark clarifies that it
> isn't actually the case). 
> (3) No security issues with the proposed alternative -- uniformly
> pseudo-header based AAD -- have been raised yet.
> (4) Non-security arguments for a pseudo-header AAD have been proposed,
> e.g. network bandwidth reduction.
> Those aren't discussed until the question of security reaches some clarity.
> 
> Felix, could you give some input on (3) as detailed in my last post? 

Our security analysis doesn't speak to (3) --- I added some more
detailed remarks in reply to your last post. Clearly, you wouldn't
achieve the same security definition (as headers are intentionally
malleable). Whether that's a problem or not depends on the goal, and if
you can indeed prove the corresponding, to-be-formalized security
statements.


Cheers,
Felix