Re: [TLS] ECH AAD for HRR
David Benjamin <davidben@chromium.org> Wed, 01 September 2021 17:13 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90E2B3A0E59 for <tls@ietfa.amsl.com>; Wed, 1 Sep 2021 10:13:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.949
X-Spam-Level:
X-Spam-Status: No, score=-9.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E2ZpI92TNP5n for <tls@ietfa.amsl.com>; Wed, 1 Sep 2021 10:13:21 -0700 (PDT)
Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF7DB3A0E53 for <tls@ietf.org>; Wed, 1 Sep 2021 10:13:21 -0700 (PDT)
Received: by mail-pl1-x62c.google.com with SMTP id n4so53757plh.9 for <tls@ietf.org>; Wed, 01 Sep 2021 10:13:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1gULMf6Jqte1penYKiBENjUr4+Xhjdmyl3z33/EXISI=; b=Ezps3mMFPVK36zZ7rP7ZzjPz2XOlfdBAbhthmAKj4pXizscdsurt7aCDCu2Hab1nYl sSg+Nns24dlWSel4fDMvF4eFvYF5ZCvc3wM4hVzz1um7RF14+0APv+7FP0gBFb/QqG7v ZB2O6017qAjaI8Gou9Y4Gq90WimMWD2gTfvO4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1gULMf6Jqte1penYKiBENjUr4+Xhjdmyl3z33/EXISI=; b=Gpa1b1NeSVVCi8+UXP0MMO79qCjsFbxnDjh17NBdxvIQc82v1mCCN780XO0/DcLCpH tHLXeA8yXd+dCqnjtpXqJap+lF0KMUqkFpwB/jkU4Hql1N3+r6xS2owyVHNwilMXZ+AP W9HiSihwiK4yqxo/RPU6gNy4yF7mWsxvMY8gubreK/Bz2MT7YSqc8UCzvZUb9Tx7tuid Si7IF+mlHFnx8jAAIfFuH5rsgFW/7R7bkV7Ayez0JyPXb+neROmCFTG2mfPanJk0T8U9 TtFMScqGrzO+hR45ovDb0cZ0vyT8DgJp9jx+dZIlDZhHOkpcXgz+PjshYqJ1ynzwcEZp rVtA==
X-Gm-Message-State: AOAM533lzSw0GVauDfW54S+JgQFkGBcA23pBNxb30eK5HXQ7UZWa8fuq h4hPo+lEakNQkIn91uDxMYDqPCR04b5RwN9OzhIh8ITb/w==
X-Google-Smtp-Source: ABdhPJzbx5ULL5Tdecz3fm3yqMGXq3pjw8arq1gEeBh5G91omkFTAviho/g9kttN2/dtVdphU8HCNBF4Oz7hg9PAmVQ=
X-Received: by 2002:a17:90a:6503:: with SMTP id i3mr383840pjj.42.1630516399649; Wed, 01 Sep 2021 10:13:19 -0700 (PDT)
MIME-Version: 1.0
References: <07c00cd9-677c-ec35-7dba-0c4eccac35cd@cs.tcd.ie>
In-Reply-To: <07c00cd9-677c-ec35-7dba-0c4eccac35cd@cs.tcd.ie>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 01 Sep 2021 13:13:03 -0400
Message-ID: <CAF8qwaBWndRS5-HAfyTYHeLyM_i-DZwG5tUmnZeWNnOjXHK55w@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ce13cc05caf22e82"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/syi9JatWmV1Mk7BXmFUjpJbfjTc>
Subject: Re: [TLS] ECH AAD for HRR
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2021 17:13:28 -0000
That's right. The AAD and actual CH should be exactly the same, apart from the payload being zeroed in place. You don't need to reserialize the structure as a server, or serialize ClientHelloOuter twice as a client. On Wed, Sep 1, 2021 at 1:01 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > (Apologies for the acronym laden subject:-) > > I'm more or less at the "code complete" stage of > implementing draft-13 incl. HRR. (If anyone wants > to try interop, for now please contact me, but I > should have a server up in a few days.) I'm sure > as usual I'll have gotten some details wrong, but > I wasn't clear about one thing: > > - When sending the 2nd CH following HRR, the spec > calls for omitting the "enc" field of the ECH > extension ("enc" holds the sender's public HPKE > value that's re-used from the 1st CH). > - The AAD for that ECH encryption is the outer > CH with zeros replacing where the ciphertext will > go. > - I concluded that the sender's ECH public value > (the "enc" field) ought not be present in the > AAD in that case, as well as being omitted in > the ECH value, but it wasn't entirely clear to me > from the spec (and it'd work either way). > > So my question is: did I get that right or not? > > Thanks in advance, > S. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] ECH AAD for HRR Stephen Farrell
- Re: [TLS] ECH AAD for HRR David Benjamin
- Re: [TLS] ECH AAD for HRR Christopher Patton
- Re: [TLS] ECH AAD for HRR Stephen Farrell
- Re: [TLS] ECH AAD for HRR Stephen Farrell