IETF Logo Mail Archive

Re: [TLS] Choice of Additional Data Computation

Eric Rescorla <ekr@rtfm.com> Fri, 24 April 2020 20:43 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E86DA3A0AF1 for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 13:43:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hLLYSYqYeLCG for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 13:43:11 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 249C03A0AF0 for <tls@ietf.org>; Fri, 24 Apr 2020 13:43:11 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id j3so11335146ljg.8 for <tls@ietf.org>; Fri, 24 Apr 2020 13:43:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xAobyx51xZnd8tkCaha+OWdKLpeQuuGu3Q06iqJ/SKI=; b=euYRtf9vhavqcvg1R9yqk1snYhVeMFv6cLxc8wNXJ3/i3bv84Arvc2unN2dbNgqKWf e/ABa49cC78dghUbZ87y977PjThI0DYfQOUxPXgDobWLB7fx0lfzCV+sVGBTUgZzQRcB MF9hTCHsdYA7o3YrCdC5yMZ8xsMCh2DCWbjKpfger2YLNtdaaTQaf8c+7BNOimPbm+yu n1/Tzvq2jOwHnfFFUbH0GFAH4AStZ3CwqEwShno0YHwEVLFN47zYsxD5ZajieEe0+f9b 1WWR/vLqySR7qjGAHHX8k/O8cjz/L8Ng8ZwB98bT1opbMOe4mLjqhZrSDSbOfGJpKiET qMrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xAobyx51xZnd8tkCaha+OWdKLpeQuuGu3Q06iqJ/SKI=; b=I0QRylOQsi6v1mgMEPPmCi7u2cXWn1dayYxpbwiIoXRTB2iDVDSvio6vbYdpahxuA7 Vg6OnBsNsmszrbya1wYdYnzZDsOGnJZu8YbMVhcF1FibigQwXK5R/j6umQQupiy0pH1p OAEX8U7wQtwkkueeG3o4X9Dp53bIvC4JfARqJsqnEptVEC63SMfXhRaFDBQphWY6kGsh Nju5KfTG11f3s0YBnlT84JezV0wzEUVzAMEWYYTdBVCQim3N0VuxF52doYa4jEtASeht 9rigzojw981SI4RhtzICmKbPkkSRa9gIz0t2Zj3FcCzUAhz+Cdia7881hMxLpFa+4l9i ynsQ==
X-Gm-Message-State: AGi0Pub7wH6C9SY9L+Q/4Kb2teJXUTs9+6bDoOhzG5vHJg5EWOByfXxe y7d1srwpoDiXFRvvb0mA6xvZSpv1+JOhb6wZj3rZL+8gkns=
X-Google-Smtp-Source: APiQypItx9eYYVJCpRjDhUQd0lzlGUuvcRbDNuQejwrAkeIkkhCj2pppMRTLRJ31PsjzHT/4y1Tn6yk/uyfoM9utbgU=
X-Received: by 2002:a2e:2414:: with SMTP id k20mr6906684ljk.162.1587760989237; Fri, 24 Apr 2020 13:43:09 -0700 (PDT)
MIME-Version: 1.0
References: <AM0PR08MB371694E826FA10D25F2BA53EFAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <93042b37-37e1-5b6a-3578-a750054d0507@gmx.net> <AM0PR08MB3716541F4825F8D43DC3D308FAD00@AM0PR08MB3716.eurprd08.prod.outlook.com> <CACLV2m4-Qcx-xKWP201VCY73HVyjCzHVCb6PrntnBWhA8fBQYg@mail.gmail.com> <AM6PR08MB3318B6ABD411C8C476C3D10B9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBOwK7m465LsbY3U+bHv0XA2rcGOTEBStTtTNkwAYvWeQA@mail.gmail.com> <CACLV2m5Md2+Ffc978ZJ+BeZwRgcXTV3xE0vXzmvNgnot_c71xQ@mail.gmail.com> <AM6PR08MB331862B6F143652F4B4C10EE9BD00@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBMKoVrcN-=aTvy6py5bhOwOVrhgVLmtX2tthc=Oa54b_Q@mail.gmail.com> <CACLV2m7knyt-gQoQq2v1Kz-J62DPjCpb6faJFfDgJ-8mprHwxQ@mail.gmail.com> <CD3D3519-281A-469E-AB5C-FB5E26816958@arm.com>
In-Reply-To: <CD3D3519-281A-469E-AB5C-FB5E26816958@arm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 24 Apr 2020 13:42:33 -0700
Message-ID: <CABcZeBPJZKOCN7p52htHBERCVVxBJSTvJfOwn5=u6zZJLRfkfQ@mail.gmail.com>
To: Thomas Fossati <Thomas.Fossati@arm.com>
Cc: chris - <chrispatton@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c0a4c505a40f694f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/w_TejcFu4maiT9WcDpAINfKNxtA>
Subject: Re: [TLS] Choice of Additional Data Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 20:43:13 -0000

On Fri, Apr 24, 2020 at 12:56 PM Thomas Fossati <Thomas.Fossati@arm.com>
wrote:

> On 24/04/2020, 19:53, "chris -" <chrispatton@gmail.com> wrote:
> > [...] the details of how to decode the data on the wire begin to
> > really matter for the proof (and potentially for an attacker).
>
> I have zero experience with formal security proofs, so I need to trust
> your assessment here, which looks like the crux of the argument against
> authenticating the pseudo-header alone.
>
> > I don't think it would hurt to authenticate more than this, e..g.,
> > other fields that the sender and receiver need to agree on.
>
> IIUC the other seemingly critical thing for the security proof of TLS,
> which I think it's critically important we try hard not to diverge from,
> was
> authenticating the length of the record:
>
> > [...] all we cared about is that the header correctly encodes the
> > length of the next ciphertext to decrypt.
>
> The thing is with UDP it is trivial for an attacker to truncate a
> datagram and therefore change the *implicit* length of the carried
> record and go undetected if that is not included in the authenticated
> data.  So it seems that - at a minimum - we should always authenticate
> the length even when it is not put on the wire.
>
> And if we need to do that, keeping the implicit CID looks like a
> no-brainer to me.
>

I do want to be clear that AEAD functions implicitly authenticate the
length of the input. But I'd like to hear Chris weigh in on whether he
thinks we should have them explicitly in the AD (and whether that should be
true in QUIC too).

-Ekr


>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
>

v2.23.0 | Report a Bug | By Email