Re: [TLS] Choice of Additional Data Computation

chris - <chrispatton@gmail.com> Fri, 24 April 2020 21:29 UTC

From: chris - <chrispatton@gmail.com>
Date: Fri, 24 Apr 2020 17:29:29 -0400
Message-ID: <CACLV2m6D=DrHH+66V1HC8RMQytggpkcxutZD=p0GP1dpcqjhVw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Thomas Fossati <Thomas.Fossati@arm.com>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wiHaycUzHWpVD2Tvfbl5piT9-H4>

>
> But I'd like to hear Chris weigh in on whether he thinks we should have
> them explicitly in the AD (and whether that should be true in QUIC too).
>

I would need to study the specs in order to provide an intelligent answer
here. Off the hip, it would seem to depend on how the boundaries between
record headers and ciphertexts are determined. Taking a quick look at
draft-37, Fig. 4: the "full" header includes three values that are excluded
from the "minimal" header, the length of the ciphertext being one of the
fields. Presumably, when using the "minimal" header, the length is a
parameter that the sender and receiver already agree on. If this is the case,
then I don't see a need to add the length to the AD. If the attacker
manages to convince the receiver to use the wrong length parameter (maybe
this is negotiated during the handshake?), then as Ekr points out, AEAD
decryption would fail, thereby "implicitly authenticating the input length".

Chris P.
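
The implicit length authentication discussed in the message above, shown as an added example (not part of the original email, and not the record format of any draft). It assumes AES-128-GCM from Go's standard library, a constructed key, a hypothetical one-byte header with no length field, and a nonce derived from the sequence number; the AD is the header alone, and a receiver that cuts the record at the wrong length gets an authentication failure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample values, for illustration only.
var (
	key    = []byte("0123456789abcdef") // 16-byte AES-128 key
	header = []byte{0x20}               // hypothetical minimal header: no length field
)

func newAEAD() cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a 16-byte block cipher
	return aead
}

// nonce builds a 12-byte per-record nonce from the sequence number.
func nonce(seq byte) []byte { return append(make([]byte, 11), seq) }

// Seal returns header || ciphertext || tag. The AD is the header alone;
// the ciphertext length is not part of it.
func Seal(seq byte, plaintext []byte) []byte {
	return newAEAD().Seal(append([]byte{}, header...), nonce(seq), plaintext, header)
}

// Open takes the first record off buf using the length the receiver believes
// was agreed (ciphertext plus 16-byte tag), with the same header-only AD.
func Open(seq byte, buf []byte, ctLen int) ([]byte, error) {
	if ctLen < 0 || len(buf) < len(header)+ctLen {
		return nil, fmt.Errorf("buffer shorter than expected record length %d", ctLen)
	}
	return newAEAD().Open(nil, nonce(seq), buf[len(header):len(header)+ctLen], buf[:len(header)])
}

func main() {
	// Two 8-byte records back to back; the agreed length is 8 + 16 (tag) = 24.
	buf := append(Seal(0, []byte("record-0")), Seal(1, []byte("record-1"))...)
	pt, err := Open(0, buf, 24)
	fmt.Printf("agreed length 24: %q err=%v\n", pt, err)
	_, err = Open(0, buf, 20) // receiver was steered to a wrong length
	fmt.Println("wrong length 20:", err)
}
```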