Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-connection-id-07
Eric Rescorla <ekr@rtfm.com> Thu, 15 October 2020 16:00 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB41C3A08B6 for <tls@ietfa.amsl.com>; Thu, 15 Oct 2020 09:00:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eOpOQU1lmpDL for <tls@ietfa.amsl.com>; Thu, 15 Oct 2020 09:00:23 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0D673A08AE for <tls@ietf.org>; Thu, 15 Oct 2020 09:00:22 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id h6so4219095lfj.3 for <tls@ietf.org>; Thu, 15 Oct 2020 09:00:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HA1xNOv2Wx9BpaeP5gmFnnonMl08tR9EcDquXynWuko=; b=L1eNkz5W4yvBCL+1lAQe4fL0n0XoWHOaQb07eBYD5DwH4Z4+tYo+8+353AdRersNeL 4jwMbPUsfis03A6tv7gEJjjwL+nlHT7/o6COpWLkXWjuwmfNxTfP8bEdeY1sCiJTBZJf gmvixBqaG8reDBpKen1iIhJddRetI3Q7ss/YxRsRDKU1EBz281mRyl/pK76HfC2uX7L8 Y3yT4K3stpdM186sOjo4oTvaMZoWs1ICpPqJPLVppmyqGbWpzFRCZ7s02ivw5TxxiYMZ JyD6MvHVtE95VQuvKCOv93M3UCapQUj+rp2pe6VikzJlVTlzeqAT7L1bsxIbpu70dNLu Ag9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HA1xNOv2Wx9BpaeP5gmFnnonMl08tR9EcDquXynWuko=; b=f4YLSMRv3LUjJ1Y3d1pnv1wjlMgfY6IphtJp2ER1wSrwVERvBfO/bHhkyTmrLKKtWX Ab0PYtMoln+YokfrvB1x1gP7U7xFNLRy/jnmg/D3VNOySTq9u+qkMDih1my6DVWLad8S bgWHDlWVqHlQF9ziBrx/IsUuDkz957P25S8/9T12BLVgzijNZZPAW1qnt6rxrUCOkXR0 XcBuGy6h55ci7bbo8l+QPJHTuetWGMjv3DjOxCKSyp0Z2ROLMuUZv753jX5iZ5Jre7lY 2/bChdB1Dv2MU93dZ1QBfcWXXkhGh/7IxKNQFTYvD4DTnG/U1rO/tMTi9CVJV6sYN0V1 1NCA==
X-Gm-Message-State: AOAM533awOMApzMMeRzK8w959YE6UGbYAiN11DYDWViHhIudUPzToAF4 8SkS1hLAIBMnWFAubwwkj0RhRYZtA9vTqzSlQiun8g==
X-Google-Smtp-Source: ABdhPJy78SKgX9QUQ6El3lOuKgSYQ2jlfWCkvT6sLLGkguwwY9rlAcEVMYMj48qCdxqR0z4bFuxkOC7Xjda+f/rxM5c=
X-Received: by 2002:a19:2294:: with SMTP id i142mr1248593lfi.579.1602777620688; Thu, 15 Oct 2020 09:00:20 -0700 (PDT)
MIME-Version: 1.0
References: <20201008233454.GF89563@kduck.mit.edu> <6185242d-8ba8-2d2f-5938-afad46c2e854@gmx.net> <20201009212240.GK89563@kduck.mit.edu> <fe7eab66-a14a-5f18-46be-7bae471c3b20@gmx.net> <CAOgPGoBWRyqQUNk3JQx2_Cna-7s-A7gENVwW-sh8+tRoJ_=V_Q@mail.gmail.com> <13a821d3-30cc-94b8-842c-22a87d280f09@gmx.net> <CACsn0cn4QcnaoocQeoiUXgGoAvfOs+1+Ei76z1Kuq8MMqNEh3Q@mail.gmail.com> <0327abb0-6317-b848-28d0-1fc50f4bf50e@gmx.net> <20201012200548.GD1212@kduck.mit.edu> <bab402e6-3353-d750-a849-21c91081f94e@gmx.net> <20201014212428.GP50845@kduck.mit.edu> <a7110178-6220-175e-869d-fcc44400f773@gmx.net>
In-Reply-To: <a7110178-6220-175e-869d-fcc44400f773@gmx.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 15 Oct 2020 08:59:43 -0700
Message-ID: <CABcZeBNocUYZO9yxuG-DYh33ss+Dum1EOxHYEdww5OCR=rKFXw@mail.gmail.com>
To: Achim Kraus <achimkraus@gmx.net>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Watson Ladd <watsonbladd@gmail.com>, Joseph Salowey <joe@salowey.net>, "tls@ietf.org" <tls@ietf.org>, draft-ietf-tls-dtls-connection-id@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bc465005b1b7bea4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xuZg9jHd05n036U4qvykDttfi6w>
Subject: Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-connection-id-07
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 16:00:25 -0000
I would like to make several points here: - In terms of operational practice, in order for a server to function correctly, the CID must either be fixed-length for all clients that might need to be demuxed *or* self-describing. Otherwise, the server will not be able to determine the correct CID. I believe this is clear in the specification: Because each party sends the value in the "connection_id" extension it wants to receive as a CID in encrypted records, it is possible for an endpoint to use a globally constant length for such connection identifiers. This can in turn ease parsing and connection lookup, for example by having the length in question be a compile-time constant. Implementations, which want to use variable-length CIDs, are responsible for constructing the CID in such a way that its length can be determined on reception. Such implementations must still be able to send CIDs of different length to other parties. Note that there is no CID length information included in the record itself. This is an important space optimization and in fact was one of the key points in getting us to variable CIDs in QUIC, so I would not want to take a regression here. - I agree with Ben that the current construction has some awkward properties and that prefixing the length field would remedy that. It's been quite some time since we had this discussion but as I recall the rationale was to protect the bits on the wire as-is rather than some reconstructed version of them (see a number of long discussions on this topic), so just prefixing the CID length is also not ideal. - To the best of my knowledge, the ability to just disclose the encryption key but not the MAC key has never been part of the official interface of TLS -- and of course it doesn't really work with many AEADs. So, anyone who is doing that is off the fairway and I don't think has any security guarantees (TLS aside, many application protocols have surprising security properties in this situation) With that said, we shouldn't break such uses unnecessarily, and it seems like there might be other negative side effects of the current construction. So on balance, I think we should try to fix this. I'm slightly less enthusiastic about just swapping the length field, because I'd prefer to MAC the literal bytes (though perhaps we'll just have to live with that). However, it might be worth bikeshedding that some. Here's one potential alternative, though I haven't studied struct { uint8 marker = tls12_cid; uint8 cid_len; uint64 seq_num; uint8 cid = tls12_cid; \ uint16 DTLSCiphertext.version + | appears on wire | non-CID MAC input opaque cid[cid_len]; / | uint16 length_of_DTLSInnerPlaintext; / } This is a little goofy but it has (I think) the properties that (1) the bytes appear in the MAC in the order they appear on the wire (2) fixed-length metadata appears in the front (the seq_num already does) (3) the duplicated tls12_cid in the front avoids confusion with MAC input for other records. -Ekr On Wed, Oct 14, 2020 at 11:12 PM Achim Kraus <achimkraus@gmx.net> wrote: > Hi Ben, > > > The attack does not require that both are valid for the same peer at the > > same time -- the attack can still occur when the party producing the MAC > is > > induced to use the "wrong" (invalid CID) interpretation of the byte > stream > > but then the version with valid CID is presented to the party verifying > the > > MAC. > > Though I consider the CID mainly as lookup-key for the security context, > including the MAC_write_key for Block Ciphers or the write_key / > write_IV for AEAD Ciphers provides in almost all casses the protection, > not the cid in the MAC. The only exclusion would be, if two different > cids point to the same security context. With a injective cid encoding, > that is mitigated. > > As far as I understand your description: > > 1. The (server) peer 1 used cid "abcd" for it's encryption context. > > 2. An attacker modifies that cid "abcd" into a different cid (any > assumptions about that? Should it be "abcd12"? Or "ef3456"? Or no > special consideration?) > > 3. Then the other peer 2 uses the modified cid to place it into the > FINISH record and to calculate the MAC for that. The used security > context on peer 2 is NOT defined by that modified CID, it's defined by > peer 1's 5-tupel (according draft-ietf-tls-dtls-connection-id-07). > > 4. Now peer 1 will use the modified cid to > 4.a. lookup the security context. What is assumed as result here? > 4.b. calculated the MAC using the security context and modified cid > > In my opinion, the MAC verfication generally fails, if at least one > input is different. So either a different security context or a > different cid will fail the MAC verification. > > Though you say, that not both cids need to be valid for peer 1, the > consequence for me is, that peer 1 knows only the unmodified cid, but > not the modified cid. With that, peer 1 doesn't even have a security > context to calculate the MAC with. > > It's totally mystic to me, what you assume as attack. > > I guess, you adapt now your example. If so, would it be possible, that > you try to follow the above steps and show, where you deviate? > > > If the internal structure (including length encoding) of the CID is > > opaque to the party producing the MAC, that party cannot validate the > data > > used as input to the MAC. > > > > (Sorry for duplicating this previous paragraph here and on the github > > issue.) > > > > From the github issue: > > > In short, you asked me to show how having a cid-length (in a different > > position than currently) will prevent an attack: the attack in > > question occurs when the client is generating a (its first) MAC, not > > at the time when the MAC is validated. > > I still fail to follow your description, even with that amend. > Would it be possible, to get more information about an attack applied on > the generation of a MAC (above in step 3)? Or does the effect occur in > an other step (maybe 4)? Which effect should be considered? > > Maybe, someone else has also an opinion about that attack or the > description. > > best regards > Achim Kraus >
- [TLS] AD review of draft-ietf-tls-dtls-connection… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- [TLS] Fwd: Re: AD review of draft-ietf-tls-dtls-c… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] AD review of draft-ietf-tls-dtls-connec… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Michael D'Errico
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Joseph Salowey
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Watson Ladd
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Ilari Liusvaara
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… antoine
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… antoine
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Michael D'Errico
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Peter Gutmann
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Achim Kraus
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Benjamin Kaduk
- Re: [TLS] Fwd: Re: AD review of draft-ietf-tls-dt… Eric Rescorla