Re: [TLS] DTLS 1.3 AEAD additional data

Hanno Becker <Hanno.Becker@arm.com> Thu, 23 April 2020 06:43 UTC

Return-Path: <Hanno.Becker@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 857803A1575 for <tls@ietfa.amsl.com>; Wed, 22 Apr 2020 23:43:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=mYcNM2r9; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=mYcNM2r9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CCTA5HRvxDDv for <tls@ietfa.amsl.com>; Wed, 22 Apr 2020 23:43:34 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2075.outbound.protection.outlook.com [40.107.21.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C6F43A1574 for <tls@ietf.org>; Wed, 22 Apr 2020 23:43:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4WzTiaN/XjMnNAK0k682BfXDpb2zsknnUYYEnLRcsuM=; b=mYcNM2r9lMny0sk51Z52j9ak0rdKEHoCTAgk401e/vEdRCQm3BMnby+z2DE1xnSIHc8CSw0sxkMGY0bClHfA0rfSkoWeHnRdHGmwZHDXdNjgnq5G+EHRX3xSPWIUgkd7clZnaax0Wb4OnI0M3//7kGUvIahLTrylcfZBDcpXsxM=
Received: from DB6PR07CA0055.eurprd07.prod.outlook.com (2603:10a6:6:2a::17) by VI1PR08MB3357.eurprd08.prod.outlook.com (2603:10a6:803:45::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2921.27; Thu, 23 Apr 2020 06:43:30 +0000
Received: from DB5EUR03FT003.eop-EUR03.prod.protection.outlook.com (2603:10a6:6:2a:cafe::a1) by DB6PR07CA0055.outlook.office365.com (2603:10a6:6:2a::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.7 via Frontend Transport; Thu, 23 Apr 2020 06:43:30 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT003.mail.protection.outlook.com (10.152.20.157) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.19 via Frontend Transport; Thu, 23 Apr 2020 06:43:30 +0000
Received: ("Tessian outbound d63670e9da8f:v53"); Thu, 23 Apr 2020 06:43:30 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 978f4bf6ff0417ba
X-CR-MTA-TID: 64aa7808
Received: from 2d128a0d0783.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 425A641D-0404-4EFC-B1CA-9C1B97B61C86.1; Thu, 23 Apr 2020 06:43:25 +0000
Received: from EUR02-AM5-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 2d128a0d0783.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Thu, 23 Apr 2020 06:43:25 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ks8vPKBbOsgfTKxS+h7E+Ak0Syn6JeprMXNULDu16y7bl0p7yrNqXfxw5COswUwuk9grIQ2IJylvNKI5wy1wkzXgg1j5jVPhUSb6bctyogNyGK/9a+D7T22iKEhqxGAYr2kUaYf4Ed2XvpJ+aAe9r7yXN3eLeV5t9JJbEyzQe17A4QQCh5c1s1RFt+FktwHfAMZ9F6iDC5ctgtXYQ9+mfL4tESvb8nQyAALHHxLlFEfIW48IIsb1SoJJa/X3tV8bBw9uKS9+YECRAwJM2rjo1R03vjJcMlKvooGsuWL9HzDHWNcBN97Z3zXKsYQB8sY9PuACoK7LfZhQwAoJr98H0A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4WzTiaN/XjMnNAK0k682BfXDpb2zsknnUYYEnLRcsuM=; b=hLtXSOCmWteatJEqJGejp8inqW9DZFFHOno4UsQg7NZ38dmGR5KKOd798DRrj8x/aQIcfEjEylJLCbdbD7Vpg5tgFJxKxoGvvAOqoyauGNccMNGPc/cffmCPRl8cVUW143QKGj8ZDDTybxwfwprm3xvmaYhnjjF7t5mv+O0+r4CkL34ccKum/9YsflADNQIwvN+V5RVuWCem0Y7D5cDIjkUVrcQ/07ROAv3dFhM8RnjJ4QEQa8f8UDUFugDg7krI9DkY8sc+GTWCpU+PSr6gM7WG+KSIWGnAxl+wo45TqX8J07XAi8hltCfDxsn32h9QF/33unvYJDhxemsZvHZjmw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4WzTiaN/XjMnNAK0k682BfXDpb2zsknnUYYEnLRcsuM=; b=mYcNM2r9lMny0sk51Z52j9ak0rdKEHoCTAgk401e/vEdRCQm3BMnby+z2DE1xnSIHc8CSw0sxkMGY0bClHfA0rfSkoWeHnRdHGmwZHDXdNjgnq5G+EHRX3xSPWIUgkd7clZnaax0Wb4OnI0M3//7kGUvIahLTrylcfZBDcpXsxM=
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com (2603:10a6:209:45::15) by AM6SPR01MB0041.eurprd08.prod.outlook.com (2603:10a6:20b:29::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13; Thu, 23 Apr 2020 06:43:23 +0000
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::1579:b7d9:f543:200d]) by AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::1579:b7d9:f543:200d%5]) with mapi id 15.20.2937.012; Thu, 23 Apr 2020 06:43:23 +0000
From: Hanno Becker <Hanno.Becker@arm.com>
To: Eric Rescorla <ekr@rtfm.com>, Martin Thomson <mt@lowentropy.net>
CC: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] DTLS 1.3 AEAD additional data
Thread-Index: AQHWF+iN1gKILcDltkmRr5OfopCaAaiD3VMAgAB8FQCAAE7VmIAAawyAgAAHdS6AAB8+AIAACQCRgACPx4CAABkpAIAABDCAgAAC0ICAAEL8/A==
Date: Thu, 23 Apr 2020 06:43:23 +0000
Message-ID: <AM6PR08MB3318D5881B8D2BEFF938F2B79BD30@AM6PR08MB3318.eurprd08.prod.outlook.com>
References: <AM6PR08MB3318911C71C0DDB90480694A9BD50@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBMs+o4BU5VhqJKmQvnkEe9RkQXRv7Ej6pVD1-e1vdMoyA@mail.gmail.com> <CABcZeBM9Ri=Rz5kbWn08Vk-Y14MVSALwB1Bd9QV=HfWoq3XqSA@mail.gmail.com> <AM6PR08MB33184161239B6383EA7D776C9BD20@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBM4wVkH_pdTZMakyV9Y=tk8PNDknHTFhjwX-sw3GOOaZw@mail.gmail.com> <AM6PR08MB3318D6A11587449627F6EA679BD20@AM6PR08MB3318.eurprd08.prod.outlook.com> <CABcZeBNcODKehe217nr2jSedy6N6Gun+QYcksFp2Oqv6gLrzzw@mail.gmail.com> <AM6PR08MB3318717D21E69A2373AC1ACE9BD20@AM6PR08MB3318.eurprd08.prod.outlook.com> <8371994b-799c-4196-a3cd-4b0f71e24b5e@www.fastmail.com> <CABcZeBNbehkW8FO29DS00m19+b=dH8V8esscu8OU-mmaJf6etQ@mail.gmail.com> <5b74a840-a1cd-4b5b-a0c5-65320b851325@www.fastmail.com>, <CABcZeBOvm-nx6hKR79ChN=A4RFzWgt=-BzjORc=N7_A79tO6Ng@mail.gmail.com>
In-Reply-To: <CABcZeBOvm-nx6hKR79ChN=A4RFzWgt=-BzjORc=N7_A79tO6Ng@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
x-originating-ip: [86.177.220.146]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 34df9693-417e-4d9e-18fd-08d7e751a2c4
x-ms-traffictypediagnostic: AM6SPR01MB0041:|VI1PR08MB3357:
X-Microsoft-Antispam-PRVS: <VI1PR08MB33572334F9888A71A06BCD9E9BD30@VI1PR08MB3357.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:8273;OLM:9508;
x-forefront-prvs: 03827AF76E
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR08MB3318.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(136003)(39860400002)(376002)(346002)(396003)(366004)(19627405001)(8676002)(8936002)(110136005)(316002)(5660300002)(53546011)(6506007)(7696005)(2906002)(478600001)(71200400001)(81156014)(33656002)(52536014)(9686003)(4326008)(86362001)(55016002)(26005)(966005)(66556008)(64756008)(66946007)(76116006)(66446008)(186003)(66476007); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: 9GtFttZAPcsGLy1+whbMjzwqeyMo0ylackk6Z5b7ngwsjIXlIxN04P8jOb4OanL8s1qRhUeJJuXjD7Y37KFtm5fJYt6t+6UVvXvAX+k3cuniv6r8j/Geql65TGVU2fpaKQVsnDDI4/9P76xAFe3DJFQAB4UmURK7cDKsQhUrP/ERZlBrvF55oJVLuypUSjRJe9Nqi+TSYV6wxZXUC8xc+cvgGyeE0Z5gKLKWgF4yF+V9fezOdy9qCMhEgVViGxu4S+3APmWOEgVI3PcEBDufHuDfHZ6vp10djaUmJif7G6FbHimVfrGdD/z1hHKKnvlHnvCnzcWURaCbndl8W9/khA1/x7qN67tDrgrTKGWaUmdU+ohBaTIa4wnjKzvGNrUyrOkk0z65MqcB6i+a6+28sY5Wvclg/M75FVvac2SdFwEVwPtdZ/XjIHDcrie1g//YLWTl+NV0KEje/b67vxBLOBAybE2mBRQQ/eTDY4VXeh8/NenMAE/bWRc7aTGE8yiJJ7rK1Y4fy1C5LZGa+7yHgQ==
x-ms-exchange-antispam-messagedata: dV3vxf5foC4c6fHRafkS6bu865Kbe+dExRelQhK0h9e97PLarvZj8KPN5ObQ+KMAEoFrDWAgBW9S9BPT5uvoBnyVyttxOH87E6vu4mx9Goya/4NLatg4BtsCULUv7VVq3z+cUqvLUuGz9EirGmUfTg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM6PR08MB3318D5881B8D2BEFF938F2B79BD30AM6PR08MB3318eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6SPR01MB0041
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT003.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(376002)(136003)(39860400002)(346002)(396003)(46966005)(86362001)(2906002)(81156014)(4326008)(26005)(5660300002)(9686003)(33656002)(6506007)(55016002)(81166007)(70586007)(53546011)(356005)(82310400002)(52536014)(70206006)(186003)(8676002)(316002)(7696005)(478600001)(19627405001)(336012)(966005)(82740400003)(110136005)(47076004)(8936002); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 11844a3a-a376-4a51-0d85-08d7e7519ea3
X-Forefront-PRVS: 03827AF76E
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: QN97sC/F0YGSZ9SobIZaxBr3TDEND1E/ThHbbDp6BN8W2lrwSWkzxEkJ7KKrf/6OIdffbmHFCUd8xCt6rr/s9l2BpriSHXqfJWRuGoF0RgapP1gidp7wqLukiXw++NlScn5DKT6F7EMlvZ/dJimTEVmFG/x47c86OTPAWyRqfEc+4tZQIKDdRsmUIYLS56APdYH8Wdc9JISQIaMTqOV0K3SVnxNZuDwyDoD26a9GHvZCoK5m2Ork1HI4/gOD0W/OD2pYj9ccCnTq0IzwdAhOtqxlnP3f4vG7WDbO2LO2KkBp6HMCYQjZKhl5zg/ZF7g1aKO+CLESgFUu383AlC6ud3bWck6OUwYYwgV1zHxvFNaeyBFwqZIH7qGQvoP5N65ITuJ9W3uB6Txwfze54olG/1vNqQT285thaWLDniySItnddIeBM3vAfiHqUJ1hhqEAQ/nVy61fy8/LYs3Fz0YsMIapTO7DhkIl3d9kQVBn1oP6nksSWyVjFy0o6Hwc4PnCuVsWxY3c1YdasPRuoxSceIeVXQHcifZli56E3wJqApwDbn9uWK0VoALjDK1xO+R47kCygoy6VLcf0bmZPQkXLg==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Apr 2020 06:43:30.5272 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 34df9693-417e-4d9e-18fd-08d7e751a2c4
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR08MB3357
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-d4wVmuPUeE90Rf1dMniCVlTQl4>
Subject: Re: [TLS] DTLS 1.3 AEAD additional data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2020 06:43:38 -0000

Hey,

Thanks for joining in, Martin and Chris.

> But Hanno's proposal is a terrible thing to have to implement.  You have to assume that there is some way to recover which CID to use in decrypting any record.  You might save some datagram-local state, but that's awkward.  Stacks that I've worked on try very hard not to have state transmission between records for good reasons.  So this would be a fairly bad complication.  Separately, I hope that no one would be contemplating trial decryption for this, which would be terrible.

Yes that's a fair point and also applies to Ekr's proposal https://github.com/tlswg/dtls13-spec/pull/143. Moreover,
the same layer-mixing criticism applies to the draft as it stands as well as to the other proposed solution, as mentioned before:
When you prepare a record, you need to know where it resides within a datagram in order to choose the best header and
AAD: You need to know if it's non-initial within the datagram to decide if you can omit the CID, and you need to know if
it's terminal to decide if you can omit the length.

In contrast, if you decouple the choice of header format from the AAD, record protection can be done prior to
passing the record to the datagram layer. As mentioned initially, this not only increases modularity within the
stack, but also allows e.g. to change the header towards more aggressive compression at the entry of a highly
constrained network, which I believe is indeed a feature and not a "defect" and increases suitability
of DTLS 1.3 for the IoT.

The CID maintenance for incoming records can be avoided when forbidding CID elision, as suggested by Ekr.
Comparing the state maintenance complications this avoids to the increase in header size it introduces, maybe
that's the way to go, as the state maintenance indeed seems to be the bigger pain.
However, even if CID elision is removed, I maintain the proposal to always use the logical presentation of the header
for AAD, for all the mentioned reasons: (a) No interleaving of record and datagram layer, (b) conceptual clarity and
independence of [header] compression methods from cryptographic computations, as e.g. in cTLS, (c) dynamic
choice of header depending on network paths. All those issues persist when sticking to the on-the-wire AAD.
What are your reservations towards this?

Cheers,
Hanno
________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Eric Rescorla <ekr@rtfm.com>
Sent: Thursday, April 23, 2020 2:49 AM
To: Martin Thomson <mt@lowentropy.net>
Cc: <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] DTLS 1.3 AEAD additional data

OK but we would expect the peer to process CID-less records if they are coalesced?

-Ekr


On Wed, Apr 22, 2020 at 6:39 PM Martin Thomson <mt@lowentropy.net<mailto:mt@lowentropy.net>> wrote:


On Thu, Apr 23, 2020, at 11:24, Eric Rescorla wrote:
> On Wed, Apr 22, 2020 at 4:54 PM Martin Thomson <mt@lowentropy.net<mailto:mt@lowentropy.net>> wrote:
> > I prefer Ekr's solution, but I would go with that being a recommendation (SHOULD) as opposed to a requirement (MUST).
>
> Can you clarify where you think we should say SHOULD?

The security considerations seems right.  After the list of improvements over DTLS 1.2 CID.  You would say that an endpoint that is asked to provide a CID SHOULD provide one in every record (with the compact header, etc...).  If it does not, then it might be possible for an attacker to use that record to confirm guesses about linkability between two paths.  Also, omitting the CID might make it hard to route datagrams.

With all of this, you might want a section heading for all the CID stuff.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.