Hi Ilari, On 15/06/2016 17:23, "TLS on behalf of Ilari Liusvaara" <tls-boun...@ietf.org on behalf of ilariliusva...@welho.com> wrote:
>On Wed, Jun 15, 2016 at 09:44:18AM -0400, Daniel Kahn Gillmor wrote: >> On Wed 2016-06-15 04:44:59 -0400, Yoav Nir wrote: >> >> To be clear, we're being asked to trade these things off against each >> other here, but there are other options which were ruled out in the >> prior framing of the question which don't rule either of them out. >> >> In particular, if we're willing to pay the cost of a slightly more >> complex key schedule (and an increased TLS record size), we could have >> "packet header" keys which protect the content-type itself for all >> non-cleartext TLS records. If we do that, these keys might as well also >> be used to protect the TLS record size itself. This would result in an >> opaque data stream (though obviously record size would still leak in >> DTLS, and timing and framing is still likely to leak the record size in >> the lowest-latency TLS applications). > >Does this need to enlarge TLS record size? Why doesn't encrypting the >content-type/length and then authenticating those off main MAC work >(that's how SSH with CHACHA20-POLY1305 does things)? I presume >problems from header-flipping (tho in TLS that will kill the >connection if you try...) Yes, this can be made to work in the style adopted for ChaCha20-Poly1305 in SSH. However, because the record length is now determined by data that is encrypted, and you need to know its value in order to "receive" enough bytes to have obtained the record MAC which comes at the end of the record, and because the record MAC can't now be checked before you make use of the length field .... you need to be a bit careful. But it can be proved secure when using certain AEAD schemes as the basis, and in a suitable security model that allows for decryption in part depending on data that was acted on before it was unauthenticated and for delivery of records in a fragmented fashion. Just don't use CBC mode for the encryption :-) (A more serious point: this kind of thing would not be secure using a generic EtM-style AEAD scheme as the building block.) In fact, if you're careful enough with the analysis, you can improve a bit on the ChaCha20-Poly1305 construction in SSH: it currently uses a 64-byte key, with 32 bytes being used to create one ChaCha20 context for encrypting the length field and another 32 bytes being used to create a second ChaCha20 context for encrypting the rest. This is not necessary if you construct the ChaCha20 nonces/IVs in a slightly different way - a single ChaCha20 context suffices. The same ought to be true in the slightly different TLS setting, and also for an AES-GCM-based construction. Happy to follow-up with discussion of more details if people seriously want to consider this kind of construction for TLS 1.3. It's not what's currently on the table, but maybe it should be... Cheers Kenny > >Also, in DTLS, there could be issues switching the encryption on >(but then, looks like DTLS 1.3 has other unsolved problems >currently..) > > >-Ilari > > >_______________________________________________ >TLS mailing list >TLS@ietf.org >https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
