Hi all,

> 1. Generic question: Should the construction of the additional data be
> dependent on what is transmitted over the wire or should it be based
> on a "pseudo header"? DTLS 1.2 uses a pseudo header and DTLS 1.3 the
> data transmitted over the wire in the additional data calculation.

I'd like to point to some related work that could shed light on this question. The decision for TLS 1.3 was to authenticate all data that is written to the wire, as this allows for proving the record layer secure [1] in a strong model for secure channels [2]. However, the formal models of [1,2] assume reliable transport (i.e., TCP): failure to deliver packets in order is deemed an attack. Therefore, the definitions would need to be changed in order to account for the case of DTLS. (I'm not sure if this has been studied.) My hunch is that the same design pattern (i.e., "authenticate everything on the wire") would be called for, but I've not seen formal evidence either way.

> 2. Specific question: Should the CID be included in the additional data
> calculation, particularly for the case where it is only implicitly
> sent? Asked differently, are there attacks possible?

Unfortunately I'm unfamiliar with the specific problem at hand, as I've not been following DTLS' development. (I'm in the middle of writing my thesis.) That said, I don't see a problem with having the AAD include *both* the record header *and* something else, like the CID. And it may very well prevent an attack.

Chris P.

[1] https://eprint.iacr.org/2018/634.pdf
[2] https://eprint.iacr.org/2017/1191.pdf
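
Added example, not part of the original message and not taken from any DTLS implementation: a Go sketch of the two AAD constructions discussed above (wire header only, versus wire header plus an implicit CID), using AES-GCM from the standard library. The 3-byte header layout, the one-byte CIDs and the names buildAAD, sealRecord and openRecord are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed toy record, NOT the DTLS wire format: the header on the wire is
// type(1) || seq(2); the CID is implicit (each peer holds its own copy).

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// buildAAD returns the wire header alone, or the header followed by the
// length-prefixed implicit CID when bindCID is set.
func buildAAD(hdr, cid []byte, bindCID bool) []byte {
	aad := append([]byte{}, hdr...)
	if bindCID {
		aad = append(aad, byte(len(cid)))
		aad = append(aad, cid...)
	}
	return aad
}

func sealRecord(key, nonce, hdr, cid, pt []byte, bindCID bool) []byte {
	return newAEAD(key).Seal(nil, nonce, pt, buildAAD(hdr, cid, bindCID))
}

func openRecord(key, nonce, hdr, cid, ct []byte, bindCID bool) ([]byte, error) {
	return newAEAD(key).Open(nil, nonce, ct, buildAAD(hdr, cid, bindCID))
}

func main() {
	// Constructed test values; a real record layer needs a unique nonce per record.
	key, nonce := make([]byte, 16), make([]byte, 12)
	hdr, pt := []byte{23, 0, 1}, []byte("app data")
	for i, bind := range []bool{false, true} {
		nonce[11] = byte(i)
		ct := sealRecord(key, nonce, hdr, []byte{0xA1}, pt, bind)
		_, err := openRecord(key, nonce, hdr, []byte{0xB2}, ct, bind) // receiver assumes another CID
		fmt.Printf("CID in AAD=%v: CID mismatch detected=%v\n", bind, err != nil)
	}
}
```

With the wire-only AAD the tag verifies even though the two sides disagree on the implicit CID; with the CID appended to the AAD the same disagreement makes decryption fail.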