On Fri, Apr 24, 2020 at 9:20 AM Hanno Becker <hanno.bec...@arm.com> wrote:
> Hi Chris,
>
> Just a note on the comparison with TLS 1.3.
>
> > I'd like to point to some related work that could shed light on this
> > question. The decision for TLS 1.3 was to authenticate all data that is
> > written to the wire,
>
> It doesn't seem straightforward to extrapolate from that case since the
> 'pseudo-header' and on-the-wire header are the same here, as TLS 1.3
> doesn't have any header data which is shortened or omitted on the wire.
> In DTLS 1.3, in contrast, various fields can be dropped or shortened,
> such as the length, sequence number, CID.

I'm not sure if it's straightforward, but I would note that in TLS 1.3, we
did *implicitly* authenticate the length because AEAD provides that, but
nevertheless one of Chris's recommendations was to include it in the AAD.

-Ekr

> Best,
> Hanno
> ------------------------------
> *From:* TLS <tls-boun...@ietf.org> on behalf of chris - <chrispat...@gmail.com>
> *Sent:* Friday, April 24, 2020 4:56 PM
> *To:* Hannes Tschofenig <hannes.tschofe...@arm.com>
> *Cc:* tls@ietf.org <tls@ietf.org>
> *Subject:* Re: [TLS] Choice of Additional Data Computation
>
> Hi all,
>
> > 1. Generic question: Should the construction of the additional data be
> > dependent on what is transmitted over the wire or should it be based
> > on a "pseudo header"? DTLS 1.2 uses a pseudo header and DTLS 1.3 the
> > data transmitted over the wire in the additional data calculation.
>
> I'd like to point to some related work that could shed light on this
> question. The decision for TLS 1.3 was to authenticate all data that is
> written to the wire, as this allows for proving the record layer secure [1]
> in a strong model for secure channels [2]. However, the formal models of
> [1,2] assume reliable transport (i.e., TCP): failure to deliver packets in
> order is deemed an attack. Therefore, the definitions would need to be
> changed in order to account for the case of DTLS. (I'm not sure if this has
> been studied.) My hunch is that the same design pattern (i.e.,
> "authenticate everything on the wire") would be called for, but I've not
> seen formal evidence either way.
>
> > 2. Specific question: Should the CID be included in the additional data
> > calculation, particularly for the case where it is only implicitly
> > sent? Asked differently, are there attacks possible?
>
> Unfortunately I'm unfamiliar with the specific problem at hand, as I've
> not been following DTLS' development. (I'm in the middle of writing my
> thesis.) That said, I don't see a problem with having the AAD include
> *both* the record header *and* something else, like the CID. And it may
> very well prevent an attack.
>
> Chris P.
>
> [1] https://eprint.iacr.org/2018/634.pdf
> [2] https://eprint.iacr.org/2017/1191.pdf
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
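The two AAD constructions discussed in this thread, as an added Go example that is not part of any message above: `wireAAD` covers only the bytes sent, `pseudoAAD` also covers an implicit CID and the length, and the `trim` case shows AES-GCM rejecting a shortened record even when the length is not in the AAD. The header bytes, CID values, AAD layout and the use of one key on both sides are constructed assumptions, not the DTLS 1.3 encoding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and nonce (fixed only so the example is repeatable).
var key, nonce = bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 12)

// wireAAD: authenticate exactly the header bytes sent; an implicit CID is absent.
func wireAAD(hdr []byte) []byte { return hdr }

// pseudoAAD: authenticate the header plus the CID each side assumes and the
// plaintext length, even when neither is on the wire (hypothetical layout).
func pseudoAAD(hdr, cid []byte, n int) []byte {
	aad := append([]byte{byte(len(cid))}, cid...)
	aad = append(aad, byte(n>>8), byte(n))
	return append(aad, hdr...)
}

// Opens seals a record under senderAAD, drops trim trailing bytes in transit,
// and reports whether the receiver can open it under receiverAAD.
func Opens(senderAAD, receiverAAD []byte, trim int) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	ct := aead.Seal(nil, nonce, []byte("hello"), senderAAD)
	_, err = aead.Open(nil, nonce, ct[:len(ct)-trim], receiverAAD)
	return err == nil
}

func main() {
	hdr := []byte{0x01, 0x02}          // constructed short header, CID omitted
	a, b := []byte{0xA1}, []byte{0xB2} // CID assumed by sender / by receiver
	fmt.Println("wire AAD, intact record:      ", Opens(wireAAD(hdr), wireAAD(hdr), 0))
	fmt.Println("wire AAD, record shortened:   ", Opens(wireAAD(hdr), wireAAD(hdr), 1))
	fmt.Println("pseudo AAD, CID views differ: ", Opens(pseudoAAD(hdr, a, 5), pseudoAAD(hdr, b, 5), 0))
	fmt.Println("pseudo AAD, CID views agree:  ", Opens(pseudoAAD(hdr, a, 5), pseudoAAD(hdr, a, 5), 0))
}
```

With the wire-only AAD the receiver's idea of the CID never enters the check, so agreement on it is verified only when it is placed in the AAD.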