Hi Hannes, Hi list, as input for the discussion:
https://github.com/tlswg/dtls-conn-id/issues/25 A longer "comment-flow", the conclusion was, the CID is on the wire, so it's in the MAC. (ekr: "authenticating the whole header is just good practice.") My arguments was, that the CID is always included in the MAC, either explicit, or implicit (implicit, because the CID selects the "mac-keys" or "cipher-keys" and gets included equal to the address:port before). best regards Achim Am 24.04.20 um 13:04 schrieb Hannes Tschofenig:
Hi all, the thread on the AEAD commutation in DTLS 1.3 and the construction of the additional data raised two interesting questions. I believe those would benefit from a formal analysis or at least a security investigation. Here are the questions: 1. Generic question: Should the construction of the additional data be dependent on what is transmitted over the wire or should it be based on a “pseudo header”? DTLS 1.2 uses a pseudo header and DTLS 1.3 the data transmitted over the wire in the additional data calculation. 2. Specific question: Should the CID be included in the additional data calculation, particularly for the case where it is only implicitly sent? Asked differently, are there attacks possible? Your feedback would be appreciated to advance the discussion. I believe there is a chance to provide generic guidance for security protocol designers here. Ciao Hannes IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls