Hi Hannes,
Hi list,
as input for the discussion:
https://github.com/tlswg/dtls-conn-id/issues/25
A longer "comment-flow", the conclusion was, the CID is on the wire, so
it's in the MAC.
(ekr: "authenticating the whole header is just good practice.")
My arguments was, that the CID is always included in the MAC, either
explicit, or implicit (implicit, because the CID selects the "mac-keys"
or "cipher-keys" and gets included equal to the address:port before).
best regards
Achim
Am 24.04.20 um 13:04 schrieb Hannes Tschofenig:
Hi all,
the thread on the AEAD commutation in DTLS 1.3 and the construction of
the additional data raised two interesting questions. I believe those
would benefit from a formal analysis or at least a security investigation.
Here are the questions:
1. Generic question: Should the construction of the additional data be
dependent on what is transmitted over the wire or should it be based
on a “pseudo header”? DTLS 1.2 uses a pseudo header and DTLS 1.3 the
data transmitted over the wire in the additional data calculation.
2. Specific question: Should the CID be included in the additional data
calculation, particularly for the case where it is only implicitly
sent? Asked differently, are there attacks possible?
Your feedback would be appreciated to advance the discussion. I believe
there is a chance to provide generic guidance for security protocol
designers here.
Ciao
Hannes
IMPORTANT NOTICE: The contents of this email and any attachments are
confidential and may also be privileged. If you are not the intended
recipient, please notify the sender immediately and do not disclose the
contents to any other person, use it for any purpose, or store or copy
the information in any medium. Thank you.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
