Hi Achim,

My point is that we made decisions based on the best of our knowledge (and personal preferences) but I am wondering whether formal methods can tell us whether there is a preferred way.

Ciao
Hannes

-----Original Message-----
From: Achim Kraus <[email protected]>
Sent: Friday, April 24, 2020 3:07 PM
To: Hannes Tschofenig <[email protected]>; [email protected]
Subject: Re: [TLS] Choice of Additional Data Computation

Hi Hannes,
Hi list,

as input for the discussion:

https://github.com/tlswg/dtls-conn-id/issues/25

A longer "comment-flow", the conclusion was, the CID is on the wire, so it's in the MAC. (ekr: "authenticating the whole header is just good practice.")

My argument was that the CID is always included in the MAC, either explicitly or implicitly (implicitly, because the CID selects the "mac-keys" or "cipher-keys" and gets included equal to the address:port before).

best regards
Achim

On 24.04.20 at 13:04, Hannes Tschofenig wrote:
> Hi all,
>
> the thread on the AEAD computation in DTLS 1.3 and the construction of
> the additional data raised two interesting questions. I believe those
> would benefit from a formal analysis or at least a security investigation.
>
> Here are the questions:
>
> 1. Generic question: Should the construction of the additional data be
>    dependent on what is transmitted over the wire or should it be based
>    on a "pseudo header"? DTLS 1.2 uses a pseudo header and DTLS 1.3 the
>    data transmitted over the wire in the additional data calculation.
> 2. Specific question: Should the CID be included in the additional data
>    calculation, particularly for the case where it is only implicitly
>    sent? Asked differently, are there attacks possible?
>
> Your feedback would be appreciated to advance the discussion. I
> believe there is a chance to provide generic guidance for security
> protocol designers here.
>
> Ciao
>
> Hannes
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose
> the contents to any other person, use it for any purpose, or store or
> copy the information in any medium. Thank you.
>
> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls
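A toy model of the explicit versus implicit CID binding discussed in this thread, added here as an illustration and not taken from the thread or from any DTLS implementation. Assumptions: HMAC-SHA256 stands in for the record protection, the header layout is simplified, and every function name, key and CID value is constructed.

```python
import hashlib
import hmac
import struct

def aad(cid, epoch, seq, length, include_cid):
    """Additional data: header fields, with the CID only if include_cid."""
    fields = struct.pack("!H", epoch) + seq.to_bytes(6, "big") + struct.pack("!H", length)
    return (bytes([len(cid)]) + cid + fields) if include_cid else fields

def protect(keys, cid, epoch, seq, payload, include_cid):
    """Sender side: tag the record under the key selected by the CID."""
    data = aad(cid, epoch, seq, len(payload), include_cid) + payload
    tag = hmac.new(keys[cid], data, hashlib.sha256).digest()
    return {"cid": cid, "epoch": epoch, "seq": seq, "payload": payload, "tag": tag}

def verify(keys, record, include_cid):
    """Receiver side: the CID seen on the wire selects the key."""
    key = keys.get(record["cid"])
    if key is None:
        return False
    data = aad(record["cid"], record["epoch"], record["seq"],
               len(record["payload"]), include_cid) + record["payload"]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, record["tag"])

def cid_swap_results(keys):
    """Map include_cid -> (original accepted, record with altered CID accepted)."""
    out = {}
    for include_cid in (True, False):
        rec = protect(keys, b"\x01", 1, 7, b"constructed payload", include_cid)
        altered = dict(rec, cid=b"\x02")  # same record, different CID on the wire
        out[include_cid] = (verify(keys, rec, include_cid),
                            verify(keys, altered, include_cid))
    return out

# Constructed key tables: one key per CID, and a degenerate table in which
# key selection does not depend on the CID.
DISTINCT = {b"\x01": b"A" * 32, b"\x02": b"B" * 32}
SHARED = {b"\x01": b"A" * 32, b"\x02": b"A" * 32}

if __name__ == "__main__":
    print("distinct keys:", cid_swap_results(DISTINCT))
    print("shared key:   ", cid_swap_results(SHARED))
```

In this model the altered record is rejected under both constructions while each CID has its own key; the two constructions differ only when key selection stops depending on the CID, which is the assumption the implicit binding rests on.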
