Hi Chris,

Just a note on the comparison with TLS 1.3.

> I'd like to point to some related work that could shed light on this question.
> The decision for TLS 1.3 was to authenticate all data that is written to the
> wire,

It doesn't seem straightforward to extrapolate from that case since the 'pseudo-header' and on-the-wire header are the same here, as TLS 1.3 doesn't have any header data which is shortened or omitted on the wire. In DTLS 1.3, in contrast, various fields can be dropped or shortened, such as the length, sequence number, CID.

Best,
Hanno

________________________________
From: TLS <[email protected]> on behalf of chris - <[email protected]>
Sent: Friday, April 24, 2020 4:56 PM
To: Hannes Tschofenig <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [TLS] Choice of Additional Data Computation

Hi all,

> 1. Generic question: Should the construction of the additional data be
> dependent on what is transmitted over the wire or should it be based
> on a "pseudo header"? DTLS 1.2 uses a pseudo header and DTLS 1.3 the
> data transmitted over the wire in the additional data calculation.

I'd like to point to some related work that could shed light on this question. The decision for TLS 1.3 was to authenticate all data that is written to the wire, as this allows for proving the record layer secure [1] in a strong model for secure channels [2]. However, the formal models of [1,2] assume reliable transport (i.e., TCP): failure to deliver packets in order is deemed an attack. Therefore, the definitions would need to be changed in order to account for the case of DTLS. (I'm not sure if this has been studied.) My hunch is that the same design pattern (i.e., "authenticate everything on the wire") would be called for, but I've not seen formal evidence either way.

> 2. Specific question: Should the CID be included in the additional data
> calculation, particularly for the case where it is only implicitly
> sent? Asked differently, are there attacks possible?

Unfortunately I'm unfamiliar with the specific problem at hand, as I've not been following DTLS' development. (I'm in the middle of writing my thesis.) That said, I don't see a problem with having the AAD include *both* the record header *and* something else, like the CID. And it may very well prevent an attack.

Chris P.

[1] https://eprint.iacr.org/2018/634.pdf
[2] https://eprint.iacr.org/2017/1191.pdf
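An added example, not part of the original thread and not code from any DTLS implementation: a Python model of the two AAD choices discussed above, applied to a record whose CID is omitted on the wire. The flags byte follows the DTLS 1.3 unified header; the pseudo-header layout, the HMAC stand-in for the AEAD, the fixed CID length, and all keys, counters and CIDs are assumptions constructed for illustration.

```python
import hashlib, hmac, struct

CID_LEN = 4  # assumed negotiated CID length (constructed value)

def wire_header(epoch, seq, length, cid=None):
    """Header as sent: flags byte 0 0 1 C S L E E, CID only when cid is given."""
    flags = 0x20 | (0x10 if cid else 0) | 0x08 | 0x04 | (epoch & 0x03)
    return bytes([flags]) + (cid or b"") + struct.pack("!HH", seq & 0xFFFF, length)

def pseudo_header(epoch, seq, length, cid):
    """Hypothetical pseudo header: every field in full, whether sent or not."""
    return struct.pack("!HQB", epoch, seq, len(cid)) + cid + struct.pack("!H", length)

def tag(key, aad, ct):
    """HMAC-SHA256 stand-in for an AEAD tag over (AAD, ciphertext)."""
    msg = struct.pack("!H", len(aad)) + aad + ct
    return hmac.new(key, msg, hashlib.sha256).digest()

def seal(mode, key, state, ct, send_cid):
    """Sender: state is (epoch, seq, cid); mode is 'wire' or 'pseudo'."""
    epoch, seq, cid = state
    hdr = wire_header(epoch, seq, len(ct), cid if send_cid else None)
    aad = hdr if mode == "wire" else pseudo_header(epoch, seq, len(ct), cid)
    return hdr + ct + tag(key, aad, ct)

def open_record(mode, key, state, record):
    """Receiver: split the record, rebuild the AAD, compare tags."""
    epoch, seq, cid = state  # the receiver's own view of the connection
    hlen = 1 + (CID_LEN if record[0] & 0x10 else 0) + 4
    hdr, ct, got = record[:hlen], record[hlen:-32], record[-32:]
    aad = hdr if mode == "wire" else pseudo_header(epoch, seq, len(ct), cid)
    return hmac.compare_digest(got, tag(key, aad, ct))

KEY = b"\x01" * 32                          # constructed key
SENDER = (3, 0x10005, b"\xaa\xbb\xcc\xdd")  # constructed sender state
OTHER = (3, 0x10005, b"\x11\x22\x33\x44")   # same key and counters, different CID

def demo():
    """Per mode: does a CID-less record verify under (sender's CID, another CID)?"""
    out = {}
    for mode in ("wire", "pseudo"):
        rec = seal(mode, KEY, SENDER, b"constructed ciphertext", send_cid=False)
        out[mode] = (open_record(mode, KEY, SENDER, rec), open_record(mode, KEY, OTHER, rec))
    return out

if __name__ == "__main__":
    print(demo())
```

In this model the wire-only tag is the same whichever CID the receiver associates with a CID-less record, while the pseudo-header tag verifies only under the sender's CID; when the CID is sent, the wire-only AAD covers it as well.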
