> Actually, the full epoch is included in the overall sequence number and hence
> used to generate the nonce.

Good point Ekr, I missed that. So, we're here at the moment:

(1) Only the CID issue really _needs_ fixing somehow.

(2) Other header fields are currently authenticated through a mixture of AAD, nonce, and implicit properties of the AEAD, and proof complexity doesn't seem to grow significantly because of that non-uniformity (the latter was slightly in doubt so far for epoch authentication, but Ekr's remark clarifies that it isn't actually the case).

(3) No security issues with the proposed alternative -- uniformly pseudo-header based AAD -- have been raised yet.

(4) Non-security arguments for a pseudo-header AAD have been proposed, e.g. network bandwidth reduction. Those aren't discussed until the question of security reaches some clarity.

Felix, could you give some input on (3) as detailed in my last post? We still need to change _something_ to address (1), the pseudo-header approach does so while bringing other advantages, and no concrete security issues have been pointed out so far.

So, once again: Are there objections in terms of security towards the (purely) pseudo-header AAD?

Cheers,
Hanno

________________________________
From: TLS <tls-boun...@ietf.org> on behalf of Eric Rescorla <e...@rtfm.com>
Sent: Friday, May 15, 2020 9:04 PM
To: Felix Günther <m...@felixguenther.info>
Cc: <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] Choice of Additional Data Computation

On Tue, May 5, 2020 at 10:55 AM Felix Günther <m...@felixguenther.info> wrote:

> 4) I slightly disagree with "epochs determine the key" (true) as, what I understand is, an argument that "the full epoch is implicitly authenticated by using the right key", at least in its absoluteness. My *guess* would be that, due to the key schedule, this argument comes down to the probability of keys colliding (which is anyway to be avoided, so probably fine).
>
> Still, from a security analysis point of view, showing security with key updates might be easier if the (full) epoch was authenticated as part of the AAD.

https://tools.ietf.org/html/draft-ietf-tls-dtls13-37#section-4

Does that help?

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
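The mechanism Ekr points to above (the full epoch entering the nonce rather than the AAD) as an added, runnable illustration; this is example code written for this page, not code from the thread or from the DTLS 1.3 draft. It assumes a simplified unified header (no CID, no length field, no record number encryption) and uses a toy HMAC-based stand-in for the AEAD whose tag, like a real AEAD tag, depends on the nonce, the AAD and the ciphertext; key, IV and plaintext are constructed sample values.

```python
import hashlib
import hmac
import struct

IV_LENGTH = 12  # nonce length of the TLS 1.3 AEAD ciphers

def dtls13_nonce(write_iv: bytes, epoch: int, seq: int) -> bytes:
    """Per-record nonce as DTLS 1.3 derives it: the 64-bit record sequence number
    epoch (16 bits) || seq (48 bits), left-padded to iv_length and XORed with
    the write IV. The full epoch enters here although only 2 bits are on the wire."""
    if len(write_iv) != IV_LENGTH or not 0 <= epoch < 1 << 16 or not 0 <= seq < 1 << 48:
        raise ValueError("bad IV length, epoch or sequence number")
    padded = ((epoch << 48) | seq).to_bytes(IV_LENGTH, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))

def wire_header(epoch: int, seq: int) -> bytes:
    """Simplified unified header (no CID, no length, no record number encryption):
    bits 001, C=0, S=1, L=0, low two epoch bits, then the low 16 bits of seq."""
    return struct.pack("!BH", 0x28 | (epoch & 0x3), seq & 0xFFFF)

def toy_seal(key: bytes, nonce: bytes, aad: bytes, pt: bytes) -> bytes:
    """Stand-in AEAD, not a real cipher: SHA-256 keystream plus an HMAC tag that,
    like a real AEAD tag, depends on nonce, AAD and ciphertext (pt <= 32 bytes)."""
    ks = hashlib.sha256(key + nonce).digest()
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    return ct + hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:16]

def toy_open(key: bytes, nonce: bytes, aad: bytes, sealed: bytes):
    ct, tag = sealed[:-16], sealed[-16:]
    want = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        return None  # authentication failure: wrong key, nonce or AAD
    ks = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ k for c, k in zip(ct, ks))

# Constructed sample values, not real key material.
KEY, WRITE_IV, PLAINTEXT = b"k" * 32, bytes(range(IV_LENGTH)), b"application data"

def send(epoch: int, seq: int) -> bytes:
    """Sender: header bytes are the AAD; nonce uses the full epoch and seq."""
    hdr = wire_header(epoch, seq)
    return hdr + toy_seal(KEY, dtls13_nonce(WRITE_IV, epoch, seq), hdr, PLAINTEXT)

def receive(record: bytes, epoch_guess: int, seq_guess: int):
    """Receiver: reconstructs full epoch/seq from local state (passed in here),
    derives the nonce and opens with the header as AAD. A wrong reconstruction
    of the epoch fails here even though the header (AAD) is identical."""
    hdr, body = record[:3], record[3:]
    return toy_open(KEY, dtls13_nonce(WRITE_IV, epoch_guess, seq_guess), hdr, body)
```

With the constructed values, a record sent in epoch 3 carries the same header bytes (hence the same AAD) as one in epoch 7, yet a receiver that reconstructs epoch 7 fails to authenticate it because the nonce differs; that is the implicit epoch authentication the thread discusses.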