Re: [quicwg/base-drafts] Authenticating connection IDs (#3439)

Martin Thomson <> Wed, 04 March 2020 04:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ADBA23A0DF1 for <>; Tue, 3 Mar 2020 20:30:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.099
X-Spam-Status: No, score=-3.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fwmThOqvyut8 for <>; Tue, 3 Mar 2020 20:30:42 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2CA2E3A0E0B for <>; Tue, 3 Mar 2020 20:30:42 -0800 (PST)
Date: Tue, 03 Mar 2020 20:30:40 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1583296240; bh=4/lkoJ7EX8HOZZQw7g7sODEdFCxedud11EbA4dLyDMY=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=USE38Pc5eWM1+R5xRfQP+kpLl1UMi3/BgJxd1OJ6cEI+Ze5eCNfXY7f226gdpspqZ q8NnUdyL0kUIsirD14Yu8SmVnpjbmdiF7w6NbLErTaDlQ/h2nufKsHe68tGpG1WYvq +SWAZPNzfoX9ORpQairWOpTcTJ3M23XEKDe3Laps=
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/3439/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Authenticating connection IDs (#3439)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5e5f2ef0ca5b6_1c553ff256acd964151675"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Mar 2020 04:30:52 -0000

In the interests of both providing defense in depth and for simplifying the analysis of the protocol, I believe that we should consider the ways in which connection IDs are negotiated and the ways in which that negotiation might be more strongly protected.

## Problem Statement

We currently do not validate any choice of any connection ID that is chosen during the handshake, with the exception of the Destination Connection ID the client chooses when a Retry was used.

The [paper above]( describes an attack on earlier versions of header protection that relied on the variable position of the packet number length field, the lack of an authenticated length of the connection ID, and the malleability of the encryption used in header protection.  We have since fixed the position of the packet number length, which invalidates that attack.  The effect of the attack was not severe, but I would rather not have any weaknesses.  Note also that two of these weaknesses remain and we only really fixed this problem by accident.

The attack described required that a server generate a Retry.  The attacker rewrites the Source Connection ID field from that message into a value that the server would then subsequently reuse.  This seems to be in tension with the requirement that connection IDs be unpredictable, but I believe the theory is that the requirement only applies to the question of linkability.  As long as an attacker is unable to generate another valid connection ID or link valid connection IDs to this original value, a server could reuse the client's choice.  Of course, in this case the value is chosen by the attacker, not the client.

A server could authenticate the value it includes in a Retry packet by including it in the token, but let's assume for now that it does not do that.  Whether or not there is a concrete attack out of this, this demonstrates that an attacker can choose a connection ID.  That's not a great position to be in with respect to analysis of the protocol.

Right now the values that are negotiated using the Source Connection ID field are not authenticated.  It is true that these are ultimately authenticated when they are included in the AAD of a 1-RTT packet, but that is rather circuitous. You might also say that Handshake packets also cover these, but that relies on even more convoluted logic. What I heard at QUIPS and what I learned from TLS is that formalizing proofs based on such indirect authentication can be extremely challenging.  I realize that this is theoretical, but we made concessions in TLS for simplified analysis and as long as the complexity cost is low, the same might be done here.

## Proposal

A relatively simple way to authenticate these connection IDs would be to include a `handshake_connection_id` transport parameter that includes the value that the endpoint includes in the Source Connection ID field of Initial or Handshake packets.  Endpoints then validate this value before declaring the handshake complete.  In terms of transport parameter construction, this is simple: endpoints make a choice and stick with it.  The only real cost is the extra 21 bytes this takes.

That isn't quite enough though.  The server gets to choose new connection IDs twice during the handshake if a Retry packet is sent.  Authenticating a single connection ID could not authenticate the Source Connection ID from the Retry packet.  That's might be OK on the basis that the value from the Retry won't be used after the handshake completes.

Not authenticating the choice from Retry is less OK if the server adopts the value that the client uses in its Destination Connection ID field.  Now the attacker just chose a connection ID.  As this was the specific attack that was used, that needs to be addressed too.

Rather than authenticate the Retry also, my suggestion there is to forbid the server from copying the client's Destination Connection ID when it generates its first Initial packet.  That is, the server needs to pick a completely new connection ID.  We already do that for Retry packets.  Then the attacker has no input into connection ID selection.

We could limit the requirement to change connection ID to only the cases where Retry is used.  That is require a change if there is a token in the Initial packet.  It seems easier to require the change always.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: