IETF Logo Mail Archive

Re: [quicwg/base-drafts] Include epoch in the AAD or the nonce? (#3661)

Martin Thomson <notifications@github.com> Mon, 18 May 2020 00:37 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A1263A0936 for <quic-issues@ietfa.amsl.com>; Sun, 17 May 2020 17:37:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.474
X-Spam-Level:
X-Spam-Status: No, score=-0.474 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_28=0.726, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mm3lvT7hxMNg for <quic-issues@ietfa.amsl.com>; Sun, 17 May 2020 17:37:24 -0700 (PDT)
Received: from out-22.smtp.github.com (out-22.smtp.github.com [192.30.252.205]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B10C83A0935 for <quic-issues@ietf.org>; Sun, 17 May 2020 17:37:24 -0700 (PDT)
Received: from github-lowworker-6b40fdd.va3-iad.github.net (github-lowworker-6b40fdd.va3-iad.github.net [10.48.16.64]) by smtp.github.com (Postfix) with ESMTP id 01917A08A7 for <quic-issues@ietf.org>; Sun, 17 May 2020 17:37:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1589762244; bh=LzJ/EAf77AYAQDg1ogzwZdK0cnrXJUkMvy8nWfSIOKk=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=K1OxhMUV2IFHUc74dm2LNRTIACqIioBXL+Xp1V8hxkB3Oc/bRFx2nVZjUmd5FYrzk AXD/1wxh91jUKgGL0W0qw6ib6fY8rrZJ/N0cOcSSyIyisuWnbdiKfRonr/NQxydJzi cm+hk2GJjNMHvIrfuiBOam5l0EcOi2iZiT3VD/Qs=
Date: Sun, 17 May 2020 17:37:23 -0700
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK4NCEM3TQCV62GFZAV4ZW44HEVBNHHCJ2QBFM@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3661/629888016@github.com>
In-Reply-To: <quicwg/base-drafts/issues/3661@github.com>
References: <quicwg/base-drafts/issues/3661@github.com>
Subject: Re: [quicwg/base-drafts] Include epoch in the AAD or the nonce? (#3661)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5ec1d8c3e6192_24303f97c9ccd96833403d"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/2nq1QL5q4sUd3HeaaUswXRmIrwE>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2020 00:37:26 -0000

As Kazuho says, the short value is covered by the AAD; it's only the full value that we need to worry about.

This is only an intuition, but my expectation is that the analysis offered in https://www.felixguenther.info/docs/QUIPS2020_RobustChannels.pdf could extend to epochs.  That is, the packet contains the key phase, which is analogous to the packet number.  Endpoints only accept packets within a very narrow window.  For packet numbers, this is determined by the length of the packet number encoding in that analysis; for epochs, this would be the two epochs you keep live, which matches the length of the key phase.  I can make an argument that keeping the number of keys less than the number of epoch values is no worse than one key and no encoded epoch values.

That's not formal though; there might be a trick needed to resolve the odd loop where the value you are relying on is authenticated by the key that it identifies (I don't see that question being addressed in the referenced thread).

The question for me is whether you believe that this requires formal analysis.  Obviously it would be great if someone could find a way to subject this to more formal analysis, but we need to determine how much of a deal-breaker this could be.

Folks in TLS seem to be pushing toward adding more to the AAD, but that doesn't seem to be well supported by anything other than an excess of caution in the absence of any real analysis.  I don't think we should change something without formal analysis supporting additional measures.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/3661#issuecomment-629888016

v2.23.0 | Report a Bug | By Email