Re: [quicwg/base-drafts] Perform stateless reset token comparisons in constant time (#2993)

Kazuho Oku <notifications@github.com> Wed, 04 September 2019 02:10 UTC

Date: Tue, 03 Sep 2019 19:10:10 -0700
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK65IGDK4K5YMLDBETN3PRHYFEVBNHHBZ4IYAM@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2993/c527709362@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2993@github.com>
References: <quicwg/base-drafts/pull/2993@github.com>
Subject: Re: [quicwg/base-drafts] Perform stateless reset token comparisons in constant time (#2993)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/4XQHDDMYzo4jqSFLSCm7m1XWxLQ>

@marten-seemann 
> In my implementation, I have a map of reset tokens -> connections. Unless I switch to a constant time map implementation (the standard library doesn't provide one, you'd have to write that yourself)

As I stated on the issue, using a "standard hash map implementation" for storing stateless reset tokens as-is is not a good approach, as it might be vulnerable to [hash flooding DoS attacks](https://131002.net/siphash/siphashdos_appsec12_slides.pdf). I think this is a unique property for a hash map containing stateless reset tokens; hash maps containing CIDs are not susceptible to the issue as CIDs are chosen by the endpoint (rather than the peer), nor are the hash maps containing streams, as stream IDs are generated in sequential order (assuming that an endpoint would not have a very high stream concurrency per connection).

Considering that, we _might_ want to state something like the following in Security Considerations: _As the stateless reset tokens are controlled by the peers, QUIC endpoints SHOULD be resistant to hash flooding DoS attacks when using a hash map for retaining those tokens. One way of achieving such a property is to retain and compare the transformed values of the stateless tokens, where the transformation is defined as a cryptographically-secure pseudo-random permutation (e.g., block cipher) or a pseudo-random function (e.g., secure hash function), instead of using the raw token values as the hash keys. This approach also satisfies the constant time comparison requirements in section x.y._

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2993#issuecomment-527709362
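The token store sketched in the comment above, as an added example that is not part of the thread, the draft, or any QUIC implementation. It keys a Go map on HMAC-SHA256(secret, token) rather than on the raw 16-byte token: a peer who picks tokens cannot predict their keyed-PRF images, so it cannot craft a set of tokens that collide in the map, and whatever byte-by-byte equality the map performs on those images leaks nothing about the stored tokens because the PRF key is secret. The type and function names (`resetTokenStore`, `IsStatelessReset`, the `connID` strings) are assumptions made for the example; the sample token and datagram are constructed inline.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// tokenLen is the size of a QUIC stateless reset token (16 bytes).
const tokenLen = 16

// resetKey is the keyed-PRF image of a token. It is a fixed-size array so it
// can be used directly as a Go map key.
type resetKey [sha256.Size]byte

// resetTokenStore maps PRF(token) to the identifier of the connection whose
// peer issued that token. The map is never keyed on the raw token.
type resetTokenStore struct {
	secret [32]byte            // per-process secret; never leaves the process
	byKey  map[resetKey]string // PRF(token) -> connection identifier (assumed type)
}

// newResetTokenStore draws a fresh random PRF key. A peer that does not know
// the key cannot choose tokens whose PRF images collide in the map.
func newResetTokenStore() (*resetTokenStore, error) {
	s := &resetTokenStore{byKey: make(map[resetKey]string)}
	if _, err := rand.Read(s.secret[:]); err != nil {
		return nil, err
	}
	return s, nil
}

// transform is the PRF from the comment: HMAC-SHA256 under the store's secret.
func (s *resetTokenStore) transform(token [tokenLen]byte) resetKey {
	mac := hmac.New(sha256.New, s.secret[:])
	mac.Write(token[:])
	var k resetKey
	copy(k[:], mac.Sum(nil))
	return k
}

// Add records the token the peer supplied for connID.
func (s *resetTokenStore) Add(token [tokenLen]byte, connID string) {
	s.byKey[s.transform(token)] = connID
}

// Remove forgets a token (e.g. when the connection closes or the CID is retired).
func (s *resetTokenStore) Remove(token [tokenLen]byte) {
	delete(s.byKey, s.transform(token))
}

// Lookup returns the connection registered for token, if any. The only
// comparison performed is on PRF images, never on raw token bytes.
func (s *resetTokenStore) Lookup(token [tokenLen]byte) (string, bool) {
	id, ok := s.byKey[s.transform(token)]
	return id, ok
}

// IsStatelessReset treats the last 16 bytes of an otherwise undecryptable
// datagram as a candidate token and checks it against the store. A real
// implementation would also enforce the draft's minimum datagram size first.
func (s *resetTokenStore) IsStatelessReset(datagram []byte) (string, bool) {
	if len(datagram) < tokenLen {
		return "", false
	}
	var candidate [tokenLen]byte
	copy(candidate[:], datagram[len(datagram)-tokenLen:])
	return s.Lookup(candidate)
}

func main() {
	store, err := newResetTokenStore()
	if err != nil {
		panic(err)
	}
	// Constructed sample token, standing in for one received in a
	// NEW_CONNECTION_ID frame or the stateless_reset_token transport parameter.
	var peerToken [tokenLen]byte
	for i := range peerToken {
		peerToken[i] = byte(0xa0 + i)
	}
	store.Add(peerToken, "conn-42")

	// Constructed undecryptable datagram whose trailing 16 bytes are the token.
	datagram := append(make([]byte, 24), peerToken[:]...)
	fmt.Println(store.IsStatelessReset(datagram))

	// Constructed datagram with no registered token at the end.
	fmt.Println(store.IsStatelessReset(make([]byte, 40)))
}
```

Because every token is transformed at insertion and again at lookup, the per-packet cost on the undecryptable-packet path is one HMAC plus one map probe, independent of the number of connections; the direct alternative of walking every connection and calling `crypto/subtle.ConstantTimeCompare` on each stored token stays constant-time per comparison but grows linearly with connection count.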