Re: [quicwg/base-drafts] Timing side-channel on key updates (#2792)

Mike Bishop <> Fri, 14 June 2019 15:35 UTC

Isn't the middle ground here to pre-compute the N+1 key when the N-1 key is dropped, with the drop happening at the first of:
  - 3xPTO after the N key was first used
  - First arrival of a packet which purports to be N+1

The attacker's ability at that point would be to cause any delayed N-1 packets to be dropped, but if we're presuming the ability to bit-flip, they can cause those packets to be invalid and dropped anyway.
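As an added illustration of the rule proposed above (not code from this issue or from any QUIC implementation), a hypothetical receiver-side model: N-1 is dropped at the first of 3xPTO after N was first used or the arrival of a packet that purports to be N+1, and N+1 is derived at that moment rather than on the first packet that needs it. The packet-number comparison used to tell a late N-1 packet from an N+1 packet, and the HMAC stand-in for key derivation, are assumptions of this example.

```python
import hmac, hashlib
from dataclasses import dataclass
from typing import Optional

def derive_next(key: bytes) -> bytes:
    """Stand-in for deriving generation N+1 from N (constructed; not QUIC's HKDF label)."""
    return hmac.new(key, b"ku", hashlib.sha256).digest()

@dataclass
class KeyState:
    """Receiver-side key state once generation N is in use (hypothetical model)."""
    pto: float                        # probe timeout estimate, seconds
    key_n: bytes                      # generation N, the current keys
    key_prev: Optional[bytes]         # generation N-1, kept for reordered packets
    n_first_used: float               # when N was first used; starts the 3xPTO clock
    lowest_pn_n: int                  # lowest packet number seen under N
    phase: int = 0                    # key phase bit carried by generation N
    key_next: Optional[bytes] = None  # generation N+1, computed only when N-1 is dropped
    derivations: int = 0              # how many times derive_next ran (the costly step)

    def _drop_prev(self) -> None:
        """Discard N-1 and precompute N+1 at the same moment."""
        self.key_prev = None
        if self.key_next is None:
            self.key_next = derive_next(self.key_n)
            self.derivations += 1

    def on_packet(self, now: float, key_phase: int, pn: int) -> str:
        """Return which generation to try for a packet: 'N-1', 'N' or 'N+1'."""
        # First branch of the drop rule: 3xPTO has elapsed since N was first used.
        if self.key_prev is not None and now >= self.n_first_used + 3 * self.pto:
            self._drop_prev()
        if key_phase == self.phase:
            self.lowest_pn_n = min(self.lowest_pn_n, pn)
            return "N"
        # Other phase bit with a packet number below N's lowest: a late N-1 packet.
        if self.key_prev is not None and pn < self.lowest_pn_n:
            return "N-1"
        # Otherwise the packet purports to be N+1: second branch of the drop rule.
        # Only a successful decryption under N+1 should make it current; a forged
        # phase bit therefore costs, at most, any still-delayed N-1 packets.
        self._drop_prev()
        return "N+1"
```

With N+1 already in hand, a packet carrying the other phase bit causes no derivation at arrival time, which is the timing difference the issue is about.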
