IETF Logo Mail Archive

Re: [quicwg/base-drafts] Consider simplifying Packet Number Encryption (#1575)

Kazuho Oku <notifications@github.com> Thu, 04 October 2018 07:44 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91CEF130DF0 for <quic-issues@ietfa.amsl.com>; Thu, 4 Oct 2018 00:44:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Level:
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0_SdvtL_2HFx for <quic-issues@ietfa.amsl.com>; Thu, 4 Oct 2018 00:44:44 -0700 (PDT)
Received: from out-3.smtp.github.com (out-3.smtp.github.com [192.30.252.194]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C50E3130DE9 for <quic-issues@ietf.org>; Thu, 4 Oct 2018 00:44:44 -0700 (PDT)
Date: Thu, 04 Oct 2018 00:44:43 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1538639083; bh=GaBILOzy+b1I4RKUjKWQUfMKErNeCx9IPE1UscbdCj0=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=G30YXmw3b0tXwlTKIxZ6S76k61n+IJ0OagMp/gvZWFl3uZt0inE//M1pdKgEcFze1 81lP7XMxX1BvbYAklcJMA+u7dguJo9G3FLq6sk1p+/qiIU75K3gNlVHLIqUL60PV4+ raR2ZnfU9SYg7Osc2i0AZptlJ41C5r6965eWSiH4=
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4abe11ef2a181f60852c42c69bcb5a55f1dc34abc0f92cf0000000117cd86eb92a169ce14620d9d@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1575/426917912@github.com>
In-Reply-To: <quicwg/base-drafts/issues/1575@github.com>
References: <quicwg/base-drafts/issues/1575@github.com>
Subject: Re: [quicwg/base-drafts] Consider simplifying Packet Number Encryption (#1575)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bb5c4eb7141e_5d043fd1a1ed45c44409de"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/C95WvDUz9IAFDm4gaVOPmvsmWHg>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Oct 2018 07:44:47 -0000

> I think requiring 3 octets of frames is more restrictive that we need to be. I would prefer saying that QUIC packets MUST verify `length(packet number) + length(payload) >= 4`, and if implementors want to do that by always ensuring 3 bytes of frames that's fine.

This sounds like a neat approach.

> I meant that we XOR over the payload if the packet number length is < 4.

I am not sure if I like the idea. Because it might be an additional complexity to the hardware decoders. In the current design, payload is decrypted only once by an AEAD cipher. This change would mean that it can be decrypted twice, first by a CTR cipher and then by an AEAD cipher.

As @martinthomson points out, we discussed in New York about moving the PN length bits to the first octet. Assuming that we adopt that change, I think there would be no reason to prefer always CTR-decrypting 4 octets. The different is just having a different order between picking the specified length and applying CTR.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/1575#issuecomment-426917912

v2.23.0 | Report a Bug | By Email