IETF Logo Mail Archive

Re: [quicwg/base-drafts] Request forgery attacks (#3995)

Martin Thomson <notifications@github.com> Fri, 14 August 2020 01:39 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1057C3A0BE6 for <quic-issues@ietfa.amsl.com>; Thu, 13 Aug 2020 18:39:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.697
X-Spam-Level:
X-Spam-Status: No, score=-1.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4u_jk7dtlhDV for <quic-issues@ietfa.amsl.com>; Thu, 13 Aug 2020 18:39:37 -0700 (PDT)
Received: from out-23.smtp.github.com (out-23.smtp.github.com [192.30.252.206]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06DAC3A0BE3 for <quic-issues@ietf.org>; Thu, 13 Aug 2020 18:39:36 -0700 (PDT)
Received: from github-lowworker-0f7e7fd.ash1-iad.github.net (github-lowworker-0f7e7fd.ash1-iad.github.net [10.56.110.17]) by smtp.github.com (Postfix) with ESMTP id 421F3600080 for <quic-issues@ietf.org>; Thu, 13 Aug 2020 18:39:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1597369176; bh=YSkBPLTjfEHVyTmEk7xs+qO+luHLBZqc5DDcWYd17Ks=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=pt2etr2r5XvQRD4jSxnmrSWdQK931TFcpFqZNdbrKXBxQpvGn5peyy+6xzxrsGHfj A+LiCT+ngSTGZgNSbCHQgZ5d+MGpjL6bga6o+Eihvl1JZ2A5CSjAwt2DOm/fDsYGhW snd3uswJcCTqG/elVOakK5rE7wnHeyssWzhYwMbQ=
Date: Thu, 13 Aug 2020 18:39:36 -0700
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKYSB3GIKFK2RYOMARV5IHGFREVBNHHCQYGADU@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3995/673820730@github.com>
In-Reply-To: <quicwg/base-drafts/issues/3995@github.com>
References: <quicwg/base-drafts/issues/3995@github.com>
Subject: Re: [quicwg/base-drafts] Request forgery attacks (#3995)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f35eb5831e5b_28eb1964728bb"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/EzrpyzS7qoGefH7PeCmLpiltjug>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2020 01:39:38 -0000

Adding PATH_CHALLENGE just adds a few unpredictable bytes, it doesn't really address the problem of control.  For that, you need something like the masking in websockets. 

The problem with something like masking is that it adds a fixed overhead to packets because you need to tell the recipient what the unpredictable stuff was and the size is determined by the number of attempts you might allow (see below).  Maybe that only applies to packets that are sent prior to address validation, so maybe you could repurpose one of the long header packet types (0-RTT?) to carry a masked payload in those cases, but it's a massive change.  I don't even want to think about making that sort of change right now...

The refragmenting idea is interesting.  The analysis supports the view that it is unnecessary for CRYPTO.  It might be too much work otherwise as well.  Skipping a random offset for STREAM frames might work, but you have to work through all the ways that an adversary might try to game out whatever strategy you adopt.  You need to ensure that the number of potential variations is at least the square of the number of attempts that an attacker might have (if you have 100 attempts, that's a minimum of 10,000 variations) or you hit the birthday bound and attacks become feasible in the aggregate.  Getting variations that high isn't necessarily that easy.  I'm not sure if it is worthwhile chasing that down.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/3995#issuecomment-673820730

v2.37.1 | Report a Bug | By Email | System Status