IETF Logo Mail Archive

Re: [quicwg/base-drafts] Rework Key Update (#2237)

Marten Seemann <notifications@github.com> Wed, 09 January 2019 06:23 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D78A4129C6A for <quic-issues@ietfa.amsl.com>; Tue, 8 Jan 2019 22:23:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.065
X-Spam-Level:
X-Spam-Status: No, score=-8.065 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t2dPjtyavxRv for <quic-issues@ietfa.amsl.com>; Tue, 8 Jan 2019 22:23:11 -0800 (PST)
Received: from out-16.smtp.github.com (out-16.smtp.github.com [192.30.254.199]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A90B1128D09 for <quic-issues@ietf.org>; Tue, 8 Jan 2019 22:23:11 -0800 (PST)
Date: Tue, 08 Jan 2019 22:23:10 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1547014990; bh=SAwVmBS+7ynPLt00kRJjy36vQeNjgqoycnn0DrCKHvg=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=pjALCvofJssWx2ekXVo6ozPH5Z8S25z16EG9DVtfx2BOzKsEvhRXof5OGPplfnZR9 3fO01Pp8NWPBsf8N+1akwYZMUR/EjfATwxoqqsKXSxfiHtyqhPI3TiT3uQ61FQ7RWw EvO6d/Qfsj1763LOKDUDa5niYBg+URFlrmruSS/A=
From: Marten Seemann <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab2f3f255867e77aa51273199224638ec82a8b3a3592cf00000001184d554e92a169ce1770e975@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2237/review/190578232@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2237@github.com>
References: <quicwg/base-drafts/pull/2237@github.com>
Subject: Re: [quicwg/base-drafts] Rework Key Update (#2237)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c35934e6edf0_45dc3f8473cd45c42661ea"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: marten-seemann
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/IkHOGd17ebcx9_8GA08Kvz4otFo>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2019 06:23:14 -0000

marten-seemann commented on this pull request.



> @@ -1101,75 +1101,153 @@ anticipation of receiving a ClientHello.
 # Key Update
 
 Once the 1-RTT keys are established and the short header is in use, it is
-possible to update the keys. The KEY_PHASE bit in the short header is used to
-indicate whether key updates have occurred. The KEY_PHASE bit is initially set
-to 0 and then inverted with each key update.
+possible to update the keys used to protect packets. The Key Update field in the
+short header are used to indicate when key updates are permitted and when they

s/are/is/

>  
 This mechanism replaces the TLS KeyUpdate message.  Endpoints MUST NOT send a
 TLS KeyUpdate message.  Endpoints MUST treat the receipt of a TLS KeyUpdate
 message as a connection error of type 0x10a, equivalent to a fatal TLS alert of
 unexpected_message (see {{tls-errors}}).
 
-An endpoint MUST NOT initiate more than one key update at a time.  A new key
-cannot be used until the endpoint has received and successfully decrypted a
-packet with a matching KEY_PHASE.
+{{ex-key-update}} shows a key update process, with keys used identified with @M
+and @N.  Values in brackets [] indicate the value of Key Update bits.
+
+~~~
+   Initiating Peer                    Responding Peer
+
+@M [10] QUIC Packets
+. Update to @N
+@N [01] QUIC Packets
+                      -------->
+                                     QUIC Packets [10] @M

Why is this line here? The responding peer should update the keys immediately when receiving the first @N packet.

>  
-The KEY_PHASE bit allows a recipient to detect a change in keying material
-without necessarily needing to receive the first packet that triggered the
-change.  An endpoint that notices a changed KEY_PHASE bit can update keys and
-decrypt the packet that contains the changed bit.
+The the low bit of the Key Update field (0x04) is the Key Phase bit.  The Key
+Phase is used to indicate which packet protection keys are in use.  The Key

Maybe better: "which packet protection key was used to protect this packet."

>  
-If the packet can be decrypted and authenticated using the updated key and IV,
-then the keys the endpoint uses for packet protection are also updated.  The
-next packet sent by the endpoint will then use the new keys.
+The endpoint uses the key and IV to protect all subsequent packets, clears the
+Key Update Permitted bit, and toggles the value of the low Key Phase bit.

This sentence reads better if you turn it around and insert an "updated": "The endpoint clears the Key Update Permitted bit, and toggles the value of the low Key Phase bit, and uses the updated key and IV to protect all subsequent packets."

>  
-If the packet can be decrypted and authenticated using the updated key and IV,
-then the keys the endpoint uses for packet protection are also updated.  The
-next packet sent by the endpoint will then use the new keys.
+The endpoint uses the key and IV to protect all subsequent packets, clears the
+Key Update Permitted bit, and toggles the value of the low Key Phase bit.
+
+An endpoint MUST NOT initiate more than one key update at a time.  A new key
+cannot be used until the endpoint has successfully processed a packet with a

Better: A subsequent key update can only be performed once the endpoint...

>  
-If the packet can be decrypted and authenticated using the updated key and IV,
-then the keys the endpoint uses for packet protection are also updated.  The
-next packet sent by the endpoint will then use the new keys.
+The endpoint uses the key and IV to protect all subsequent packets, clears the
+Key Update Permitted bit, and toggles the value of the low Key Phase bit.
+
+An endpoint MUST NOT initiate more than one key update at a time.  A new key
+cannot be used until the endpoint has successfully processed a packet with a
+matching Key Phase and the Key Update Permitted bit set.  Together, these
+indicate that the key update was received and acted on.
+
+Once an endpoint has received and successfully processed packets with the same
+Key Phase value, this indicates that the peer has also updated keys.  The
+endpoint can then set the Key Update Permitted bit to 1 on packets it

I'd prefer stronger language here. Ideally, a MUST (although we'd have to rearrange the text a bit to allow deferring this until the old keys are discarded).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2237#pullrequestreview-190578232

v2.23.0 | Report a Bug | By Email