[quicwg/base-drafts] Include epoch in the AAD or the nonce? (#3661)

ekr <notifications@github.com> Fri, 15 May 2020 22:58 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/JaC2lKLOL_oZwnHqWlGip6XuI9I>

Over in TLS we have been discussing the data which is included in the AEAD transform. 

1. Some parts of the context for encryption (epoch, length, etc.) are implicit.

2. The AD only covers the bits on the wire.

This intuitively seems like it ought to be OK because these values do affect how the protection is done, but only implicitly. For instance, length delineates the data, the packet number/record sequence number controls the nonce, etc., but nevertheless only some of these values are in the AD. It turns out that there is a bit of a gap between the analysis we have of this so far and the current state, and specifically we don't have analysis of the epoch, which is sent only partially in both QUIC and DTLS [0]. Note that QUIC is actually worse than DTLS here because in DTLS the epoch is folded into the sequence number used to make the nonce, but in QUIC the nonce is just the packet number. This issue is intended to raise the question of whether we should revisit that, for instance by putting the epoch in the AD.

[0] https://mailarchive.ietf.org/arch/msg/tls/Ri33zZmFNb1kZ4HToDHs9cDDTPY/
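
An added illustration, not part of the message above and not code from any QUIC or DTLS implementation: it shows mechanically which AEAD input carries the epoch in the three arrangements the message mentions. The `Mode` names, the two-byte header layout, the 16/48-bit epoch/number split and the all-zero key and IV are constructed assumptions; key and IV are deliberately held fixed across epochs, which real stacks do not do, so that only the nonce and AD differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

type Mode int

const (
	WireOnly     Mode = iota // nonce from packet number, AD = wire header only
	EpochInAD                // full epoch appended to the AD
	EpochInNonce             // epoch folded into the number XORed into the IV
)

// inputs builds nonce and AD; the header carries only the low 2 epoch bits (constructed layout).
func inputs(m Mode, iv []byte, epoch uint16, pn uint64) (nonce, ad []byte) {
	n := pn
	if m == EpochInNonce {
		n = uint64(epoch)<<48 | pn&(1<<48-1)
	}
	nonce = append([]byte{}, iv...)
	for i := 0; i < 8; i++ { // XOR the 64-bit number into the last 8 IV bytes
		nonce[11-i] ^= byte(n >> uint(8*i))
	}
	ad = []byte{byte(epoch & 3), byte(pn)}
	if m == EpochInAD {
		ad = append(ad, byte(epoch>>8), byte(epoch))
	}
	return nonce, ad
}

// MismatchAccepted seals at epoch 2 and opens as epoch 6 (same low two bits, same key and IV).
func MismatchAccepted(m Mode) bool {
	key, iv := make([]byte, 16), make([]byte, 12) // constructed all-zero test values
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	sn, sad := inputs(m, iv, 2, 7)
	ct := gcm.Seal(nil, sn, []byte("constructed payload"), sad)
	rn, rad := inputs(m, iv, 6, 7)
	_, err := gcm.Open(nil, rn, ct, rad)
	return err == nil
}

func main() {
	for _, m := range []Mode{WireOnly, EpochInAD, EpochInNonce} {
		fmt.Println(m, MismatchAccepted(m))
	}
}
```

With the epoch in neither input, the receiver's differing view of the epoch goes unnoticed by the AEAD itself and only the per-epoch keys separate the two; with the epoch in the AD or the nonce, authentication fails regardless of the key.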
