Re: [quicwg/base-drafts] Initial secrets do not change after Retry (#2878)

Marten Seemann <notifications@github.com> Tue, 09 July 2019 05:30 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64092120307 for <quic-issues@ietfa.amsl.com>; Mon, 8 Jul 2019 22:30:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.596
X-Spam-Level:
X-Spam-Status: No, score=-6.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iakCpJsGLeS5 for <quic-issues@ietfa.amsl.com>; Mon, 8 Jul 2019 22:30:06 -0700 (PDT)
Received: from out-24.smtp.github.com (out-24.smtp.github.com [192.30.252.207]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9A32120305 for <quic-issues@ietf.org>; Mon, 8 Jul 2019 22:30:02 -0700 (PDT)
Date: Mon, 08 Jul 2019 22:30:01 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1562650201; bh=mFJKhrExaOsKiwUHCc+/Apdw1fSDX1XiPCudpcE9spU=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=p4I6Pzi6sfWz1AzeDxqTvD47C3zhD9OqZIlEsseNC2NCZXsyi7l4wNKabSZD1AD7N 66wiDJC3FA8n7yq9AtGEnFh1GN2DqyiWlJTsqxsUpuCzSTH+5ua/iPBbeMEx3u7XWa EURNCsjxpG7UZmNQnd45JAdhorZ6whvT3ZG9W0Vc=
From: Marten Seemann <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKYJNYC3DS7PDGEMZ653GFMNTEVBNHHBXP6EBY@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2878/review/259275439@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2878@github.com>
References: <quicwg/base-drafts/pull/2878@github.com>
Subject: Re: [quicwg/base-drafts] Initial secrets do not change after Retry (#2878)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d2426598077d_156f3fef4e0cd9601457260"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: marten-seemann
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/LVDV-B6sJM7P4l8c_acVuS1nw1E>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 05:30:08 -0000

marten-seemann requested changes on this pull request.

At the NY interim, we agreed that a design goal of QUIC's Retry mechanism is that a MITM is not able to perform a Retry. 
By removing the original_connection_id transport parameter, this PR reintroduces that option. The attack works as follows:
1. The MITM captures the Initial packet, and sends a Retry packet. 
2. The client generates a second Initial as a response. This packet will us the DCID provided by the Retry (which is different from the DCID use for the first Initial).
3. The MITM strips out the token, and re-protects the packet with an Initial key derived from the DCID of the packet (it might even choose to change the DCID before forwarding the packet to the server).
4. Because the key used to protect the packet was derived from the DCID, the server is able to unprotect the packet. It replies with an Initial packet.
5. Since Initials are able to change the DCID, the client will accept the Initial packet and change the DCID again (if MITM or server changed the DCID, that is).



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2878#pullrequestreview-259275439