Re: [quicwg/base-drafts] token-based greasing / initial packet protection (#3166)

Kazuho Oku <> Wed, 30 October 2019 01:25 UTC

kazuho commented on this pull request.

> +NEW_TOKEN frame, the server generates the alternative initial salt by calling a
+pseudo-random function, embeds that initial salt into the token which is then
+encrypted, and sends a NEW_TOKEN frame that comprises of the generated token and
+the alternative initial set.
+When the client reconnects to the server by using the provided token and the
+alternative initial set, the server first checks if the version number field of
+the incoming packet contains one of the alternative version numbers it
+advertises, then if that is the case, applies the corresponding packet type
+modifier to recover the correct packet type.  If the recovered packet type is an
+Initial packet and that packet contains a NEW_TOKEN token, the server decrypts
+the embedded token and recovers the alternative initial salt, uses that to
+decrypt the payload of the Initial packet.
+When the server is incapable of determining the alternative initial salt, it can
+send a Version Negotiation packet that instructs the client to use the default
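
Review bot: The sentence "If the recovered packet type is an Initial packet and that packet contains a NEW_TOKEN token" covers only Initials that carry a NEW_TOKEN token, so it leaves open how the server recovers the alternative initial salt from an Initial that carries a Retry token under an alternative version; add a sentence stating what a Retry token must carry for that case. Separately, "encrypted" is the only protection these lines ask of the token, and since the server derives packet protection from the salt it recovers, the text should also say the token is integrity protected. Minor: "comprises of" should be "comprises", and "alternative initial set" appears in these lines without a definition alongside "alternative initial salt".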

@DavidSchinazi That's obviously the case. Thank you for pointing that out.

I think what the PR fails to state is that a Retry token needs to inherit the properties of the NEW_TOKEN token included in the Initial packet that triggered the Retry. One way of doing that is to embed the NEW_TOKEN token in the Retry token.

The reason why we need the NEW_TOKEN token to be embedded in the Retry token is not only because there is an attack that you describe. It is necessary because when the server receives the first Initial packet from the client that carries the alternative version, and responds with a Retry packet that carries that alternative version, and the client in response sends an Initial packet that carries the Retry token using an Initial packet with the alternative version, the server needs to extract the alternative initial salt (and other information) from the Retry token.

I'd update the PR to clarify that.

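
The token nesting described in the comment above, sketched for Node.js as an added example; it is not code from the pull request or from any QUIC implementation. The token layout, the one-byte kind tags, AES-128-GCM as the token cipher and the 20-byte salt length are all assumptions, and the address and lifetime checks a real Retry token needs are left out.

```javascript
const crypto = require('node:crypto');

// Hypothetical one-byte token kinds; the kind is authenticated as AEAD associated data.
const KIND_NEW_TOKEN = 1, KIND_RETRY = 2;
const SALT_LEN = 20, NONCE_LEN = 12, TAG_LEN = 16; // SALT_LEN is an assumption

// seal returns kind || nonce || ciphertext || tag under the server-local token key.
function seal(key, kind, body) {
  const nonce = crypto.randomBytes(NONCE_LEN);
  const c = crypto.createCipheriv('aes-128-gcm', key, nonce);
  c.setAAD(Buffer.from([kind]));
  const ct = Buffer.concat([c.update(body), c.final()]);
  return Buffer.concat([Buffer.from([kind]), nonce, ct, c.getAuthTag()]);
}

// open authenticates and decrypts one token layer; returns null on any failure.
function open(key, token) {
  if (token.length < 1 + NONCE_LEN + TAG_LEN) return null;
  try {
    const d = crypto.createDecipheriv('aes-128-gcm', key, token.subarray(1, 1 + NONCE_LEN));
    d.setAAD(token.subarray(0, 1));
    d.setAuthTag(token.subarray(token.length - TAG_LEN));
    const ct = token.subarray(1 + NONCE_LEN, token.length - TAG_LEN);
    return { kind: token[0], body: Buffer.concat([d.update(ct), d.final()]) };
  } catch {
    return null; // forged, corrupted, or sealed under another key
  }
}

// NEW_TOKEN token: a fresh alternative initial salt, encrypted inside the token.
function issueNewToken(key) {
  const salt = crypto.randomBytes(SALT_LEN);
  return { token: seal(key, KIND_NEW_TOKEN, salt), salt };
}

// Retry token: embeds the NEW_TOKEN token from the Initial that triggered the Retry.
function issueRetryToken(key, newToken) {
  return seal(key, KIND_RETRY, newToken);
}

// recoverSalt accepts either token kind; null means the salt cannot be determined.
function recoverSalt(key, token) {
  let t = open(key, token);
  if (t && t.kind === KIND_RETRY) t = open(key, t.body); // unwrap embedded token
  if (!t || t.kind !== KIND_NEW_TOKEN || t.body.length !== SALT_LEN) return null;
  return t.body;
}
```

A `null` from `recoverSalt` corresponds to the case in the quoted text where the server is incapable of determining the alternative initial salt.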