Re: [quicwg/base-drafts] Short header reserved bits: make available for unilateral experimentation (#2022)

Mike Bishop <notifications@github.com> Tue, 20 November 2018 19:33 UTC

Date: Tue, 20 Nov 2018 11:33:31 -0800
From: Mike Bishop <notifications@github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2022/440402331@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2022@github.com>
References: <quicwg/base-drafts/issues/2022@github.com>
Subject: Re: [quicwg/base-drafts] Short header reserved bits: make available for unilateral experimentation (#2022)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/SiW5DpJ0kWCkdQ7gse6MbTlq3E8>
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>

I think I see the issue, though we're skirting the outer edges of my crypto here, so I'd like to confirm.  The cheap way to deal with this would *seem* to be taking those two extra masking bits from the packet number protection and using them to mask off the bits iff you're not using them.  But that doesn't work, because you don't have the PNP mask until after you've committed to a value.

The pre-masking value (currently required to be 0) is in the AAD, which influences the output of the AEAD tag (and the ciphertext?).  The sampled input for packet number protection can come from the AEAD tag, so anything that modifies the AAD potentially modifies the PNP mask.

To validate, the recipient would need to generate the PNP mask, then check the packet against the authentication tag for both the bits-as-received and the bits-as-would-have-been-masked, then accept the packet if either were valid.  (Since we're talking about two bits, there's also a ~33% chance that if someone on the network decided to fiddle those bits, the recipient would decide it was still okay.)

In order to avoid trial decryption and undetected meddling, the recipient has to know whether to unmask those bits before validating the packet or not.  Either we declare them unmasked and random-if-not-used, which entails an extra CSPRNG call for those two bits in the non-experiment case; or we declare them masked unless the peers negotiate otherwise.  (The value pre-masking doesn't actually matter, but since the network can't observe it, it's useless for these experiments.)

Did I get all that?

https://github.com/quicwg/base-drafts/issues/2022#issuecomment-440402331
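The dependency Mike describes, as an added example that is not part of this thread and not the QUIC working group's or any implementation's code. It models the short header as QUIC v1 eventually specified it (RFC 9001 header protection: an AES-ECB mask computed from 16 bytes of ciphertext sampled 4 bytes past the packet number offset, covering the low 5 bits of the first byte and the packet number) and the "declare them masked" option from the comment: the sender commits the reserved bits to 0 in the AAD before any ciphertext or mask exists, and the receiver unmasks first, rejects non-zero reserved bits, and only then runs the AEAD, so no trial decryption is needed. The keys, IV, connection ID and payload are constructed; the packet number is always sent as 4 bytes with no truncation or recovery; and the names `Protect`, `Unprotect` and `CommitEffect` are mine. `CommitEffect` also answers the "(and the ciphertext?)" aside for AES-GCM: the AAD changes the tag, not the ciphertext bytes, so the mask changes only because the sample overlaps the tag, which it does whenever the payload is short.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	pktIV           = []byte("constructed!")                    // constructed 12-byte IV; real ones come from HKDF
	hpBlock, _      = aes.NewCipher([]byte("hpkey0123456789a")) // constructed 16-byte keys; NewCipher cannot fail here
	pktBlock, _     = aes.NewCipher([]byte("0123456789abcdef"))
	pktAEAD, _      = cipher.NewGCM(pktBlock)
	ErrReservedBits = errors.New("reserved bits non-zero after unmasking: PROTOCOL_VIOLATION")
)

const (
	pnLen     = 4    // packet number length this example always sends
	sampleLen = 16   // one AES block of ciphertext feeds the mask
	resBits   = 0x18 // the two reserved bits of a short-header first byte
)

// nonce is the IV XOR the left-padded packet number (RFC 9001 style).
func nonce(pn uint32) []byte {
	n := append([]byte(nil), pktIV...)
	binary.BigEndian.PutUint32(n[8:], binary.BigEndian.Uint32(n[8:])^pn)
	return n
}

// hpMask is AES-ECB of one ciphertext sample: the thread's "PNP mask".
func hpMask(sample []byte) []byte {
	mask := make([]byte, sampleLen)
	hpBlock.Encrypt(mask, sample)
	return mask
}

// seal returns header || ciphertext || tag. Byte 0 carries the reserved bits and is AAD, so it is committed first.
func seal(dcid []byte, pn uint32, payload []byte, reserved byte) (pkt []byte, pnOff int) {
	first := 0x40 | (reserved&0x03)<<3 | byte(pnLen-1) // fixed bit set; spin and key phase 0
	hdr := append(append([]byte{first}, dcid...), 0, 0, 0, 0)
	pnOff = 1 + len(dcid)
	binary.BigEndian.PutUint32(hdr[pnOff:], pn)
	return pktAEAD.Seal(hdr, nonce(pn), payload, append([]byte(nil), hdr...)), pnOff
}

// Protect applies header protection; the sample sits 4 bytes past the packet number offset, so here it overlaps the tag.
func Protect(dcid []byte, pn uint32, payload []byte) []byte {
	pkt, pnOff := seal(dcid, pn, payload, 0) // honest sender: reserved bits are 0
	mask := hpMask(pkt[pnOff+4 : pnOff+4+sampleLen])
	pkt[0] ^= mask[0] & 0x1f // short header: the mask covers the low 5 bits of byte 0
	for i := 0; i < pnLen; i++ {
		pkt[pnOff+i] ^= mask[1+i]
	}
	return pkt
}

// Unprotect is the receiver: unmask, enforce the reserved-bits rule, then open with the unmasked header as AAD. No trial decryption.
func Unprotect(pkt []byte, dcidLen int) (pn uint32, payload []byte, err error) {
	pnOff := 1 + dcidLen
	if len(pkt) < pnOff+4+sampleLen {
		return 0, nil, errors.New("packet too short to sample")
	}
	pkt = append([]byte(nil), pkt...) // work on a copy
	mask := hpMask(pkt[pnOff+4 : pnOff+4+sampleLen])
	pkt[0] ^= mask[0] & 0x1f
	n := int(pkt[0]&0x03) + 1
	for i := 0; i < n; i++ {
		pkt[pnOff+i] ^= mask[1+i]
		pn = pn<<8 | uint32(pkt[pnOff+i])
	}
	if pkt[0]&resBits != 0 {
		return 0, nil, ErrReservedBits // rejected before the AEAD ever runs
	}
	payload, err = pktAEAD.Open(nil, nonce(pn), pkt[pnOff+n:], pkt[:pnOff+n])
	return pn, payload, err
}

// CommitEffect shows that with AES-GCM the committed reserved bits change the tag (and any mask sampled from it) but not the ciphertext bytes.
func CommitEffect(dcid []byte, pn uint32, payload []byte) (ctSame, tagSame, maskSame bool) {
	a, off := seal(dcid, pn, payload, 0)
	b, _ := seal(dcid, pn, payload, 1)
	ctEnd := off + pnLen + len(payload)
	ctSame = bytes.Equal(a[off+pnLen:ctEnd], b[off+pnLen:ctEnd])
	tagSame = bytes.Equal(a[ctEnd:], b[ctEnd:])
	maskSame = bytes.Equal(hpMask(a[off+4:off+4+sampleLen]), hpMask(b[off+4:off+4+sampleLen]))
	return
}

func main() {
	dcid, payload := []byte{0xc0, 0xff, 0xee, 0x01}, []byte{0x01} // constructed CID; a PING frame
	pkt := Protect(dcid, 7, payload)
	_, got, err := Unprotect(pkt, len(dcid))
	pkt[0] ^= resBits // an on-path party flips the masked reserved bits
	_, _, flipped := Unprotect(pkt, len(dcid))
	ct, tag, mask := CommitEffect(dcid, 7, payload)
	fmt.Println(got, err, flipped, ct, tag, mask)
}
```

Because XOR commutes with the mask, an on-path flip of the protected reserved bits surfaces as non-zero reserved bits after unmasking, and the receiver rejects deterministically with a protocol violation before spending an AEAD operation; had it skipped that check, the AEAD would still fail, since the unmasked first byte is part of the AAD. `CommitEffect` makes the circularity concrete: the two sealed packets differ only in the committed bits, yet their tags and therefore their masks differ, so the sender cannot use the mask to decide what to commit.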