IETF Logo Mail Archive

Re: [quicwg/base-drafts] Expand AEAD limits to consider multi-user security. (#3789)

Martin Thomson <notifications@github.com> Wed, 01 July 2020 01:37 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43D363A08AD for <quic-issues@ietfa.amsl.com>; Tue, 30 Jun 2020 18:37:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.1
X-Spam-Level:
X-Spam-Status: No, score=-3.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OkJe2XbhEni3 for <quic-issues@ietfa.amsl.com>; Tue, 30 Jun 2020 18:37:45 -0700 (PDT)
Received: from out-28.smtp.github.com (out-28.smtp.github.com [192.30.252.211]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A748F3A08AC for <quic-issues@ietf.org>; Tue, 30 Jun 2020 18:37:45 -0700 (PDT)
Received: from github-lowworker-b19c547.va3-iad.github.net (github-lowworker-b19c547.va3-iad.github.net [10.48.17.66]) by smtp.github.com (Postfix) with ESMTP id D68AF8C0E22 for <quic-issues@ietf.org>; Tue, 30 Jun 2020 18:37:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1593567464; bh=dwLZ8HeYvnfuQk8VBVaPEbtDrCsycfjpas8UfHnw+Fs=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=WP/izd/f/IlwYFQ5y3QyKeD9buU7yYY/jzn6nfA1iIGPiMSoB6wZ7G9ex9i9CSOcQ GF6A1LdS2y/AjOPkCRcOrlFlPct9gzUHKKiRQEcvntaSf1TI4i+5TYn5+WcMA1YJzW RPVWaALmz8aUZ/8S4noEdCe5H/r/jZdPLfqYX5cE=
Date: Tue, 30 Jun 2020 18:37:44 -0700
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK2Q3FWH2JQYKQOPINN5A7E6REVBNHHCM4U4BA@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3789/review/440491570@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3789@github.com>
References: <quicwg/base-drafts/pull/3789@github.com>
Subject: Re: [quicwg/base-drafts] Expand AEAD limits to consider multi-user security. (#3789)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5efbe8e8c7615_7ed53f8958ccd96072831"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/TTzZygqWb2SEuDFfAk04k5PXR7U>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 01:37:47 -0000

@martinthomson commented on this pull request.



> @@ -1552,30 +1549,40 @@ number of attempts to forge packets. TLS achieves this by closing connections
 after any record fails an authentication check. In comparison, QUIC ignores any
 packet that cannot be authenticated, allowing multiple forgery attempts.
 
-Endpoints MUST count the number of received packets that fail authentication for
-each set of keys.  If the number of packets that fail authentication with the
-same key exceeds a limit that is specific to the AEAD in use, the endpoint MUST
-stop using those keys.  Endpoints MUST initiate a key update before reaching
-this limit.  If a key update is not possible, the endpoint MUST immediately
-close the connection.  Applying a limit reduces the probability that an attacker
-is able to successfully forge a packet; see {{AEBounds}} and {{ROBUST}}.
+Endpoints MUST count the number of encrypted packets for each set of keys. If

This is an existing ambiguity.  And the answer is that either endpoint can do the update.  As updates are symmetric, this isn't a big deal, but you can stumble over each other if you do it poorly.

I haven't implemented this bit yet, but when I did it for TLS, the sender updates at limit-N and the receiver requests an update at limit-M where M < N.  This is because the primary responsibility for the update lies with the sender.  This stops endpoints using the same implementation from doing near-simultaneous updates, which is a little wasteful.  If M for one implementation matches N for another, then you can still get a race.  Of course, QUIC handles simultaneous updates well, so maybe you don't care for that level of sophistication.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3789#discussion_r448068353

v2.23.0 | Report a Bug | By Email