IETF Logo Mail Archive

Re: [quicwg/base-drafts] Client's initial destination CID is unauthenticated (#1486)

Antoine Delignat-Lavaud <notifications@github.com> Mon, 30 July 2018 15:15 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3F8E1310F6 for <quic-issues@ietfa.amsl.com>; Mon, 30 Jul 2018 08:15:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.009
X-Spam-Level:
X-Spam-Status: No, score=-8.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1cwFIH95LUJ for <quic-issues@ietfa.amsl.com>; Mon, 30 Jul 2018 08:15:28 -0700 (PDT)
Received: from out-7.smtp.github.com (out-7.smtp.github.com [192.30.252.198]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B56A130E25 for <quic-issues@ietf.org>; Mon, 30 Jul 2018 08:15:28 -0700 (PDT)
Date: Mon, 30 Jul 2018 08:15:27 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1532963727; bh=61Ei+W/aIlgsLqq0aPsddEBihsgEsEPqpO/dBoqfAnc=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=AHe3n6NUw/YLI8mo/IKoXJ18MbEZMwzFA55HL17f5A9yI7xZfnvVX02DiXuAFaa63 l3ayUDdzNK3PcTh6VXA3MgAz3QEoqhLLkkCcrUlhnSJY06dd2UDOOOgoXfgPzjgJlq 0T/Pbsyeijw69Uas1V4D1Z7XqNJ8ku4zAiNQ5RFM=
From: Antoine Delignat-Lavaud <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab84ebc97f5379265f78f82637fb1d658e0986beea92cf000000011776ed8f92a169ce140801b8@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1486/408899724@github.com>
In-Reply-To: <quicwg/base-drafts/issues/1486@github.com>
References: <quicwg/base-drafts/issues/1486@github.com>
Subject: Re: [quicwg/base-drafts] Client's initial destination CID is unauthenticated (#1486)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5b5f2b8f581f8_67ec3fad604be61c105220"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ad-l
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/VPwS6-aWkl05Xm3zMzLr4l7Zl94>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.27
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 15:15:31 -0000

I noticed another problem caused by the fact that ConnectionID is not authenticated.

In short header packets, the connection ID is followed by the encrypted packet number. The encryption of the PN is only indirectly authenticated by the QUIC headers appearing in the additional authenticated data of the AEAD encryption. However, if a network attacker is given the capability to alter the Connection ID, he can use this capability to truncate or extend the encrypted packet number. This is very easy to do - for instance, if the attacker wants to truncate one byte off the encrypted PN he can set the connection ID to be one byte longer and ensure that the headers remain the same.

Unfortunately, this is an effective attack against the confidentiality of packet number encryption (e.g. successful PN extension is a trivial distinguisher for the most significant bits of the PN being 0). PN truncation also puts worrying pressure on AEAD - replayability is no longer prevented by AAD (which is provably authenticated in AEAD) but by implicit nonce authentication (which is not typically proved). 

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/1486#issuecomment-408899724

v2.23.0 | Report a Bug | By Email