Re: [quicwg/base-drafts] Mask packet numbers with a per-connection-ID key (#1043)
Martin Thomson <notifications@github.com> Wed, 10 January 2018 23:54 UTC
Return-Path: <bounces+848413-a050-quic-issues=ietf.org@sgmail.github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0366612D77C for <quic-issues@ietfa.amsl.com>; Wed, 10 Jan 2018 15:54:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.03
X-Spam-Level:
X-Spam-Status: No, score=-2.03 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QyRLslALkCYl for <quic-issues@ietfa.amsl.com>; Wed, 10 Jan 2018 15:54:50 -0800 (PST)
Received: from o8.sgmail.github.com (o8.sgmail.github.com [167.89.101.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FC95120726 for <quic-issues@ietf.org>; Wed, 10 Jan 2018 15:54:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=github.com; h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe; s=s20150108; bh=gbIeHAFA+LaMSmV+FMXGGAFVy7k=; b=HhL0vaDZ3OiKPo89 son1aSjXRsstybjesohGCXYyxIZ4MVn/U1gG2fa1DQCII3ru8VRfLLfgnkdjb55+ ex3NzMGRhXaZlRKnYpQLwkOuJmbo51swHqkej4zR1AJ/0Tygrdi85a/OfKsGflzV 0V+42fk/p5QsTmMkY0rqgafyRR8=
Received: by filter0554p1las1.sendgrid.net with SMTP id filter0554p1las1-17185-5A56A7C8-21 2018-01-10 23:54:48.821618423 +0000 UTC
Received: from github-smtp2a-ext-cp1-prd.iad.github.net (github-smtp2a-ext-cp1-prd.iad.github.net [192.30.253.16]) by ismtpd0022p1iad2.sendgrid.net (SG) with ESMTP id l926sSEmRtynOkPHhI7gbQ for <quic-issues@ietf.org>; Wed, 10 Jan 2018 23:54:48.979 +0000 (UTC)
Date: Wed, 10 Jan 2018 23:54:48 +0000
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4aba95d68a1d7f7678f771a6547f6d05c9b8f48561092cf00000001166e69c892a169ce111afff8@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/1043/review/87721441@github.com>
In-Reply-To: <quicwg/base-drafts/pull/1043@github.com>
References: <quicwg/base-drafts/pull/1043@github.com>
Subject: Re: [quicwg/base-drafts] Mask packet numbers with a per-connection-ID key (#1043)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5a56a7c88f3ef_7dc3f9ee148ef3064274"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
X-SG-EID: l64QuQ2uJCcEyUykJbxN122A6QRmEpucztpreh3Pak2Uo/Yfr3kGijwR3NrgrK5QI/55YsLnTeDQFN L8Uez56p4GAU+CJsbUH10ZNZs+hU83L7keAAq9eHNCCAiB2bLwLOy5Km6ZnWOhWDVF0DiAOF/PBulW /kjasI+0Opxh/j1lTrCF3cvDEeccMMXjTaiaNkvaKQxtbpigFrr8zyhPyRInyU6XuzD7KbaXpGmRev g=
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/XYvwh-llHq2mnbtauUEpD4ynI0I>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jan 2018 23:54:53 -0000
martinthomson commented on this pull request.
>
~~~
- struct {
- uint16 length = Length;
- opaque label<6..255> = "QUIC " + Label;
- uint8 hashLength = 0;
- } QuicHkdfLabel;
+struct {
+ uint16 length = Length;
+ opaque label<6..255> = "QUIC " + Label;
+ uint8 connectionId<0>;
Hmm, I meant to check up on this, and now that I have, I don't actually know how `<0>` would be encoded.
> -TLS state machine reports that the ClientHello has been sent, the 0-RTT keys can
-be generated and installed for writing. When the TLS state machine reports
-completion of the handshake, the 1-RTT keys can be generated and installed for
-writing.
+Note:
+
+: A connection ID might be omitted from the encoding of a packet, as is
+ permitted when the omit_connection_id transport parameter is used, but the
+ connection ID is still used by QHKDF-Expand to derive these values.
+
+The QUIC record protection initially starts with keying material derived from
+handshake keys. When the TLS state machine reports that the ClientHello has
+been sent, 0-RTT keys can be generated and installed for writing, if 0-RTT is
+available. Finally, the TLS state machine reports completion of the handshake,
+the 1-RTT keys can be generated and installed for writing. Additionally, new
+keys are installed each time that the connection ID changes.
Key updates in TLS are mentioned elsewhere, I think. We don't need to use them.
> @@ -606,9 +606,12 @@ A Retry packet uses long headers with a type value of 0x7E. It carries
cryptographic handshake messages and acknowledgments. It is used by a server
that wishes to perform a stateless retry (see {{stateless-retry}}).
-The packet number and connection ID fields echo the corresponding fields from
-the triggering client packet. This allows a client to verify that the server
-received its packet.
+The connection ID field echoes the corresponding fields from the triggering
+client packet. This allows a client to correlate a Retry with the Initial
+packet that it sends that the server received its packet.
It's also wrong :/
> @@ -642,11 +645,11 @@ server and client.
The connection ID field in a Handshake packet contains a connection ID
that is chosen by the server (see {{connection-id}}).
-The first Handshake packet sent by a server contains a randomized packet number.
-This value is increased for each subsequent packet sent by the server as
-described in {{packet-numbers}}. The client increments the packet number from
-its previous packet by one for each Handshake packet that it sends (which might
-be an Initial, 0-RTT Protected, or Handshake packet).
+The first Handshake packet sent by a server contains a packet number of 0. This
+value is increased for each subsequent packet sent by the server as described in
+{{packet-numbers}}. The client increments the packet number from its previous
+packet by one for each packet that it sends (which might be an
+Initial, 0-RTT Protected, or Handshake packet).
Trimmed down.
> @@ -707,8 +710,8 @@ packets MUST use connection ID selected by the client.
The packet number is an integer in the range 0 to 2^62-1. The value is used in
determining the cryptographic nonce for packet encryption. Each endpoint
maintains a separate packet number for sending and receiving. The packet number
-for sending MUST increase by at least one after sending any packet, unless
-otherwise specified (see {{initial-packet-number}}).
+for sending starts at zero for the first packet set and MUST increase by one
+after sending a packet.
That was an error. I wish that we had a better defense against optimistic ACK attacks though.
> +packet_number = (masked_packet_number - pn_mask) MOD num_values
+~~~
+
+Packet numbers are not obscured when encoded in frames, such as ACK
+({{frame-ack}}).
+
+These changes are applied before packet protection, so the additional
+authenticated data (AAD) input includes masked values.
+
+These are not true cryptographic confidentiality protections, so entities other
+than endpoints are likely to be able to recover the underlying values by
+observing multiple packets. For instance, in this version of QUIC, packet
+numbers still increase monotonically as long as the connection ID remains
+constant. However, these values are different for client and server, and they
+change when a connection ID changes, together ensuring that flows with different
+connection IDs are not linkable based on the value of these fields.
I believe that this is true as qualified. Based on the values of these fields alone there isn't linkability: they are effectively random. There are ways to mess this up (and multipath will definitely risk doing that).
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/1043#discussion_r160580026
- [quicwg/base-drafts] Mask packet numbers with a p… Martin Thomson
- Re: [quicwg/base-drafts] Mask packet numbers with… MikkelFJ
- Re: [quicwg/base-drafts] Mask packet numbers with… Martin Thomson
- Re: [quicwg/base-drafts] Mask packet numbers with… Martin Thomson
- Re: [quicwg/base-drafts] Mask packet numbers with… MikkelFJ
- Re: [quicwg/base-drafts] Mask packet numbers with… Marten Seemann
- Re: [quicwg/base-drafts] Mask packet numbers with… Mike Bishop
- Re: [quicwg/base-drafts] Mask packet numbers with… ianswett
- Re: [quicwg/base-drafts] Mask packet numbers with… Martin Thomson
- Re: [quicwg/base-drafts] Mask packet numbers with… Martin Thomson
- Re: [quicwg/base-drafts] Mask packet numbers with… Martin Thomson
- Re: [quicwg/base-drafts] Mask packet numbers with… Martin Thomson