Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 2D8BD12008A
 for <quic-issues@ietfa.amsl.com>; Mon, 26 Aug 2019 15:37:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Level: 
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, 
 DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1,
 RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
 header.d=github.com
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id fAWfmM7Rh6iS for <quic-issues@ietfa.amsl.com>;
 Mon, 26 Aug 2019 15:37:38 -0700 (PDT)
Received: from out-18.smtp.github.com (out-18.smtp.github.com [192.30.252.201])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 04F26120013
 for <quic-issues@ietf.org>; Mon, 26 Aug 2019 15:37:37 -0700 (PDT)
Date: Mon, 26 Aug 2019 15:37:37 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
 s=pf2014; t=1566859057;
 bh=CJYA7HR+K4A1QWZJBAAaLzfY2ARNAk/PzaoOAebyKO0=;
 h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID:
 List-Archive:List-Post:List-Unsubscribe:From;
 b=CCFMRv6UgC1ylT8TgRpKVs2QMoLgPw/fJiHta218/M9/EZ8gplXPbnoY1iq95A26R
 vPBwIkkIRUsboORSIZzixbOm2fyrBe6fQJTITrJPOa+mLubMtZdvWTGo1dfbBGlxAw
 80zN9IbB4hgJEmd5jASMj+J/6Hrnn7XWfCI5fWBw=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts
 <reply+AFTOJK7F2EVLNME3XBI6NE53OGB2DEVBNHHBWLWXFE@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2791/review/279593687@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2791@github.com>
References: <quicwg/base-drafts/pull/2791@github.com>
Subject: Re: [quicwg/base-drafts] Receiver's behavior on key update (#2791)
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--==_mimepart_5d645f312f139_342c3f8e272cd9644912a4";
 charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/Xb4LAsvBslQCScWHkOpcDyIARmA>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG
 <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>,
 <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>,
 <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Aug 2019 22:37:40 -0000


----==_mimepart_5d645f312f139_342c3f8e272cd9644912a4
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

martinthomson commented on this pull request.



> -what it is expecting.  It creates a new secret (see Section 7.2 of {{!TLS13}})
-and the corresponding read key and IV using the KDF function provided by TLS.
-The header protection key is not updated.
-
-If the packet can be decrypted and authenticated using the updated key and IV,
-then the keys the endpoint uses for packet protection are also updated.  The
-next packet sent by the endpoint MUST then use the new keys.  Once an endpoint
-has sent a packet encrypted with a given key phase, it MUST NOT send a packet
-encrypted with an older key phase.
+While only one send key is used at a time, an endpoint MUST retain at least two
+receive keys.
+
+Packets received with the current key phase are unprotected using the
+corresponding receive key.  When a packet arrives with the opposite key phase,
+an endpoint determines which receive key to use by tracking the lowest packet
+number among the packets received with the currently key phase.  If a packet is

```suggestion
number among the packets received with the current key phase.  If a packet is
```

> +
+Packets received with the current key phase are unprotected using the
+corresponding receive key.  When a packet arrives with the opposite key phase,
+an endpoint determines which receive key to use by tracking the lowest packet
+number among the packets received with the currently key phase.  If a packet is
+received that has a different KEY_PHASE bit and a lower packet number than this
+value, the endpoint uses the receive key of the previous key phase for
+unprotecting the packet, if that key is available.  If the packet has a higher
+packet number, the endpoint derives the receive key of the next key phase by
+calculating the next secret (see Section 7.2 of {{!TLS13}}), the corresponding
+read key and IV using the KDF function provided by TLS, unless the next receive
+key has already been derived.  The header protection key is not updated.
+
+Once derived, an endpoint retains the receive key of the next key phase, to
+prevent attackers from targeting the calculation process of the next receive key
+as an attack vector.  An endpoint that retains only two receive keys drops the

An attack on what?

> +corresponding receive key.  When a packet arrives with the opposite key phase,
+an endpoint determines which receive key to use by tracking the lowest packet
+number among the packets received with the currently key phase.  If a packet is
+received that has a different KEY_PHASE bit and a lower packet number than this
+value, the endpoint uses the receive key of the previous key phase for
+unprotecting the packet, if that key is available.  If the packet has a higher
+packet number, the endpoint derives the receive key of the next key phase by
+calculating the next secret (see Section 7.2 of {{!TLS13}}), the corresponding
+read key and IV using the KDF function provided by TLS, unless the next receive
+key has already been derived.  The header protection key is not updated.
+
+Once derived, an endpoint retains the receive key of the next key phase, to
+prevent attackers from targeting the calculation process of the next receive key
+as an attack vector.  An endpoint that retains only two receive keys drops the
+receive key of the previous key phase in favor of retaining the next receive
+key.

This has to happen *after* you successfully use the new key.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2791#pullrequestreview-279593687
----==_mimepart_5d645f312f139_342c3f8e272cd9644912a4
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p><b>@martinthomson</b> commented on this pull request.</p>=0D
=0D
<hr>=0D
=0D
<p>In <a href=3D"https://github.com/quicwg/base-drafts/pull/2791#discussi=
on_r317605403">draft-ietf-quic-tls.md</a>:</p>=0D
<pre style=3D'color:#555'>&gt; -what it is expecting.  It creates a new s=
ecret (see Section 7.2 of {{!TLS13}})=0D
-and the corresponding read key and IV using the KDF function provided by=
 TLS.=0D
-The header protection key is not updated.=0D
-=0D
-If the packet can be decrypted and authenticated using the updated key a=
nd IV,=0D
-then the keys the endpoint uses for packet protection are also updated. =
 The=0D
-next packet sent by the endpoint MUST then use the new keys.  Once an en=
dpoint=0D
-has sent a packet encrypted with a given key phase, it MUST NOT send a p=
acket=0D
-encrypted with an older key phase.=0D
+While only one send key is used at a time, an endpoint MUST retain at le=
ast two=0D
+receive keys.=0D
+=0D
+Packets received with the current key phase are unprotected using the=0D=

+corresponding receive key.  When a packet arrives with the opposite key =
phase,=0D
+an endpoint determines which receive key to use by tracking the lowest p=
acket=0D
+number among the packets received with the currently key phase.  If a pa=
cket is=0D
</pre>=0D
=E2=AC=87=EF=B8=8F Suggested change=0D
<pre style=3D"color: #555">-number among the packets received with the cu=
rrently key phase.  If a packet is=0D
+number among the packets received with the current key phase.  If a pack=
et is=0D
</pre>=0D
=0D
=0D
<hr>=0D
=0D
<p>In <a href=3D"https://github.com/quicwg/base-drafts/pull/2791#discussi=
on_r317607419">draft-ietf-quic-tls.md</a>:</p>=0D
<pre style=3D'color:#555'>&gt; +=0D
+Packets received with the current key phase are unprotected using the=0D=

+corresponding receive key.  When a packet arrives with the opposite key =
phase,=0D
+an endpoint determines which receive key to use by tracking the lowest p=
acket=0D
+number among the packets received with the currently key phase.  If a pa=
cket is=0D
+received that has a different KEY_PHASE bit and a lower packet number th=
an this=0D
+value, the endpoint uses the receive key of the previous key phase for=0D=

+unprotecting the packet, if that key is available.  If the packet has a =
higher=0D
+packet number, the endpoint derives the receive key of the next key phas=
e by=0D
+calculating the next secret (see Section 7.2 of {{!TLS13}}), the corresp=
onding=0D
+read key and IV using the KDF function provided by TLS, unless the next =
receive=0D
+key has already been derived.  The header protection key is not updated.=
=0D
+=0D
+Once derived, an endpoint retains the receive key of the next key phase,=
 to=0D
+prevent attackers from targeting the calculation process of the next rec=
eive key=0D
+as an attack vector.  An endpoint that retains only two receive keys dro=
ps the=0D
</pre>=0D
<p>An attack on what?</p>=0D
=0D
<hr>=0D
=0D
<p>In <a href=3D"https://github.com/quicwg/base-drafts/pull/2791#discussi=
on_r317826592">draft-ietf-quic-tls.md</a>:</p>=0D
<pre style=3D'color:#555'>&gt; +corresponding receive key.  When a packet=
 arrives with the opposite key phase,=0D
+an endpoint determines which receive key to use by tracking the lowest p=
acket=0D
+number among the packets received with the currently key phase.  If a pa=
cket is=0D
+received that has a different KEY_PHASE bit and a lower packet number th=
an this=0D
+value, the endpoint uses the receive key of the previous key phase for=0D=

+unprotecting the packet, if that key is available.  If the packet has a =
higher=0D
+packet number, the endpoint derives the receive key of the next key phas=
e by=0D
+calculating the next secret (see Section 7.2 of {{!TLS13}}), the corresp=
onding=0D
+read key and IV using the KDF function provided by TLS, unless the next =
receive=0D
+key has already been derived.  The header protection key is not updated.=
=0D
+=0D
+Once derived, an endpoint retains the receive key of the next key phase,=
 to=0D
+prevent attackers from targeting the calculation process of the next rec=
eive key=0D
+as an attack vector.  An endpoint that retains only two receive keys dro=
ps the=0D
+receive key of the previous key phase in favor of retaining the next rec=
eive=0D
+key.=0D
</pre>=0D
<p>This has to happen <em>after</em> you successfully use the new key.</p=
>=0D
=0D
<p style=3D"font-size:small;-webkit-text-size-adjust:none;color:#666;">&m=
dash;<br />You are receiving this because you are subscribed to this thre=
ad.<br />Reply to this email directly, <a href=3D"https://github.com/quic=
wg/base-drafts/pull/2791?email_source=3Dnotifications&amp;email_token=3DA=
FTOJK7SL7QHIB4MEPPP6WLQGRLLDA5CNFSM4HYEHCK2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJ=
SXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCCVEFVY#pullrequestreview-279593687=
">view it on GitHub</a>, or <a href=3D"https://github.com/notifications/u=
nsubscribe-auth/AFTOJK2X67FHWRPH4W7CNGTQGRLLDANCNFSM4HYEHCKQ">mute the th=
read</a>.<img src=3D"https://github.com/notifications/beacon/AFTOJK5NWPAC=
BBROR4M6ODDQGRLLDA5CNFSM4HYEHCK2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FE=
ZLWNFSXPKTDN5WW2ZLOORPWSZGOCCVEFVY.gif" height=3D"1" width=3D"1" alt=3D""=
 /></p>=0D
<script type=3D"application/ld+json">[=0D
{=0D
"@context": "http://schema.org",=0D
"@type": "EmailMessage",=0D
"potentialAction": {=0D
"@type": "ViewAction",=0D
"target": "https://github.com/quicwg/base-drafts/pull/2791?email_source=3D=
notifications\u0026email_token=3DAFTOJK7SL7QHIB4MEPPP6WLQGRLLDA5CNFSM4HYE=
HCK2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOC=
CVEFVY#pullrequestreview-279593687",=0D
"url": "https://github.com/quicwg/base-drafts/pull/2791?email_source=3Dno=
tifications\u0026email_token=3DAFTOJK7SL7QHIB4MEPPP6WLQGRLLDA5CNFSM4HYEHC=
K2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCCV=
EFVY#pullrequestreview-279593687",=0D
"name": "View Pull Request"=0D
},=0D
"description": "View this Pull Request on GitHub",=0D
"publisher": {=0D
"@type": "Organization",=0D
"name": "GitHub",=0D
"url": "https://github.com"=0D
}=0D
}=0D
]</script>=

----==_mimepart_5d645f312f139_342c3f8e272cd9644912a4--