IETF Logo Mail Archive

Re: [quicwg/base-drafts] Disallow reuse of stateless reset tokens (#2785)

David Schinazi <notifications@github.com> Wed, 12 June 2019 22:20 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF3591200A1 for <quic-issues@ietfa.amsl.com>; Wed, 12 Jun 2019 15:20:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.008
X-Spam-Level:
X-Spam-Status: No, score=-8.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lpzZcbEjmYMf for <quic-issues@ietfa.amsl.com>; Wed, 12 Jun 2019 15:20:54 -0700 (PDT)
Received: from out-20.smtp.github.com (out-20.smtp.github.com [192.30.252.203]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D20D6120045 for <quic-issues@ietf.org>; Wed, 12 Jun 2019 15:20:53 -0700 (PDT)
Date: Wed, 12 Jun 2019 15:20:52 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1560378052; bh=8845/WpH/tx6frV+o89TxTUp6fjqsexUlOgdSGI/VT4=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=noAHYueJZoVOgBSrLcGoVkJ86Fh80QHA1Iq2gZSfB2LMAcZzg6ZrrWEkXhGACR8t9 Z4FDIw9HjyZkJhHCWUROZ7emztpUCzd7TX2ccy8TEOlqc5Jh9aBkOvq140XL64RdPY PvXkJndaIywVS0yGnmdjh83wndgh7yucTNQUA2Io=
From: David Schinazi <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK3VZW4XMVTAXLNXOJF3B2WUJEVBNHHBWJFGY4@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2785/501475877@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2785@github.com>
References: <quicwg/base-drafts/issues/2785@github.com>
Subject: Re: [quicwg/base-drafts] Disallow reuse of stateless reset tokens (#2785)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d017ac48aec2_60aa3fa7fc6cd96c27455e"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: DavidSchinazi
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/YUSxtCnKY9tMNXFz0zWlQsT5uSI>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 22:20:56 -0000

I don't think #2769 introduces this issue. It does make it worse but the issue was already present. It's reasonable for a server implementation to drop a CID from their state when the client retires it.

There are two options to guarantee safety:
1. make sure each CID has a distinct SRT
2. make sure once a CID is sent in NEW_CONNECTION_ID it always routes back to this connection

I think (1) is simpler and giving implementations two options here not only makes the spec more complicated, but can also lead to accidental vulnerabilities.

I think it would be safer for the implementations you mention to use `HMAC(srt_key, conn_id || path_index)` to generate their SRT. That also makes it simpler to generate the SRT from the cleartext CID.

In general, it's been this spec philosophy to add constraints that can be verified by the peer whenever possible. Forcing distinct CIDs ensures verifiable security whereas requiring that CIDs get routed appropriately for the duration of the connection is not enforceable and therefore easier to get wrong.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/2785#issuecomment-501475877

v2.23.0 | Report a Bug | By Email