Re: [quicwg/base-drafts] Expand AEAD limits to consider multi-user security. (#3789)

Jana Iyengar <notifications@github.com> Fri, 26 June 2020 00:59 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BC373A1046 for <quic-issues@ietfa.amsl.com>; Thu, 25 Jun 2020 17:59:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.101
X-Spam-Level:
X-Spam-Status: No, score=-3.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XrMy0zXh1lQm for <quic-issues@ietfa.amsl.com>; Thu, 25 Jun 2020 17:59:53 -0700 (PDT)
Received: from out-28.smtp.github.com (out-28.smtp.github.com [192.30.252.211]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72BF93A1021 for <quic-issues@ietf.org>; Thu, 25 Jun 2020 17:59:53 -0700 (PDT)
Received: from github-lowworker-ca235ff.ash1-iad.github.net (github-lowworker-ca235ff.ash1-iad.github.net [10.56.110.15]) by smtp.github.com (Postfix) with ESMTP id 70B128C0528 for <quic-issues@ietf.org>; Thu, 25 Jun 2020 17:59:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1593133192; bh=7iUcYp4T8+lnG29UoJv39LtUTShOJQDIMwuUkj+XwA4=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=FnEPmWmAlucPy1r46F2G/BROd9qZtcs8l4SVWRr/emGuIFtZbqfPjx9PzD2ORo3sW D9u7DIAr/4WbTvMBcitUMnByooP270b7SugwqnZ/Fg5LlkEnOHVZ8Wvilajb6t+p7+ 8hdOE0XxRLIhuOrC0zNf3jkRdv4I9Mp9IxsrSBZk=
Date: Thu, 25 Jun 2020 17:59:52 -0700
From: Jana Iyengar <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK3QUXK4S7NDH4FRD3F5AEUYREVBNHHCM4U4BA@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3789/review/437946485@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3789@github.com>
References: <quicwg/base-drafts/pull/3789@github.com>
Subject: Re: [quicwg/base-drafts] Expand AEAD limits to consider multi-user security. (#3789)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5ef548886097b_3b4a3fefbaccd960732c5"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: janaiyengar
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/_m1AJjd-fu-rRD5P7VZroe1dD-A>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 00:59:56 -0000

@janaiyengar commented on this pull request.

Thank you for the PR, @chris-wood ! A few comments.

> @@ -2207,10 +2206,14 @@ v:
   bound on the number of forged packets that an endpoint can reject before
   updating keys.
 
-The analysis of AEAD_AES_128_CCM relies on a count of the number of block
-operations involved in producing each message. For simplicity, and to match the
-analysis of other AEAD functions in {{AEBounds}}, this analysis assumes a
-packet length of 2^10 blocks and a packet size limit of 2^14.
+o:
+
+: The amount of offline ideal cipher queries made by an adversary.
+
+The analyses that follow rely on a count of the number of block operations
+involved in producing each message. For simplicity, and to match the analysis of
+other AEAD functions in {{AEBounds}}, this analysis assumes a packet length of
+2^10 blocks; that is, a packet size limit of 2^14 bytes.

I don't understand how this impacts the analysis, but why is packet size 2^14 bytes? For QUIC, I would suggest that 2^11 ought to be adequate (if a larger packet size is more conservative).

> +
+~~~
+(q + v) <= 2^28
+~~~
+
+Assuming `v = q`, endpoints cannot protect more than 2^27 packets in a single
+connection without causing an attacker to gain an larger advantage than the
+target of 2^-60.
+
+### Integrity Limit
+
+For integrity, Theorem (4.3) in {{?GCM-MU}} establishes that an attacker gains
+an advantage in successfully forging a packet of no more than:
+
+~~~
+(1 / 2^(8 * n)) + ((2 * v) / 2^2*n) + ((2 * o * v) / 2^(k + n))

```suggestion
(1 / 2^(8 * n)) + ((2 * v) / 2^(2 * n)) + ((2 * o * v) / 2^(k + n))
```
?

>  
-Key updates MUST be initiated before usage limits on packet protection keys are
-exceeded. For the cipher suites mentioned in this document, the limits in
-Section 5.5 of {{!TLS13}} apply. {{!TLS13}} does not specify a limit for
-AEAD_AES_128_CCM, but the analysis in {{ccm-bounds}} shows that a limit of 2^23
-packets can be used to obtain the same confidentiality protection as the limits
-specified in TLS.
+This document sets usage limits for AEAD algorithms to ensure that overuse does
+not give an adversary a disproportionate advantage in attacking the
+confidentiality and integrity of communications.

```suggestion
confidentiality and integrity of communications when using QUIC.
```

> +If the number of packets sent or fail authentication within the connection
+(across all keys) exceeds a limit that is specific to the AEAD in use, the
+endpoint MUST immediately close the connection and not attempt to process any
+further packets.  Applying a limit reduces the probability that an attacker can
+successfully forge a packet; see {{AEBounds}}, {{ROBUST}}, and {{?GCM-MU}}.
+
+A connection MUST be closed if the number of packets that fail authentication
+exceed the integrity limit for the selected AEAD. For AEAD_AES_128_GCM, and the
+integrity limit is 2^54 encrypted or forged packets; see {{gcm-bounds}}.  For
+AEAD_CHACHA20_POLY1305, the limit on number of packets that fail authentication
+is 2^36; see {{AEBounds}}.  For AEAD_AES_128_CCM, the integrity limit is 2^23.5
+forged packets; see {{ccm-bounds}}.

There seems to be some redundancy and some inconsistencies in the text heree, I've tried to clean it up a bit. See if the following is accurate.
```suggestion
If the total number of received packets that fail authentication within the
connection, across all keys, exceeds the integrity limit for the selected AEAD,
the endpoint MUST immediately close the connection and not process any more
packets. For AEAD_AES_128_GCM, the integrity limit is 2^54 forged packets; see
{{gcm-bounds}}. For AEAD_CHACHA20_POLY1305, the integrity limit is 2^36
forged packets; see {{AEBounds}}. For AEAD_AES_128_CCM, the integrity limit
is 2^23.5 forged packets; see {{ccm-bounds}}. Applying this limit reduces the
probability that an attacker can successfully forge a packet; see {{AEBounds}},
{{ROBUST}}, and {{?GCM-MU}}.
```

> -  This means that packets that fail authentication will often use the packet
-  protection keys from the next key phase.  It is therefore necessary to also
-  track the number of packets that fail authentication with the next set of
-  packet protection keys.  To avoid exhaustion of both sets of keys, it might be
-  necessary to initiate two key updates in succession.
-
-For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305, the limit on
-the number of packets that fail authentication is 2^36.  Note that the analysis
-in {{AEBounds}} supports a higher limit for the AEAD_AES_128_GCM and
-AEAD_AES_256_GCM, but this specification recommends a lower limit.  For
-AEAD_AES_128_CCM, the limit on the number of packets that fail authentication
-is 2^23.5; see {{ccm-bounds}}.
+Endpoints MUST count the number of encrypted packets for each set of keys. If
+the number of encrypted packets with the same key exceeds a limit that is
+specific to the AEAD in use, the endpoint MUST stop using those keys. If a key
+update is not possible, the endpoint MUST immediately close the connection.

Should an error code specified here? How is the endpoint closing the connection?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3789#pullrequestreview-437946485