Re: [quicwg/base-drafts] Preventing KEY_PHASE bit from being used as a tool to correlate CIDs (#1322)

Martin Thomson <notifications@github.com> Fri, 04 May 2018 01:47 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D92B812D941 for <quic-issues@ietfa.amsl.com>; Thu, 3 May 2018 18:47:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.75
X-Spam-Level:
X-Spam-Status: No, score=-7.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JO1Obqw0Kv-L for <quic-issues@ietfa.amsl.com>; Thu, 3 May 2018 18:47:50 -0700 (PDT)
Received: from out-4.smtp.github.com (out-4.smtp.github.com [192.30.252.195]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C991A12D889 for <quic-issues@ietf.org>; Thu, 3 May 2018 18:47:50 -0700 (PDT)
Date: Thu, 03 May 2018 18:47:50 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1525398470; bh=MIecW7sSUxllEan0PC2u1l0HBUJdAwZTKDhSeRRcRag=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=nYPXqNHZyKTbU4opD6FIB7nXufQw1wxx/SGrEbVEKUUINLtz+lgyYCN05RVIwvQgG 2EZY76JJko6vmltttXeiTdcovPdXn5zXGaGueXQwDPgiTcukwQrigUKhydpv6oc776 LogL8FXLCxoGY1SiFOpx93+LWDqtMIfZkLi6dNmw=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4abe17441f3b91d56d9cc3d76106c1f33804e57b39792cf0000000117037dc692a169ce12e69628@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1322/386486688@github.com>
In-Reply-To: <quicwg/base-drafts/issues/1322@github.com>
References: <quicwg/base-drafts/issues/1322@github.com>
Subject: Re: [quicwg/base-drafts] Preventing KEY_PHASE bit from being used as a tool to correlate CIDs (#1322)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5aebbbc62f087_2a5df3f89e205ef78107731"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/_qMNwuquehiYDuk8H9KT3KlJrOg>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 01:47:53 -0000

I don't think that PN mod 2<sup>32</sup> works without trial decryption.

Let's say that we have an 8 bit encoding and we are approaching the crossover point.  When the crossover happens, the recipient uses the old PN key and gets a random 8 bit value, which might be a valid value less than the crossover point.  That packet will fail to be decrypted.

I also agree with @marten-seemann that we should favour designs that are based on explicit signals rather than simple counts.  2<sup>32</sup> is large enough that some implementations might not encounter the rollover point.  I have experience with fixed rollovers in NSS and testing them is ugly.  On the other hand, sending KeyUpdate is easy.  I don't think that a randomized packet number is the right fix for that.

Finally, though I suspect @janaiyengar is right with respect to per-CID spaces, but the decision to roll keys based on a change in connection ID can be made without going that far.  All we need to do is decide to keep the sequencing of connection IDs.  We also need to recognize that two sets of keys might be maintained for some time during migration; that would be somewhat longer than the text currently suggests because of probing, but it's not that much.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/1322#issuecomment-386486688