[quicwg/base-drafts] Invariants does not support public signatures on version negotiation (#1246)

MikkelFJ <notifications@github.com> Wed, 21 March 2018 14:09 UTC

Date: Wed, 21 Mar 2018 07:09:48 -0700
From: MikkelFJ <notifications@github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1246@github.com>
Subject: [quicwg/base-drafts] Invariants does not support public signatures on version negotiation (#1246)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/aP_EpP86JdtzvJxaUniD59OTSG0>
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>

Invariants do not allow for future public signatures on the version negotiation packet.

Specific versions can of course add their own packets, but it would be better if the version negotiation packet had room for a signature that future versions could evaluate.
Doing this later in the handshake reduces the defense against handshake attacks from man-on-the-side.

The connection ID swaps the source and destination in the server transmitted vneg packet. This adds a reasonable defense against off-path attacks but makes it impossible to use the source ID for a server signature.

A simple solution would be to allow the server to replace part of the source ID with a public signature while preserving at least 64 octets from the client. This leaves 144 - 64 = 80 octets for a public signature. Ed25519 signatures are 64 octets, which then leaves room for an additional 80 - 64 = 16 octets for a public key identifier. Ed25519 might turn out to be weak and longer signatures would then be required. Therefore an alternative proposal would be to allow a server to append a signature after the version list. This requires a length field at the start of the version list.

NOTE: the algorithm should be left unspecified - but reserving 80 octets would allow future versions some room.

I would prefer adding a length field and allowing for future data.

Quote from invariants draft 01:

> Version Negotiation packets do not use integrity or confidentiality
> protection. A specific QUIC version might authenticate the packet as
> part of its connection establishment process.

Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/1246
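The following is an added example, not code from the issue author or from the QUIC working group, showing what the proposal above would look like on the wire and what a client would check. It assumes a hypothetical encoding that no draft specifies: a draft-era long header (Version 0, connection ID lengths in one nibble byte as length-3), a 2-octet length field in front of the version list, then a 16-octet key identifier and a 64-octet Ed25519 signature over every preceding octet. The client's table of trusted keys (`trusted`) is assumed to be pinned or learned out of band; all connection IDs and version numbers are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Sizes from the issue's proposal (hypothetical, not from any draft):
// a 16-octet key identifier and a 64-octet Ed25519 signature.
const (
	keyIDLen = 16
	sigLen   = ed25519.SignatureSize
)

// cidLenNibble encodes a connection ID length the way draft-era long
// headers did: 0 for absent, otherwise length-3 for lengths 4..18.
func cidLenNibble(n int) (byte, error) {
	if n == 0 {
		return 0, nil
	}
	if n < 4 || n > 18 {
		return 0, fmt.Errorf("connection ID length %d not encodable", n)
	}
	return byte(n - 3), nil
}

func nibbleToLen(b byte) int {
	if b == 0 {
		return 0
	}
	return int(b) + 3
}

// BuildSignedVN builds the server's Version Negotiation reply to a client
// Initial that carried (clientDCID, clientSCID). As the invariants require,
// the server echoes them swapped; the length field, key id and signature
// are the issue's proposal. The signature covers every preceding octet, so
// it is bound to this client's connection IDs and cannot be replayed.
func BuildSignedVN(clientDCID, clientSCID []byte, versions []uint32, keyID []byte, priv ed25519.PrivateKey) ([]byte, error) {
	if len(keyID) != keyIDLen {
		return nil, errors.New("key id must be 16 octets")
	}
	dn, err := cidLenNibble(len(clientSCID)) // becomes the VN packet's DCID
	if err != nil {
		return nil, err
	}
	sn, err := cidLenNibble(len(clientDCID)) // becomes the VN packet's SCID
	if err != nil {
		return nil, err
	}
	var b bytes.Buffer
	b.WriteByte(0x80 | 0x2a)                       // long header bit; low 7 bits are random in the draft, fixed here
	binary.Write(&b, binary.BigEndian, uint32(0)) // Version 0 marks a VN packet
	b.WriteByte(dn<<4 | sn)
	b.Write(clientSCID)
	b.Write(clientDCID)
	binary.Write(&b, binary.BigEndian, uint16(4*len(versions))) // proposed length field
	for _, v := range versions {
		binary.Write(&b, binary.BigEndian, v)
	}
	b.Write(keyID)
	b.Write(ed25519.Sign(priv, b.Bytes()))
	return b.Bytes(), nil
}

// VerifySignedVN is the client-side check. ownDCID/ownSCID are the IDs the
// client put in its Initial; trusted maps key id to a server public key the
// client already holds (assumed pinned or learned out of band).
func VerifySignedVN(pkt []byte, ownDCID, ownSCID []byte, trusted map[string]ed25519.PublicKey) ([]uint32, error) {
	if len(pkt) < 6 || pkt[0]&0x80 == 0 || binary.BigEndian.Uint32(pkt[1:5]) != 0 {
		return nil, errors.New("not a version negotiation packet")
	}
	dl, sl := nibbleToLen(pkt[5]>>4), nibbleToLen(pkt[5]&0x0f)
	p := 6
	if len(pkt) < p+dl+sl+2 {
		return nil, errors.New("truncated connection IDs")
	}
	dcid, scid := pkt[p:p+dl], pkt[p+dl:p+dl+sl]
	p += dl + sl
	// Invariants-level check: the server must echo our IDs swapped. A blind
	// off-path attacker that never saw the Initial cannot produce these.
	if !bytes.Equal(dcid, ownSCID) || !bytes.Equal(scid, ownDCID) {
		return nil, errors.New("connection IDs do not match our Initial")
	}
	vl := int(binary.BigEndian.Uint16(pkt[p : p+2]))
	p += 2
	if vl%4 != 0 || len(pkt) != p+vl+keyIDLen+sigLen {
		return nil, errors.New("bad version list or trailer length")
	}
	versions := make([]uint32, vl/4)
	for i := range versions {
		versions[i] = binary.BigEndian.Uint32(pkt[p+4*i:])
	}
	p += vl
	pub, ok := trusted[string(pkt[p:p+keyIDLen])]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	// A man-on-the-side that saw the Initial can spoof the echoed IDs but,
	// without the server's key, not the signature over them.
	if !ed25519.Verify(pub, pkt[:len(pkt)-sigLen], pkt[len(pkt)-sigLen:]) {
		return nil, errors.New("bad signature")
	}
	return versions, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keyID := make([]byte, keyIDLen)
	if _, err := rand.Read(keyID); err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{string(keyID): pub}
	clientDCID := []byte("srv-initial-cid!") // 16 octets, constructed
	clientSCID := []byte("client-cid")       // 10 octets, constructed

	pkt, err := BuildSignedVN(clientDCID, clientSCID, []uint32{0xff00000a, 0xff000009}, keyID, priv)
	if err != nil {
		panic(err)
	}
	vs, err := VerifySignedVN(pkt, clientDCID, clientSCID, trusted)
	fmt.Printf("genuine: %d versions, err=%v\n", len(vs), err)

	// On-path tampering with the version list breaks the signature.
	bad := append([]byte(nil), pkt...)
	bad[6+len(clientSCID)+len(clientDCID)+2] ^= 0x01
	_, err = VerifySignedVN(bad, clientDCID, clientSCID, trusted)
	fmt.Println("tampered:", err)

	// Man-on-the-side forgery: right IDs and key id, wrong private key.
	_, fpriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := BuildSignedVN(clientDCID, clientSCID, []uint32{0xff000001}, keyID, fpriv)
	_, err = VerifySignedVN(forged, clientDCID, clientSCID, trusted)
	fmt.Println("forged:", err)
}
```

The signature is placed last and computed over everything before it, so the swapped connection IDs and the version list are both authenticated; the length field is what lets a client that does not know the signature algorithm still skip past the trailer, which is the reason the issue asks for it. The key id lookup also makes the caveat visible: a signature only helps a client that already trusts some server key, which the invariants alone cannot deliver.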