IETF Logo Mail Archive

Re: [quicwg/base-drafts] Stateless Reset needs "on-path" proof (#1230)

Martin Thomson <notifications@github.com> Tue, 10 April 2018 03:09 UTC

Return-Path: <bounces+848413-a050-quic-issues=ietf.org@sgmail.github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70AFF127058 for <quic-issues@ietfa.amsl.com>; Mon, 9 Apr 2018 20:09:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.009
X-Spam-Level:
X-Spam-Status: No, score=-3.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jp-5C6kDSZbS for <quic-issues@ietfa.amsl.com>; Mon, 9 Apr 2018 20:09:43 -0700 (PDT)
Received: from o6.sgmail.github.com (o6.sgmail.github.com [192.254.113.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F144126D45 for <quic-issues@ietf.org>; Mon, 9 Apr 2018 20:09:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=github.com; h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe; s=s20150108; bh=FHVtexp8HogKvSDcGm2m5k6B5cw=; b=eUWscu5w8hhR4DMC NqlyyD5OQQRbdO6WAmgqv9Pag7t/OeFhpu7+SpVDXwkxDs7BEKhN6RiaAHPZ20mQ LTCvK1RovEWPxWI7Rwrih5qlySo3crjiXeDNwdHGGz0j91Bv/I5exJdOdA8/CRJZ q1LbZurcr6eneN4eBTJSKQ5OAkk=
Received: by filter0562p1mdw1.sendgrid.net with SMTP id filter0562p1mdw1-21916-5ACC2AF5-F 2018-04-10 03:09:41.842617838 +0000 UTC
Received: from smtp.github.com (out-1.smtp.github.com [192.30.252.192]) by ismtpd0010p1iad2.sendgrid.net (SG) with ESMTP id I877Tlp3ReSH5EF83D6DrA for <quic-issues@ietf.org>; Tue, 10 Apr 2018 03:09:41.867 +0000 (UTC)
Date: Tue, 10 Apr 2018 03:09:41 +0000
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab4ed9371d2284288798a55595d65c948e00607bf992cf0000000116e3ecf592a169ce12414b9e@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1230/379959752@github.com>
In-Reply-To: <quicwg/base-drafts/issues/1230@github.com>
References: <quicwg/base-drafts/issues/1230@github.com>
Subject: Re: [quicwg/base-drafts] Stateless Reset needs "on-path" proof (#1230)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5acc2af5b3774_36013f98424a8f34216293"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
X-SG-EID: l64QuQ2uJCcEyUykJbxN122A6QRmEpucztpreh3Pak2X+q4CiHabI+tHtJlpqu/DDBYFvjHc8mA3vM C9AiY+JkidgF/rSTJegau2Qu0REiaXz4noISDFf7VZz23/JTkTSo2apSFqxyjP24JH2kxGKrDX+wFO Bxq2gSwHv7vGru4aIFdaZPaCrX5O1mvoFvwtLQNo2vYlxkeHn9unr/MDtrVedVN/T5a+xlx5emqmmq 8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/ap-gJO6mfNHDkn1nA1Tgfd4Spfw>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2018 03:09:45 -0000

Yes, if the extent of the state storage distribution matches the extent of the key distribution, which is a natural design, then this is naturally OK.

@kazuho, I'm struggling with your state store ID design.  If the state and key storage is co-extant, then the packet that hits a different store will generate a response that the client won't recognize as a valid stateless reset.  So I'm failing to see how the extra steps you describe help with the problem.

Unless you are suggesting that this key needs to be global (unlike the token, which is scoped to a particular zone).  I don't think going global works though.  An attacker can obtain a key for a given connection ID in one cluster and use it - in combination with the stateless reset oracle Mike described - to attack another.

If we wanted to prove that the server can generate the Stateless Reset without compromising later uses of the Stateless Reset, then we could feed the incoming packet into the process.  For example, rather than include the token in the stateless reset directly, it includes a constant value that is generated by using `HMAC(token, some fixed content)` (or use HKDF[1]).  A client can use that to detect that this is a stateless reset.  In addition, the reset might also include a separate proof of receipt such as `HMAC(token, incoming packet or part thereof)`.  A client might choose to ignore a stateless reset that had an invalid secondary proof.

Of course, the risk here is that clients don't track enough from their outbound packets to reconstruct the input to the HMAC.  After all, it requires tracking packet ciphertext - no other part of a packet is unpredictable enough.  So they might have to treat receipt of a possible stateless reset as a trigger to enable whatever tracking they need, after which they send another packet and hopefully get a stateless reset.  Aside from adding a whole round trip to the process, it just more than doubled the cost of a stateless reset at the server.

[1] We originally have another hash for stateless resets, but removed that in favour of the current, simpler design.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/1230#issuecomment-379959752

v2.38.3 | Report a Bug | By Email | System Status