Re: [quicwg/base-drafts] Don't allow use of AEAD_AES_128_CCM_8 (#2029)

Martin Thomson <notifications@github.com> Mon, 26 November 2018 03:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/cEqGbufhJRcYzjUoLujUgPVFqCg>

martinthomson commented on this pull request.

> @@ -780,9 +780,12 @@ connection ID in the client's first Initial packet (see {{initial-secrets}}).
 This provides protection against off-path attackers and robustness against QUIC
 version unaware middleboxes, but not against on-path attackers.
 
-All ciphersuites currently defined for TLS 1.3 - and therefore QUIC - have a
-16-byte authentication tag and produce an output 16 bytes larger than their
-input.
+QUIC can use any of the ciphersuites defined in {{!TLS13}} with the exception of
+TLS_AES_128_CCM_8_SHA256.  The AEAD for that ciphersuite, AEAD_AES_128_CCM_8
+{{?CCM=RFC6655}}, does not produce a large enough authentication tag for use
+with header protection ({{header-protect}}).  All other ciphersuites defined in
+{{!TLS13}} have a 16-byte authentication tag and produce an output 16 bytes
+larger than their input.
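Review bot: the added sentence "does not produce a large enough authentication tag for use with header protection ({{header-protect}})" gives the conclusion but not the property it follows from, so a reader cannot check why an 8-byte tag fails while a 16-byte tag is sufficient; consider stating the requirement header protection places on the AEAD (the minimum ciphertext expansion it relies on) and then noting that AEAD_AES_128_CCM_8 falls short of it, which also keeps the text from reading as a blanket ban on any future AEAD that is paired with a different header protection design. Relatedly, "All other ciphersuites defined in {{!TLS13}} have a 16-byte authentication tag" now restricts the earlier, broader claim to the {{!TLS13}} list; if that narrowing is intended, a short note that later-registered suites must satisfy the same expansion requirement would make the rule explicit.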

I broadly agree, though I don't think that we can do (1) here because we don't know what PNE scheme might be devised to be paired with some future AEAD.  It seems like we have a requirement now, but something like FFX might be OK with a smaller sample.  I would prefer, as this does, to simply say that CCM_8 doesn't have a large enough expansion to use with the header protection schemes we have defined.

Should someone address the second question (and the question of whom to convince of this is interesting, but within the IETF it's clearly TLS), and design a header protection scheme based on that, then my hope is that this text wouldn't prevent them from using that.

https://github.com/quicwg/base-drafts/pull/2029#discussion_r236113733