Re: [quicwg/base-drafts] Why does stateless reset have to be checked after MAC failure (#2152)

Kazuho Oku <> Tue, 27 August 2019 17:29 UTC


OK. For comparing each reset token, I think using a PRP can be considered a way of implementing constant-time comparison.

Then, the discussion would be whether we should state something like: "lookup of stateless reset tokens MUST NOT leak timing information. Such a lookup table can, for example, be implemented by using PRP(stateless_reset_token) instead of the stateless reset token itself for lookup and for comparing the values."
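As an added example (not code from this thread or from any QUIC implementation), a Go sketch of the lookup the comment describes: the table is keyed on AES(k, token), a PRP under a secret per-process key, instead of on the token itself, so neither the hash bucket probed nor the map's key comparison depends on a value the sender of a datagram can predict. The type and function names, the connection-identifier strings, and the fixed key used in the test are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// A stateless reset is at least 21 bytes and carries the token as its last 16.
const minStatelessResetLen = 21

type StatelessResetToken [16]byte
// ResetTokenTable is keyed on PRP(token) rather than on the token itself. The
// PRP is AES under a secret per-process key, so the bucket probed and the map's
// key comparison depend only on values the sender cannot compute.
type ResetTokenTable struct {
	prp   cipher.Block
	table map[[16]byte]string // PRP(token) -> connection identifier (hypothetical)
}

// NewResetTokenTable takes a 16-byte AES key; a real endpoint draws it once
// from crypto/rand and never lets it leave the process.
func NewResetTokenTable(key []byte) (*ResetTokenTable, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &ResetTokenTable{prp: block, table: map[[16]byte]string{}}, nil
}

func (t *ResetTokenTable) permute(tok StatelessResetToken) (out [16]byte) {
	t.prp.Encrypt(out[:], tok[:])
	return out
}

// Add registers the token the peer advertised for connID.
func (t *ResetTokenTable) Add(tok StatelessResetToken, connID string) {
	t.table[t.permute(tok)] = connID
}

// Lookup runs after packet protection removal has failed: the datagram's
// trailing 16 bytes are the candidate token, and only its permutation is looked up.
func (t *ResetTokenTable) Lookup(datagram []byte) (string, bool) {
	if len(datagram) < minStatelessResetLen {
		return "", false
	}
	var tok StatelessResetToken
	copy(tok[:], datagram[len(datagram)-16:])
	connID, ok := t.table[t.permute(tok)]
	return connID, ok
}
```

The map lookup itself is not constant-time, which is the point of the construction: whatever timing it leaks is a function of AES(k, token), not of the token an attacker chose.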
