IETF Logo Mail Archive

Re: [quicwg/base-drafts] Perform stateless reset token comparisons in constant time (#2993)

Marten Seemann <notifications@github.com> Tue, 03 September 2019 22:45 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A2A712008A for <quic-issues@ietfa.amsl.com>; Tue, 3 Sep 2019 15:45:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.382
X-Spam-Level:
X-Spam-Status: No, score=-6.382 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tyJO4oonzz9p for <quic-issues@ietfa.amsl.com>; Tue, 3 Sep 2019 15:45:35 -0700 (PDT)
Received: from out-22.smtp.github.com (out-22.smtp.github.com [192.30.252.205]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB9AA120044 for <quic-issues@ietf.org>; Tue, 3 Sep 2019 15:45:34 -0700 (PDT)
Date: Tue, 03 Sep 2019 15:45:34 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1567550734; bh=rShRt+BfZVOxMt+bZP0KK4HQr9j8f4PZEbob25t0axY=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=IWmJtPT0EWnyYTIoXD1DYx7PKETHPeoy9smMiw/RCaaIRf8s+MN4VTREn9VqOljHB axmRoH3wL/PCKhF6f2oJmn8qr9KxsbdcRlpWzQUFeponBvdK+tue1j4HROF6GqO3+W 25pgGM6qwqoFq0C9oLF9svVYcmMc5U53r4MHvLOE=
From: Marten Seemann <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKZQHXMRDXMK7OCSZKF3PQPY5EVBNHHBZ4IYAM@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2993/c527669147@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2993@github.com>
References: <quicwg/base-drafts/pull/2993@github.com>
Subject: Re: [quicwg/base-drafts] Perform stateless reset token comparisons in constant time (#2993)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d6eed0e241ef_20703f8ddeecd960753b1"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: marten-seemann
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/f67Lq2uNORWn_JBYVdInwLpcVHM>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 22:45:36 -0000

Maybe I'm missing something obvious here, but how is this easy to implement?

In my implementation, I have a map of reset tokens -> connections. Unless I switch to a constant time map implementation (the standard library doesn't provide one, you'd have to write that yourself), the comparisons are (probably?) not constant time. Given that this would cause some considerable complexity, I don't think it's worth defending against this rather uninteresting attack, and I'm not sure if a MUST is the right way to go here.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2993#issuecomment-527669147

v2.23.0 | Report a Bug | By Email