Re: [quicwg/base-drafts] Reference "Nonces are Noticed" in the header protection analysis section (#3031)

Christopher Wood <notifications@github.com> Wed, 18 September 2019 01:51 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71A38120131 for <quic-issues@ietfa.amsl.com>; Tue, 17 Sep 2019 18:51:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.898
X-Spam-Level:
X-Spam-Status: No, score=-7.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tXXAiQbuR1ks for <quic-issues@ietfa.amsl.com>; Tue, 17 Sep 2019 18:51:43 -0700 (PDT)
Received: from out-17.smtp.github.com (out-17.smtp.github.com [192.30.252.200]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 432CA12011E for <quic-issues@ietf.org>; Tue, 17 Sep 2019 18:51:43 -0700 (PDT)
Received: from github-lowworker-d93c4b6.va3-iad.github.net (github-lowworker-d93c4b6.va3-iad.github.net [10.48.17.47]) by smtp.github.com (Postfix) with ESMTP id A5D206E005C for <quic-issues@ietf.org>; Tue, 17 Sep 2019 18:51:42 -0700 (PDT)
Date: Tue, 17 Sep 2019 18:51:42 -0700
From: Christopher Wood <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK2CFKBZW3FLZVI75U53R3HD5EVBNHHB22UPUM@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3031/review/289632396@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3031@github.com>
References: <quicwg/base-drafts/pull/3031@github.com>
Subject: Re: [quicwg/base-drafts] Reference "Nonces are Noticed" in the header protection analysis section (#3031)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d818dae950d5_1abd3fe7b2acd968224460"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: chris-wood
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/fGYiWLJtVNwId3lbnsE9L6Z7c-4>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2019 01:51:46 -0000

chris-wood commented on this pull request.



> @@ -1440,12 +1441,13 @@ Header protection uses the output of the packet protection AEAD to derive
 protected_field = field XOR PRF(hp_key, sample)
 ~~~
 
-Assuming hp_key is distinct from the packet protection key, this construction
-(HN1) achieves AE2 security and therefore guarantees privacy of `field`, the
-protected packet header. One important distinction between HN1 and the header
-protection construction in this document is that the latter uses an AEAD
-algorithm as the PRF. However, since the encrypted output of an AEAD is
-pseudorandom {{DefnAEAD}}, this achieves the properties desired from a PRF.
+As `hp_key` is distinct from the packet protection key, this construction
+(HN1) achieves AE2 security as defined in {{NAN}} and therefore guarantees
+privacy of `field`, the protected packet header. One important distinction
+between HN1 and the header protection construction in this document is that
+the latter uses an AEAD algorithm as the PRF. However, since the encrypted
+output of an AEAD is pseudorandom {{DefnAEAD}}, this achieves the properties
+desired from a PRF.

Ah, right! I was operating under the assumption that we used AEADs for the mask, but we use the primitives. Since those are PRPs and therefore PRFs, this becomes much simpler. Stay tuned for an update!

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3031#discussion_r325452531