Re: [quicwg/base-drafts] Server Initial verification for Attacker On The Side defense (#2097)

MikkelFJ <notifications@github.com> Tue, 04 December 2018 22:02 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C23D130E7C for <quic-issues@ietfa.amsl.com>; Tue, 4 Dec 2018 14:02:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.46
X-Spam-Level:
X-Spam-Status: No, score=-9.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tp2Su0KYb4ow for <quic-issues@ietfa.amsl.com>; Tue, 4 Dec 2018 14:02:53 -0800 (PST)
Received: from out-2.smtp.github.com (out-2.smtp.github.com [192.30.252.193]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4470B1294D7 for <quic-issues@ietf.org>; Tue, 4 Dec 2018 14:02:53 -0800 (PST)
Date: Tue, 04 Dec 2018 14:02:52 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1543960972; bh=uRXVn6JFlVEs8UMp/1R/7Pr1gKICLjcKRff7mF3Xqd8=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=RPsfH0DFgPk5BQQSCkcKxEe1ZqtXRYel3LWuUu3K3KmXfykC26Wm6bUo/nWmk1Wum b68dWSFszB/N1cBWhoQeSjlZ8gDlmlQ+ges6zyC6wWwLQ3JGddkWDTkV+9l4UMKVNm xRLIDknvGylWcdzFBibKWhr67eTk81ruc6wEWvaQ=
From: MikkelFJ <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab7349d1dd3f7252f0991924beee617dd09333d1eb92cf00000001181ebb8c92a169ce17184276@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2097/444276041@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2097@github.com>
References: <quicwg/base-drafts/issues/2097@github.com>
Subject: Re: [quicwg/base-drafts] Server Initial verification for Attacker On The Side defense (#2097)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c06f98c10292_43433ff1542d45bc197888"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: mikkelfj
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/in7nL__Jb-q2rcnmVDAmpXXbfts>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2018 22:02:56 -0000

The first scenario can be attacked all the way up to point 8. certificate validation because an attacker seeing only client messages can create its own handshake key that competes with the server. The client will have to process all alternative handshake keys and alternative SCID values until one handshake passes certificate validation.

The second scenario with server token is not an improvement since the attacker can just provide it own fully valid ServerHello with a token. It will also eventually fail certificate, but only after consuming resources.

A fix to the above would be if the client already knows the server public key and the server signs a challenge in the first packet it responds. That challenge could be the ICID. This corresponds to step 4 in the third flow in the above.

If the server knows the clients public key (not usually the case, but can be used server to server), the client can can send a signed nonce.

NOTE: if the ICID is a hash of the ClientHello this prevents an attack where the attacker races a client initial. If the attacker attempts to copy the ICID with its own ClientHello, the handshake key will fail. If the attacker attempts to copy the ICID and the ClientHello, it will just be a retransmission, and the attacker will not have achieved anything. This assumes the initial packet only contains what is hashed in ICID.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/2097#issuecomment-444276041