Re: [quicwg/base-drafts] Expand AEAD limits to consider multi-user security. (#3789)

Martin Thomson <notifications@github.com> Fri, 26 June 2020 01:55 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95A973A10E7 for <quic-issues@ietfa.amsl.com>; Thu, 25 Jun 2020 18:55:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.697
X-Spam-Level:
X-Spam-Status: No, score=-1.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mTXOtC18W6oc for <quic-issues@ietfa.amsl.com>; Thu, 25 Jun 2020 18:55:07 -0700 (PDT)
Received: from out-26.smtp.github.com (out-26.smtp.github.com [192.30.252.209]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA5823A10E6 for <quic-issues@ietf.org>; Thu, 25 Jun 2020 18:55:06 -0700 (PDT)
Received: from github-lowworker-f045d1f.ac4-iad.github.net (github-lowworker-f045d1f.ac4-iad.github.net [10.52.19.54]) by smtp.github.com (Postfix) with ESMTP id 0EC852822D2 for <quic-issues@ietf.org>; Thu, 25 Jun 2020 18:55:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1593136506; bh=qE4Gv+ouhqAJss+8LdzdiJkpqkR0tiT+k99XGqeJO3k=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=CaNWUI9xOBmKSwRP5c+g4ipcCeroiSJL1zvC18N5IdWYQhLmJGFhxqHt/2Q6AbOY6 iIGPUkSmL5J67CqFUDHTlZhKHoayyAYx25OhEF51AmXl3kjU2HeM0Ehuzu5vTxtb4B Pjz1I1WlXKiYhoMo4pKD2kyG33x3rGO+oxgTNVzA=
Date: Thu, 25 Jun 2020 18:55:06 -0700
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK7TMZW7EU6Y5IXORLF5AE3HTEVBNHHCM4U4BA@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3789/review/437967186@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3789@github.com>
References: <quicwg/base-drafts/pull/3789@github.com>
Subject: Re: [quicwg/base-drafts] Expand AEAD limits to consider multi-user security. (#3789)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5ef55579f422e_37e73fbdacccd96460864"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/lpZQhetypurQGYy6dzVKtbqeu5Q>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jun 2020 01:55:09 -0000

@martinthomson commented on this pull request.



> @@ -2207,10 +2206,14 @@ v:
   bound on the number of forged packets that an endpoint can reject before
   updating keys.
 
-The analysis of AEAD_AES_128_CCM relies on a count of the number of block
-operations involved in producing each message. For simplicity, and to match the
-analysis of other AEAD functions in {{AEBounds}}, this analysis assumes a
-packet length of 2^10 blocks and a packet size limit of 2^14.
+o:
+
+: The amount of offline ideal cipher queries made by an adversary.
+
+The analyses that follow rely on a count of the number of block operations
+involved in producing each message. For simplicity, and to match the analysis of
+other AEAD functions in {{AEBounds}}, this analysis assumes a packet length of
+2^10 blocks; that is, a packet size limit of 2^14 bytes.

We decided that matching the TLS analysis in this regard is best.  Using the larger number is more conservative, so the margins in practice will be better than what we have calculated here.

There is of course the theoretical limit on QUIC packets, which is 2^16 bytes or 2^12 blocks, but as you say, they are mostly much smaller.  There is an existing note about this discrepancy for those running a massive MTU.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3789#discussion_r445928115