[quicwg/base-drafts] Packet protection keys not CID-based (#1267)
Mike Bishop <notifications@github.com> Thu, 05 April 2018 18:09 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC05E12AAB6 for <quic-issues@ietfa.amsl.com>; Thu, 5 Apr 2018 11:09:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.008
X-Spam-Level:
X-Spam-Status: No, score=-7.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QD2hkaXbEXRZ for <quic-issues@ietfa.amsl.com>; Thu, 5 Apr 2018 11:09:05 -0700 (PDT)
Received: from out-4.smtp.github.com (out-4.smtp.github.com [192.30.252.195]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4FF4126C22 for <quic-issues@ietf.org>; Thu, 5 Apr 2018 11:09:04 -0700 (PDT)
Date: Thu, 05 Apr 2018 11:09:04 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1522951744; bh=BNVI8km4fLvs501zQZ01c5gXsxOoH0ZV7sKbKPBFH4U=; h=Date:From:Reply-To:To:Cc:Subject:List-ID:List-Archive:List-Post: List-Unsubscribe:From; b=FrnNvxhwKOBaAFikLTZ6GjBpMWZGNO4LBMRH9VvrzDJJReJBT/NrVYoHlNp8l+e/d fOsdUUJv6thGBEqa0Vn/yqpSLb+jDGSY7GdJ5Umoxpfkd0gcBHTxRd3FaT6EfqciWD MlifdOTBqjy0RFE8W1Lk0mDiVsvtJgcFo4vaONro=
From: Mike Bishop <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab7b86ab1c5e2255e4658db7b0e9af39de10cef4ff92cf0000000116de283f92a169ce1294612e@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1267@github.com>
Subject: [quicwg/base-drafts] Packet protection keys not CID-based (#1267)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5ac66640256_79ee2aab9f730ecc9075d"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: MikeBishop
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/nQkqOZHhMMZcFnnnRfdADMaRATw>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 18:09:07 -0000
@igorlord proposed a possible strategy to mitigate timing attacks / gaps in observable packet numbers from different CIDs, particularly in the case of random offsets per CID. He would send identical packet payload, modulo some PADDING to avoid them being identically-sized, under the same packet number with different CIDs and a random delay on one of them. An observer would no longer see matching gaps between packets from two different CIDs and be able to probabilistically correlate them as easily. The receiver, seeing a duplicate packet number, will discard whichever arrives later. This doesn't appear to work in the current packet protection scheme because, post-handshake, the packet protection keys don't mix in the connection ID, as far as I can tell. That means identical packet numbers produce identical IVs and compromise the payload of the packets (assuming the observer can correlate them some other way). However, if the packet protection secrets were derived from the Connection ID as well as the TLS exporter value, then identical packet numbers on different CIDs would not be a security issue. This might also be a necessary property if we pursue per-CID packet number spaces. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/1267
- [quicwg/base-drafts] Packet protection keys not C… Mike Bishop
- Re: [quicwg/base-drafts] Packet protection keys n… Martin Thomson
- Re: [quicwg/base-drafts] Packet protection keys n… janaiyengar
- Re: [quicwg/base-drafts] Packet protection keys n… janaiyengar