Re: [quicwg/base-drafts] Perform stateless reset token comparisons in constant time (#2993)

Martin Thomson <notifications@github.com> Wed, 04 September 2019 00:50 UTC

Message-ID: <quicwg/base-drafts/pull/2993/c527694231@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2993@github.com>
References: <quicwg/base-drafts/pull/2993@github.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/r3N1v5o8bu9oHHGoo_Yq02Pjwpc>
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>

One thing that I'm trying to protect is the integrity of the specification and the analysis that (I hope) will come.  If we allow weaseling out of this sort of requirement, then the analysis has to allow for that too.

If you are using a hash map, then you can do as @kazuho suggests: use a PRP (a PRF would also work) to produce an intermediate value from the incoming value and compare that in non-constant time.  As long as the operation cannot be reversed by an attacker and the secret input to the PRP (i.e., the token) is handled in constant time, the secret doesn't leak.

We can't assume that resetting a connection is without cost.  QUIC has the nice property that connections can survive network flutters, which means that a lot of investment could be made in a connection.  (That's probably still inadvisable.)  A well-positioned attacker doesn't have to perform a huge amount of work to recover a stateless reset token, relative to the value they might gain in disrupting a "high-value" connection of that sort.

If we use a "MUST", then we're not stopping someone from deciding that this requirement doesn't apply to them.  But they would take responsibility for that, hopefully with some awareness of what is being risked.  Yes, we could use "MUST avoid leaking through timing side channels unless <X>", but determining what X needs to be is tricky as it depends so much on application protocol and other contextual stuff.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2993#issuecomment-527694231
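The two approaches discussed in the comment above, as an added example in Go that is not part of the original thread, the PR, or any QUIC implementation: a direct constant-time comparison for a single stored token, and the hash-map variant where the map is keyed by a keyed PRF of the token (HMAC-SHA-256 here, standing in for the PRP) so the map's early-exit comparison runs over values an attacker cannot invert. The 16-byte token length and the 21-byte minimum stateless reset size are taken from RFC 9000; the type and function names, the PRF key handling, and the sample datagram are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// TokenLen is the size of a QUIC stateless reset token (RFC 9000).
const TokenLen = 16

// MinStatelessResetLen is the smallest datagram that can carry a stateless
// reset (RFC 9000, Section 10.3); anything shorter is not a candidate.
const MinStatelessResetLen = 21

// Token holds one stateless reset token.
type Token [TokenLen]byte

// CandidateFromDatagram returns the trailing 16 bytes of a received datagram,
// which is where a stateless reset carries its token. Callers run this on
// every datagram that fails to decrypt, so a length check comes first.
func CandidateFromDatagram(dgram []byte) (Token, bool) {
	var t Token
	if len(dgram) < MinStatelessResetLen {
		return t, false
	}
	copy(t[:], dgram[len(dgram)-TokenLen:])
	return t, true
}

// MatchesToken compares a candidate against one stored token in constant
// time: how many leading bytes agree does not change the running time.
func MatchesToken(candidate, stored Token) bool {
	return subtle.ConstantTimeCompare(candidate[:], stored[:]) == 1
}

// TokenIndex maps many stored tokens to their connections. A map keyed by the
// raw token would compare secret bytes with early-exit equality. Instead the
// map is keyed by HMAC-SHA-256(prfKey, token): the HMAC is not data-dependent
// in time, and the map's variable-time comparison only ever sees tags that an
// attacker without prfKey cannot invert back to a token.
type TokenIndex struct {
	prfKey []byte // per-process secret (hypothetical name)
	byTag  map[[sha256.Size]byte]string
}

// NewTokenIndex draws a fresh random PRF key.
func NewTokenIndex() (*TokenIndex, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return NewTokenIndexWithKey(key)
}

// NewTokenIndexWithKey takes a caller-supplied key (used for a deterministic demo).
func NewTokenIndexWithKey(key []byte) (*TokenIndex, error) {
	if len(key) < 16 {
		return nil, errors.New("PRF key too short")
	}
	return &TokenIndex{prfKey: key, byTag: make(map[[sha256.Size]byte]string)}, nil
}

func (ix *TokenIndex) tag(t Token) [sha256.Size]byte {
	m := hmac.New(sha256.New, ix.prfKey)
	m.Write(t[:])
	var out [sha256.Size]byte
	copy(out[:], m.Sum(nil))
	return out
}

// Add registers the token a peer advertised for connection conn.
func (ix *TokenIndex) Add(conn string, t Token) { ix.byTag[ix.tag(t)] = conn }

// Remove forgets a token once its connection ID is retired.
func (ix *TokenIndex) Remove(t Token) { delete(ix.byTag, ix.tag(t)) }

// Lookup returns the connection whose token equals candidate, if any.
func (ix *TokenIndex) Lookup(candidate Token) (string, bool) {
	conn, ok := ix.byTag[ix.tag(candidate)]
	return conn, ok
}

func main() {
	ix, _ := NewTokenIndex()
	var tok Token // constructed sample token 00 01 02 ... 0f
	for i := range tok {
		tok[i] = byte(i)
	}
	ix.Add("conn-A", tok)

	// Constructed datagram: 5 bytes of unpredictable-looking junk, then the token.
	dgram := append([]byte{0x4a, 0x00, 0xde, 0xad, 0xbe}, tok[:]...)
	if cand, ok := CandidateFromDatagram(dgram); ok {
		conn, hit := ix.Lookup(cand)
		fmt.Println("lookup:", conn, hit)
	}
	near := tok
	near[TokenLen-1] ^= 1 // 15 of 16 bytes agree: no timing advantage here
	_, hit := ix.Lookup(near)
	fmt.Println("near-miss hit:", hit, "direct:", MatchesToken(tok, near))
}
```

The direct comparison is the right tool when a connection holds one or a few tokens; the index is for the case the comment addresses, where an endpoint holds many tokens and wants hash-map lookup rather than a linear scan of constant-time compares. Either way, the bytes of a stored token only ever enter a constant-time primitive.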