IETF Logo Mail Archive

[quicwg/base-drafts] Do Initial secrets change after Retry packet? (#2823)

Nick Harper <notifications@github.com> Thu, 20 June 2019 21:10 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E434A12018F for <quic-issues@ietfa.amsl.com>; Thu, 20 Jun 2019 14:10:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.424
X-Spam-Level:
X-Spam-Status: No, score=-8.424 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.415, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aNY5UiagExU9 for <quic-issues@ietfa.amsl.com>; Thu, 20 Jun 2019 14:10:48 -0700 (PDT)
Received: from out-5.smtp.github.com (out-5.smtp.github.com [192.30.252.196]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EB5612022D for <quic-issues@ietf.org>; Thu, 20 Jun 2019 14:10:48 -0700 (PDT)
Date: Thu, 20 Jun 2019 14:10:46 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1561065046; bh=kq3CLQ3/PvtcmJplOCBQqbbBOPkUucNwu+sgcQBrNZk=; h=Date:From:Reply-To:To:Cc:Subject:List-ID:List-Archive:List-Post: List-Unsubscribe:From; b=hKFkuysczLXdcY1OTQiaWsLHxYGefPwO9jIvgdHSXh2UbkwCyl4Ii54uYXiFLuekM 1diB403Hr9tsLj9GSYKA0Z7ygy5QFVwduKm68HRvsbg6q5fEsG5gOIyNJGOBxdsMl5 2Ym4mYkzlrxCY8ympad2r0VqdAjjSboFUddjHycI=
From: Nick Harper <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK7IK4FQNAY3YCDQL3N3DEUNNEVBNHHBWWQD7M@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2823@github.com>
Subject: [quicwg/base-drafts] Do Initial secrets change after Retry packet? (#2823)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d0bf6565d1cc_21153fc50facd96098269"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: nharper
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/smOZ97Q1p53-kGgBERii73rggDU>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2019 21:10:50 -0000

https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#rfc.section.5.2 states that "Initial packets are protected with a secret derived from the Destination Connection ID field from the client’s first Initial packet of the connection." This sounds like a second Initial packet from the client (in response to a server's Retry) would still be encrypted using keys derived from the original DCID instead of a potentially new DCID. However, that section later mentions the client creating an Initial packet in response to a Retry packet and the DCID is selected by the server.

These two statements should be reconciled to clarify that either the initial keys stay the same for the entire connection, or that initial keys can change. (From the discussion in #2180, it sounds like an Initial sent in response to a Retry is still the same connection.)

I think there are 3 options for behavior:
1. The initial keys stay the same for the entire connection
2. The initial keys for encrypting/decrypting a packet are derived from the server's CID listed in that packet
3. The initial keys are derived from the client's first DCID, unless the server sends a Retry packet, after which the initial keys are re-derived from the server's new DCID.

These options are in my preference order.

My understanding for why initial keys change after a Retry is to support servers handling Retry statelessly. A server should still be able to use the original DCID for initial key derivation in this case because the ODCID is needed for transport parameters, and the retry token is sent in the clear in the Initial packet, so the server can recover it from the token.

Option 2 lets the keys change, but follows a simpler principle for what the keys are. When processing a packet for a connection, the information to encrypt or decrypt it is all self-contained - there is no additional connection state to check whether a new encrypter or decrypter is needed because an Initial packet was sent/received after a Retry packet.

One of the reasons why option 3 seems odd to me is that there are multiple ways the server's CID can change between Initial packets on the same connection, but Retry packets are the only case where we change the initial keys. (E.g. consider from a client's perspective sending a second ClientHello in response to a Retry packet has the initial keys change, but sending it in response to a HelloRetryRequest keeps the keys the same, even though the server likely changed its CID in the Initial packet where it sent the HRR.)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/2823

v2.23.0 | Report a Bug | By Email