Re: [quicwg/base-drafts] Don't allow use of AEAD_AES_128_CCM_8 (#2029)

Mike Bishop <> Mon, 26 November 2018 20:34 UTC

MikeBishop commented on this pull request.

> @@ -780,9 +780,12 @@ connection ID in the client's first Initial packet (see {{initial-secrets}}).
 This provides protection against off-path attackers and robustness against QUIC
 version unaware middleboxes, but not against on-path attackers.
-All ciphersuites currently defined for TLS 1.3 - and therefore QUIC - have a
-16-byte authentication tag and produce an output 16 bytes larger than their
+QUIC can use any of the ciphersuites defined in {{!TLS13}} with the exception of
+TLS_AES_128_CCM_8_SHA256.  The AEAD for that ciphersuite, AEAD_AES_128_CCM_8
+{{?CCM=RFC6655}}, does not produce a large enough authentication tag for use
+with header protection ({{header-protect}}).  All other ciphersuites defined in
+{{!TLS13}} have a 16-byte authentication tag and produce an output 16 bytes
+larger than their input.
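Review bot: the exclusion of TLS_AES_128_CCM_8_SHA256 is justified here only by example, so a reader cannot tell what property a future ciphersuite must have to be usable with QUIC. The replacement text says the AEAD "does not produce a large enough authentication tag for use with header protection" and then that all other suites "have a 16-byte authentication tag and produce an output 16 bytes larger than their input", but never states the 16-byte expansion as the actual requirement that {{header-protect}} depends on. Suggest stating it as a rule rather than an observation, e.g. "An AEAD whose output is fewer than 16 bytes larger than its input MUST NOT be used with QUIC," and keeping the AEAD_AES_128_CCM_8 sentence as the concrete instance; that also makes explicit the point raised in the discussion that any new cipher needs header protection defined for it.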

Yes, this does currently require that a PNE algorithm be defined for any new cipher to be used with QUIC v1.