[quicwg/base-drafts] 71684b: Expand AEAD limits to consider multi-user security.

Martin Thomson <noreply@github.com> Tue, 01 September 2020 22:08 UTC

Date: Tue, 01 Sep 2020 15:08:30 -0700
From: Martin Thomson <noreply@github.com>
To: quic-issues@ietf.org
Message-ID: <quicwg/base-drafts/push/refs/heads/master/0800bc-71a1ff@github.com>
Subject: [quicwg/base-drafts] 71684b: Expand AEAD limits to consider multi-user security.
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/v6269n6Wq8WVI_VkbdqZA8ZmjjE>

  Branch: refs/heads/master
  Home:   https://github.com/quicwg/base-drafts
  Commit: 71684bc7e71580cffa434ca1c3255a6c980f3671
      https://github.com/quicwg/base-drafts/commit/71684bc7e71580cffa434ca1c3255a6c980f3671
  Author: Christopher Wood <chriswood@cloudflare.com>
  Date:   2020-06-24 (Wed, 24 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Expand AEAD limits to consider multi-user security.

In a typical multi-user setting, the adversary is assumed to perform some
(massive) amount of offline work to break the integrity of a single random
connection. Each user is represented as a unique (key, nonce) pair. In
considering the same threat model, we must treat each key resulting from
a KeyUpdate event as a unique user. As a result, roughly speaking, bounds
implied from the multi-user setting apply (minimally) for the lifetime of
a single connection.

Hoang et al. [1] present tight multi-user security bounds for randomized AES-GCM
(as is used in TLS 1.3 and QUIC), so we can take advantage of those for
per-connection integrity limits. (Confidentiality limits still apply per-key, as
the analysis considers only encrypted blocks, which would not change if an endpoint
updated its key or created a new connection.) In contrast, there are no multi-user
security bounds for AEAD_CHACHA20_POLY1305 or AEAD_AES_128_CCM, so we must use the
single-user bounds in their stead.

[1] https://dl.acm.org/doi/10.1145/3243734.3243816

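As an added illustration, not part of this commit notification or of the draft's own text, the following Python model shows the accounting the commit message above describes: the confidentiality count is kept per key and resets on each key update, while the integrity count (invalid packets received) is kept per connection and survives key updates. The class and function names, the small limit values, and the automatic key update when the per-key limit is reached are assumptions made for this example; the draft's real limits are large powers of two derived from its analysis, and a real endpoint can only initiate a key update once the previous one has been confirmed by the peer.

```python
"""Model of AEAD usage-limit accounting across key updates (example code,
not from the QUIC drafts). Limits are small, constructed values so the
behaviour is visible; real limits are much larger."""
from dataclasses import dataclass


class AeadLimitReached(Exception):
    """Raised when a usage limit forces the connection to close."""


@dataclass
class AeadLimits:
    confidentiality: int  # max packets protected under ONE key (per-key)
    integrity: int        # max invalid packets over the whole CONNECTION


@dataclass
class Endpoint:
    limits: AeadLimits
    key_generation: int = 0        # incremented on every key update
    encrypted_under_key: int = 0   # per-key counter, reset on key update
    invalid_received: int = 0      # per-connection counter, never reset
    closed: bool = False

    def key_update(self) -> None:
        """Move to the next key generation. Only the per-key counter resets;
        the integrity counter deliberately carries over, because each key is
        treated as another 'user' against the same connection-wide bound."""
        self.key_generation += 1
        self.encrypted_under_key = 0

    def protect(self) -> int:
        """Account for one packet encrypted under the current key.
        Returns the key generation the packet was protected with."""
        if self.closed:
            raise AeadLimitReached("connection already closed")
        if self.encrypted_under_key >= self.limits.confidentiality:
            # Assumption for this example: the endpoint can always update
            # keys here. If it could not, it would have to close instead.
            self.key_update()
        self.encrypted_under_key += 1
        return self.key_generation

    def unprotect(self, authentic: bool) -> bool:
        """Account for one received packet. `authentic` stands in for the
        AEAD tag check; an invalid packet counts toward the integrity limit
        regardless of which key generation it was checked against."""
        if self.closed:
            raise AeadLimitReached("connection already closed")
        if authentic:
            return True
        self.invalid_received += 1
        if self.invalid_received >= self.limits.integrity:
            # Integrity limit reached: the only safe action is to close.
            self.closed = True
            raise AeadLimitReached("integrity limit reached; closing")
        return False


if __name__ == "__main__":
    ep = Endpoint(AeadLimits(confidentiality=4, integrity=3))
    print("generations:", [ep.protect() for _ in range(10)])
    ep.unprotect(authentic=False)
    ep.key_update()
    print("invalid count after key update:", ep.invalid_received)
```

Running the model with a confidentiality limit of 4 shows the sending side rotating to a new key generation every four packets, while the invalid-packet counter keeps its value across those rotations and eventually closes the connection.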

  Commit: 89bbe1515f04766c0fa48dfd1b0fd4126fc3ecae
      https://github.com/quicwg/base-drafts/commit/89bbe1515f04766c0fa48dfd1b0fd4126fc3ecae
  Author: Christopher Wood <chriswood@cloudflare.com>
  Date:   2020-06-24 (Wed, 24 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Fix linter issues.


  Commit: 7d763fd6e71e4e1c38add4d78dbf3f7c28645f07
      https://github.com/quicwg/base-drafts/commit/7d763fd6e71e4e1c38add4d78dbf3f7c28645f07
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update draft-ietf-quic-tls.md

Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


  Commit: 847f3c1666ca1ec23c92c72a9be998e74fb1ce68
      https://github.com/quicwg/base-drafts/commit/847f3c1666ca1ec23c92c72a9be998e74fb1ce68
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update draft-ietf-quic-tls.md

Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


  Commit: e50a65d844bf4c09891bf873d64c9211b28f43f5
      https://github.com/quicwg/base-drafts/commit/e50a65d844bf4c09891bf873d64c9211b28f43f5
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update draft-ietf-quic-tls.md

Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


  Commit: 69be76608b8f7a81d2e64e210121ddbbe1788c78
      https://github.com/quicwg/base-drafts/commit/69be76608b8f7a81d2e64e210121ddbbe1788c78
  Author: Christopher Wood <chriswood@cloudflare.com>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Clarify connection close cases for the confidentiality limit.

Also, split out the integrity limit text again for parallel flow.


  Commit: ed9bbfc7a712b67466842abef03932dbf369dc1e
      https://github.com/quicwg/base-drafts/commit/ed9bbfc7a712b67466842abef03932dbf369dc1e
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-06 (Mon, 06 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update AEAD limits

This corrects an arithmetic error in the calculation of the
confidentiality limit for AES-GCM.

It also changes to using a fixed advantage target of 2^-57 for both
confidentiality and integrity.  The inconsistent use of different limits
was making it hard to reason about.  As the overall target is AE
security, the net effect of this is a factor of 2 improvement in
attacker advantage over what is in the TLS analysis, which was
2^-57+2^-60.  This moves to 2^-56 overall, which is cleaner.

In doing so, I discovered that the integrity limits for both AES-GCM and
AES-CCM were being set independent of the confidentiality limits, but
that the confidentiality limits assumed limits on the number of
forgeries.  As a result, the limits on forgeries had to be capped based
on those assumptions.


  Commit: 2755bcaeeea1f9f6f39f689ceae09d6fadb89ad3
      https://github.com/quicwg/base-drafts/commit/2755bcaeeea1f9f6f39f689ceae09d6fadb89ad3
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-06 (Mon, 06 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Attempt to address some of the other questions


  Commit: ed028b24ad451e18daa5c91412296f3c8be4f70c
      https://github.com/quicwg/base-drafts/commit/ed028b24ad451e18daa5c91412296f3c8be4f70c
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-06 (Mon, 06 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Fix error in adding v to confidentiality calculation


  Commit: 5ef5f06828fe97cc38200b92cadf889c28b32833
      https://github.com/quicwg/base-drafts/commit/5ef5f06828fe97cc38200b92cadf889c28b32833
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-06 (Mon, 06 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Fix heading levels


  Commit: 2e1f5297e5840ee849f213387404053dbe91a4ec
      https://github.com/quicwg/base-drafts/commit/2e1f5297e5840ee849f213387404053dbe91a4ec
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-07 (Tue, 07 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Restore factor of 2


  Commit: 6f58815715679ac0e05ceb8386f7667ca912de9b
      https://github.com/quicwg/base-drafts/commit/6f58815715679ac0e05ceb8386f7667ca912de9b
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-07-09 (Thu, 09 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update draft-ietf-quic-tls.md


  Commit: 9dd23dcab6f3eec466284cc8355341875b2fef88
      https://github.com/quicwg/base-drafts/commit/9dd23dcab6f3eec466284cc8355341875b2fef88
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-07-09 (Thu, 09 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Merge pull request #2 from quicwg/aead-limits2

More on AEAD limits


  Commit: 4e9c4a51dce5a66f3867e289727d01b63d8cd4ae
      https://github.com/quicwg/base-drafts/commit/4e9c4a51dce5a66f3867e289727d01b63d8cd4ae
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-14 (Tue, 14 Jul 2020)

  Changed paths:
    A .github/ISSUE_TEMPLATE/quic-draft-issue.md
    M Makefile
    M README.md
    M draft-ietf-quic-http.md
    M draft-ietf-quic-invariants.md
    M draft-ietf-quic-qpack.md
    M draft-ietf-quic-recovery.md
    M draft-ietf-quic-tls.md
    M draft-ietf-quic-transport.md
    M protection-samples.js

  Log Message:
  -----------
  Merge branch 'master' into caw/mu-limits


  Commit: 8c094e9815d402f9c8f4aa4a5d4f8c19995ff14f
      https://github.com/quicwg/base-drafts/commit/8c094e9815d402f9c8f4aa4a5d4f8c19995ff14f
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-14 (Tue, 14 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Trim whitespace


  Commit: 8833f007c9fd77e438e5d99aee40a52e32412426
      https://github.com/quicwg/base-drafts/commit/8833f007c9fd77e438e5d99aee40a52e32412426
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-14 (Tue, 14 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Loooong line


  Commit: 950c6ae004446b2ba0dba4156d1002eaf13dee81
      https://github.com/quicwg/base-drafts/commit/950c6ae004446b2ba0dba4156d1002eaf13dee81
  Author: Christopher Wood <chriswood@cloudflare.com>
  Date:   2020-08-13 (Thu, 13 Aug 2020)

  Changed paths:
    M draft-ietf-quic-tls.md
    M draft-ietf-quic-transport.md

  Log Message:
  -----------
  Add a new AEAD limits error code, and clearly differentiate between the usage limits.


  Commit: 6ada1ac4688ca050869c7f72c6f256ba27cccd8b
      https://github.com/quicwg/base-drafts/commit/6ada1ac4688ca050869c7f72c6f256ba27cccd8b
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Nits


  Commit: 1ab46496fb69c603d1e57f3c5f15f0e0a34d9155
      https://github.com/quicwg/base-drafts/commit/1ab46496fb69c603d1e57f3c5f15f0e0a34d9155
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-08-31 (Mon, 31 Aug 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  rap


  Commit: 81b521dc3b9fe79ce7cba463bbf22af8dd0deb2a
      https://github.com/quicwg/base-drafts/commit/81b521dc3b9fe79ce7cba463bbf22af8dd0deb2a
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-09-02 (Wed, 02 Sep 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  s/forged/invalid


  Commit: 2a6810d9f614262c08dcc9b08f3550631cbc394e
      https://github.com/quicwg/base-drafts/commit/2a6810d9f614262c08dcc9b08f3550631cbc394e
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-09-02 (Wed, 02 Sep 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  More invalid rather than forged

more sleep needed


  Commit: 71a1ff22aef4a3f948b032447dd5bb36e7314e18
      https://github.com/quicwg/base-drafts/commit/71a1ff22aef4a3f948b032447dd5bb36e7314e18
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-09-02 (Wed, 02 Sep 2020)

  Changed paths:
    M draft-ietf-quic-tls.md
    M draft-ietf-quic-transport.md

  Log Message:
  -----------
  Merge pull request #3789 from chris-wood/caw/mu-limits

Expand AEAD limits to consider multi-user security.


Compare: https://github.com/quicwg/base-drafts/compare/0800bcd40e6e...71a1ff22aef4