[quicwg/base-drafts] 71684b: Expand AEAD limits to consider multi-user security.
Martin Thomson <noreply@github.com> Tue, 01 September 2020 22:08 UTC
Branch: refs/heads/master
Home: https://github.com/quicwg/base-drafts

Commit: 71684bc7e71580cffa434ca1c3255a6c980f3671
  https://github.com/quicwg/base-drafts/commit/71684bc7e71580cffa434ca1c3255a6c980f3671
Author: Christopher Wood <chriswood@cloudflare.com>
Date: 2020-06-24 (Wed, 24 Jun 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Expand AEAD limits to consider multi-user security.

In a typical multi-user setting, the adversary is assumed to perform some (massive) amount of offline work to break the integrity of a single random connection. Each user is represented as a unique (key, nonce) pair.

In considering the same threat model, we must treat each key resulting from a KeyUpdate event as a unique user. As a result, roughly speaking, bounds implied from the multi-user setting imply (minimally) for the lifetime of a single connection.

Hoang et al. [1] present tight multi-user security bounds for randomized AES-GCM (as is used in TLS 1.3 and QUIC), so we can take advantage of those for per-connection integrity limits. (Confidentiality limits still apply per-key, as the analysis considers only encrypted blocks, which would not change if an endpoint updated its key or created a new connection.)

In contrast, there are no multi-user security bounds for AEAD_CHACHA20_POLY1305 or AEAD_AES_128_CCM, so we must use the single-user bounds in their stead.

[1] https://dl.acm.org/doi/10.1145/3243734.3243816


Commit: 89bbe1515f04766c0fa48dfd1b0fd4126fc3ecae
  https://github.com/quicwg/base-drafts/commit/89bbe1515f04766c0fa48dfd1b0fd4126fc3ecae
Author: Christopher Wood <chriswood@cloudflare.com>
Date: 2020-06-24 (Wed, 24 Jun 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Fix linter issues.


Commit: 7d763fd6e71e4e1c38add4d78dbf3f7c28645f07
  https://github.com/quicwg/base-drafts/commit/7d763fd6e71e4e1c38add4d78dbf3f7c28645f07
Author: Christopher Wood <caw@heapingbits.net>
Date: 2020-06-29 (Mon, 29 Jun 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Update draft-ietf-quic-tls.md

Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


Commit: 847f3c1666ca1ec23c92c72a9be998e74fb1ce68
  https://github.com/quicwg/base-drafts/commit/847f3c1666ca1ec23c92c72a9be998e74fb1ce68
Author: Christopher Wood <caw@heapingbits.net>
Date: 2020-06-29 (Mon, 29 Jun 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Update draft-ietf-quic-tls.md

Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


Commit: e50a65d844bf4c09891bf873d64c9211b28f43f5
  https://github.com/quicwg/base-drafts/commit/e50a65d844bf4c09891bf873d64c9211b28f43f5
Author: Christopher Wood <caw@heapingbits.net>
Date: 2020-06-29 (Mon, 29 Jun 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Update draft-ietf-quic-tls.md

Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


Commit: 69be76608b8f7a81d2e64e210121ddbbe1788c78
  https://github.com/quicwg/base-drafts/commit/69be76608b8f7a81d2e64e210121ddbbe1788c78
Author: Christopher Wood <chriswood@cloudflare.com>
Date: 2020-06-29 (Mon, 29 Jun 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Clarify connection close cases for the confidentiality limit. Also, split out the integrity limit text again for parallel flow.


Commit: ed9bbfc7a712b67466842abef03932dbf369dc1e
  https://github.com/quicwg/base-drafts/commit/ed9bbfc7a712b67466842abef03932dbf369dc1e
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-07-06 (Mon, 06 Jul 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Update AEAD limits

This corrects an arithmetic error in the calculation of the confidentiality limit for AES-GCM.

It also changes to using a fixed advantage target of 2^-57 for both confidentiality and integrity. The inconsistent use of different limits was making it hard to reason about. As the overall target is AE security, the net effect of this is a factor of 2 improvement in attacker advantage over what is in the TLS analysis, which was 2^-57+2^-60. This moves to 2^-56 overall, which is cleaner.

In doing so, I discovered that the integrity limits for both AES-GCM and AES-CCM were being set independent of the confidentiality limits, but that the confidentiality limits assumed limits on the number of forgeries. As a result, the limits on forgeries had to be capped based on those assumptions.


Commit: 2755bcaeeea1f9f6f39f689ceae09d6fadb89ad3
  https://github.com/quicwg/base-drafts/commit/2755bcaeeea1f9f6f39f689ceae09d6fadb89ad3
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-07-06 (Mon, 06 Jul 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Attempt to address some of the other questions


Commit: ed028b24ad451e18daa5c91412296f3c8be4f70c
  https://github.com/quicwg/base-drafts/commit/ed028b24ad451e18daa5c91412296f3c8be4f70c
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-07-06 (Mon, 06 Jul 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Fix error in adding v to confidentiality calculation


Commit: 5ef5f06828fe97cc38200b92cadf889c28b32833
  https://github.com/quicwg/base-drafts/commit/5ef5f06828fe97cc38200b92cadf889c28b32833
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-07-06 (Mon, 06 Jul 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Fix heading levels


Commit: 2e1f5297e5840ee849f213387404053dbe91a4ec
  https://github.com/quicwg/base-drafts/commit/2e1f5297e5840ee849f213387404053dbe91a4ec
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-07-07 (Tue, 07 Jul 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Restore factor of 2


Commit: 6f58815715679ac0e05ceb8386f7667ca912de9b
  https://github.com/quicwg/base-drafts/commit/6f58815715679ac0e05ceb8386f7667ca912de9b
Author: Christopher Wood <caw@heapingbits.net>
Date: 2020-07-09 (Thu, 09 Jul 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Update draft-ietf-quic-tls.md


Commit: 9dd23dcab6f3eec466284cc8355341875b2fef88
  https://github.com/quicwg/base-drafts/commit/9dd23dcab6f3eec466284cc8355341875b2fef88
Author: Christopher Wood <caw@heapingbits.net>
Date: 2020-07-09 (Thu, 09 Jul 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Merge pull request #2 from quicwg/aead-limits2

More on AEAD limits


Commit: 4e9c4a51dce5a66f3867e289727d01b63d8cd4ae
  https://github.com/quicwg/base-drafts/commit/4e9c4a51dce5a66f3867e289727d01b63d8cd4ae
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-07-14 (Tue, 14 Jul 2020)

Changed paths:
  A .github/ISSUE_TEMPLATE/quic-draft-issue.md
  M Makefile
  M README.md
  M draft-ietf-quic-http.md
  M draft-ietf-quic-invariants.md
  M draft-ietf-quic-qpack.md
  M draft-ietf-quic-recovery.md
  M draft-ietf-quic-tls.md
  M draft-ietf-quic-transport.md
  M protection-samples.js

Log Message:
-----------
Merge branch 'master' into caw/mu-limits


Commit: 8c094e9815d402f9c8f4aa4a5d4f8c19995ff14f
  https://github.com/quicwg/base-drafts/commit/8c094e9815d402f9c8f4aa4a5d4f8c19995ff14f
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-07-14 (Tue, 14 Jul 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Trim whitespace


Commit: 8833f007c9fd77e438e5d99aee40a52e32412426
  https://github.com/quicwg/base-drafts/commit/8833f007c9fd77e438e5d99aee40a52e32412426
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-07-14 (Tue, 14 Jul 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Loooong line


Commit: 950c6ae004446b2ba0dba4156d1002eaf13dee81
  https://github.com/quicwg/base-drafts/commit/950c6ae004446b2ba0dba4156d1002eaf13dee81
Author: Christopher Wood <chriswood@cloudflare.com>
Date: 2020-08-13 (Thu, 13 Aug 2020)

Changed paths:
  M draft-ietf-quic-tls.md
  M draft-ietf-quic-transport.md

Log Message:
-----------
Add a new AEAD limits error code, and clearly differentiate between the usage limits.


Commit: 6ada1ac4688ca050869c7f72c6f256ba27cccd8b
  https://github.com/quicwg/base-drafts/commit/6ada1ac4688ca050869c7f72c6f256ba27cccd8b
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-08-31 (Mon, 31 Aug 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
Nits


Commit: 1ab46496fb69c603d1e57f3c5f15f0e0a34d9155
  https://github.com/quicwg/base-drafts/commit/1ab46496fb69c603d1e57f3c5f15f0e0a34d9155
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-08-31 (Mon, 31 Aug 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
rap


Commit: 81b521dc3b9fe79ce7cba463bbf22af8dd0deb2a
  https://github.com/quicwg/base-drafts/commit/81b521dc3b9fe79ce7cba463bbf22af8dd0deb2a
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-09-02 (Wed, 02 Sep 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
s/forged/invalid


Commit: 2a6810d9f614262c08dcc9b08f3550631cbc394e
  https://github.com/quicwg/base-drafts/commit/2a6810d9f614262c08dcc9b08f3550631cbc394e
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-09-02 (Wed, 02 Sep 2020)

Changed paths:
  M draft-ietf-quic-tls.md

Log Message:
-----------
More invalid rather than forged

more sleep needed


Commit: 71a1ff22aef4a3f948b032447dd5bb36e7314e18
  https://github.com/quicwg/base-drafts/commit/71a1ff22aef4a3f948b032447dd5bb36e7314e18
Author: Martin Thomson <mt@lowentropy.net>
Date: 2020-09-02 (Wed, 02 Sep 2020)

Changed paths:
  M draft-ietf-quic-tls.md
  M draft-ietf-quic-transport.md

Log Message:
-----------
Merge pull request #3789 from chris-wood/caw/mu-limits

Expand AEAD limits to consider multi-user security.


Compare: https://github.com/quicwg/base-drafts/compare/0800bcd40e6e...71a1ff22aef4