[quicwg/base-drafts] 71684b: Expand AEAD limits to consider multi-user security.
Martin Thomson <noreply@github.com> Mon, 06 July 2020 06:55 UTC
Date: Sun, 05 Jul 2020 23:55:06 -0700
From: Martin Thomson <noreply@github.com>
To: quic-issues@ietf.org
Message-ID: <quicwg/base-drafts/push/refs/heads/aead-limits2/000000-5e7bfa@github.com>
Subject: [quicwg/base-drafts] 71684b: Expand AEAD limits to consider multi-user security.
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/vB29LLydan1biTbZJWaaZNAyArU>
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
  Branch: refs/heads/aead-limits2
  Home:   https://github.com/quicwg/base-drafts

  Commit: 71684bc7e71580cffa434ca1c3255a6c980f3671
      https://github.com/quicwg/base-drafts/commit/71684bc7e71580cffa434ca1c3255a6c980f3671
  Author: Christopher Wood <chriswood@cloudflare.com>
  Date:   2020-06-24 (Wed, 24 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Expand AEAD limits to consider multi-user security.

  In a typical multi-user setting, the adversary is assumed to perform
  some (massive) amount of offline work to break the integrity of a
  single random connection. Each user is represented as a unique
  (key, nonce) pair. In considering the same threat model, we must
  treat each key resulting from a KeyUpdate event as a unique user.
  As a result, roughly speaking, bounds implied from the multi-user
  setting apply (minimally) for the lifetime of a single connection.

  Hoang et al. [1] present tight multi-user security bounds for
  randomized AES-GCM (as is used in TLS 1.3 and QUIC), so we can take
  advantage of those for per-connection integrity limits.
  (Confidentiality limits still apply per-key, as the analysis
  considers only encrypted blocks, which would not change if an
  endpoint updated its key or created a new connection.)

  In contrast, there are no multi-user security bounds for
  AEAD_CHACHA20_POLY1305 or AEAD_AES_128_CCM, so we must use the
  single-user bounds in their stead.

  [1] https://dl.acm.org/doi/10.1145/3243734.3243816


  Commit: 89bbe1515f04766c0fa48dfd1b0fd4126fc3ecae
      https://github.com/quicwg/base-drafts/commit/89bbe1515f04766c0fa48dfd1b0fd4126fc3ecae
  Author: Christopher Wood <chriswood@cloudflare.com>
  Date:   2020-06-24 (Wed, 24 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Fix linter issues.


  Commit: 7d763fd6e71e4e1c38add4d78dbf3f7c28645f07
      https://github.com/quicwg/base-drafts/commit/7d763fd6e71e4e1c38add4d78dbf3f7c28645f07
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update draft-ietf-quic-tls.md

  Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


  Commit: 847f3c1666ca1ec23c92c72a9be998e74fb1ce68
      https://github.com/quicwg/base-drafts/commit/847f3c1666ca1ec23c92c72a9be998e74fb1ce68
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update draft-ietf-quic-tls.md

  Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


  Commit: e50a65d844bf4c09891bf873d64c9211b28f43f5
      https://github.com/quicwg/base-drafts/commit/e50a65d844bf4c09891bf873d64c9211b28f43f5
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update draft-ietf-quic-tls.md

  Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


  Commit: 69be76608b8f7a81d2e64e210121ddbbe1788c78
      https://github.com/quicwg/base-drafts/commit/69be76608b8f7a81d2e64e210121ddbbe1788c78
  Author: Christopher Wood <chriswood@cloudflare.com>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Clarify connection close cases for the confidentiality limit.

  Also, split out the integrity limit text again for parallel flow.


  Commit: 5e7bfa9688a218d75590134a116cedb3127443d0
      https://github.com/quicwg/base-drafts/commit/5e7bfa9688a218d75590134a116cedb3127443d0
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-06 (Mon, 06 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update AEAD limits

  This corrects an arithmetic error in the calculation of the
  confidentiality limit for AES-GCM. It also changes to using a fixed
  advantage target of 2^-57 for both confidentiality and integrity.

  The inconsistent use of different limits was making it hard to reason
  about. As the overall target is AE security, the net effect of this
  is a factor of 2 improvement in attacker advantage over what is in
  the TLS analysis, which was 2^-57+2^-60. This moves to 2^-56 overall,
  which is cleaner.

  In doing so, I discovered that the integrity limits for both AES-GCM
  and AES-CCM were being set independent of the confidentiality limits,
  but that the confidentiality limits assumed limits on the number of
  forgeries. As a result, the limits on forgeries had to be capped
  based on those assumptions.


Compare: https://github.com/quicwg/base-drafts/compare/71684bc7e715%5E...5e7bfa9688a2
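The accounting the commit messages describe, written out as code: the confidentiality limit is a property of one key, so the count of packets protected under it restarts after a key update, while the integrity limit is a property of the connection, because every key produced by a key update is a separate "user" in the multi-user analysis and failed decryptions keep accumulating across updates. This is an added example and is not code from the quicwg/base-drafts repository or from the draft. The `AeadLimits`, `AeadUsage` and `Action` names are mine; the limits used in the scenario at the bottom are small constructed numbers chosen so the behaviour is easy to follow; `RFC9001_AES_GCM` holds the AES-GCM values as eventually published in RFC 9001, not numbers taken from this branch.

```python
"""Per-connection AEAD usage accounting (added example, not quicwg code).

Confidentiality budget: per key, reset by key_update().
Integrity budget: per connection, never reset, shared by every key the
connection has used (each key is one "user" in the multi-user bound).
"""
from dataclasses import dataclass
from enum import Enum, auto


class Action(Enum):
    NONE = auto()
    KEY_UPDATE = auto()  # current key is exhausted: update before sending again
    CLOSE = auto()       # integrity limit reached: the connection must close


@dataclass(frozen=True)
class AeadLimits:
    confidentiality: float  # max packets protected under a single key
    integrity: float        # max failed decryptions over the whole connection


# Assumption: AES-GCM values as published in RFC 9001 Section 6.6; the numbers
# in the aead-limits2 branch at this commit are not reproduced in the message.
RFC9001_AES_GCM = AeadLimits(confidentiality=2 ** 23, integrity=2 ** 52)


@dataclass
class AeadUsage:
    limits: AeadLimits
    key_generation: int = 0
    sent_under_key: int = 0   # reset by key_update()
    failed_decrypts: int = 0  # never reset
    closed: bool = False

    def can_send(self) -> bool:
        """True while the current key still has confidentiality budget."""
        return (not self.closed
                and self.sent_under_key < self.limits.confidentiality)

    def record_sent(self) -> Action:
        """Account for one packet protected under the current key."""
        if self.closed:
            raise RuntimeError("connection is closed")
        if not self.can_send():
            # Key already exhausted and no update happened: refuse rather
            # than exceed the per-key bound.
            raise RuntimeError("confidentiality limit reached on current key")
        self.sent_under_key += 1
        if self.sent_under_key >= self.limits.confidentiality:
            return Action.KEY_UPDATE
        return Action.NONE

    def key_update(self) -> None:
        """Rotate keys: a fresh key gets a fresh confidentiality budget only."""
        if self.closed:
            raise RuntimeError("connection is closed")
        self.key_generation += 1
        self.sent_under_key = 0
        # failed_decrypts is deliberately left untouched.

    def record_failed_decrypt(self) -> Action:
        """Account for one packet that failed AEAD verification."""
        if self.closed:
            raise RuntimeError("connection is closed")
        self.failed_decrypts += 1
        if self.failed_decrypts >= self.limits.integrity:
            self.closed = True
            return Action.CLOSE
        return Action.NONE

    def forgeries_left(self) -> float:
        """Integrity budget remaining for the whole connection."""
        return self.limits.integrity - self.failed_decrypts


def run_scenario(limits: AeadLimits, events: str) -> list:
    """Replay a constructed event string: 's' send, 'f' failed decrypt,
    'u' key update. Returns (event index, action) for every non-NONE action."""
    usage = AeadUsage(limits)
    out = []
    for i, ev in enumerate(events):
        if ev == "s":
            act = usage.record_sent()
        elif ev == "f":
            act = usage.record_failed_decrypt()
        elif ev == "u":
            usage.key_update()
            act = Action.NONE
        else:
            raise ValueError(f"unknown event {ev!r}")
        if act is not Action.NONE:
            out.append((i, act))
        if usage.closed:
            break
    return out


if __name__ == "__main__":
    # Constructed limits: 3 packets per key, 4 forgeries per connection.
    # Two key updates happen, yet the four forgeries still add up to CLOSE.
    print(run_scenario(AeadLimits(3, 4), "sssuffufsf"))
```

Note that the scenario's two `u` events reset only the per-key send counter; the forgery count carries over, which is exactly the per-connection treatment the first commit message argues for.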