[quicwg/base-drafts] 71684b: Expand AEAD limits to consider multi-user security.

Martin Thomson <noreply@github.com> Mon, 06 July 2020 06:55 UTC

Date: Sun, 05 Jul 2020 23:55:06 -0700
From: Martin Thomson <noreply@github.com>
To: quic-issues@ietf.org
Message-ID: <quicwg/base-drafts/push/refs/heads/aead-limits2/000000-5e7bfa@github.com>
Subject: [quicwg/base-drafts] 71684b: Expand AEAD limits to consider multi-user security.
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/vB29LLydan1biTbZJWaaZNAyArU>

  Branch: refs/heads/aead-limits2
  Home:   https://github.com/quicwg/base-drafts
  Commit: 71684bc7e71580cffa434ca1c3255a6c980f3671
      https://github.com/quicwg/base-drafts/commit/71684bc7e71580cffa434ca1c3255a6c980f3671
  Author: Christopher Wood <chriswood@cloudflare.com>
  Date:   2020-06-24 (Wed, 24 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Expand AEAD limits to consider multi-user security.

In a typical multi-user setting, the adversary is assumed to perform some
(massive) amount of offline work to break the integrity of a single random
connection. Each user is represented as a unique (key, nonce) pair. In
considering the same threat model, we must treat each key resulting from
a KeyUpdate event as a unique user. As a result, roughly speaking, bounds
implied by the multi-user setting apply (minimally) for the lifetime of
a single connection.

Hoang et al. [1] present tight multi-user security bounds for randomized AES-GCM
(as is used in TLS 1.3 and QUIC), so we can take advantage of those for
per-connection integrity limits. (Confidentiality limits still apply per-key, as
the analysis considers only encrypted blocks, which would not change if an endpoint
updated its key or created a new connection.) In contrast, there are no multi-user
security bounds for AEAD_CHACHA20_POLY1305 or AEAD_AES_128_CCM, so we must use the
single-user bounds in their stead.

[1] https://dl.acm.org/doi/10.1145/3243734.3243816


  Commit: 89bbe1515f04766c0fa48dfd1b0fd4126fc3ecae
      https://github.com/quicwg/base-drafts/commit/89bbe1515f04766c0fa48dfd1b0fd4126fc3ecae
  Author: Christopher Wood <chriswood@cloudflare.com>
  Date:   2020-06-24 (Wed, 24 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Fix linter issues.


  Commit: 7d763fd6e71e4e1c38add4d78dbf3f7c28645f07
      https://github.com/quicwg/base-drafts/commit/7d763fd6e71e4e1c38add4d78dbf3f7c28645f07
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update draft-ietf-quic-tls.md

Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


  Commit: 847f3c1666ca1ec23c92c72a9be998e74fb1ce68
      https://github.com/quicwg/base-drafts/commit/847f3c1666ca1ec23c92c72a9be998e74fb1ce68
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update draft-ietf-quic-tls.md

Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


  Commit: e50a65d844bf4c09891bf873d64c9211b28f43f5
      https://github.com/quicwg/base-drafts/commit/e50a65d844bf4c09891bf873d64c9211b28f43f5
  Author: Christopher Wood <caw@heapingbits.net>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update draft-ietf-quic-tls.md

Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>


  Commit: 69be76608b8f7a81d2e64e210121ddbbe1788c78
      https://github.com/quicwg/base-drafts/commit/69be76608b8f7a81d2e64e210121ddbbe1788c78
  Author: Christopher Wood <chriswood@cloudflare.com>
  Date:   2020-06-29 (Mon, 29 Jun 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Clarify connection close cases for the confidentiality limit.

Also, split out the integrity limit text again for parallel flow.


  Commit: 5e7bfa9688a218d75590134a116cedb3127443d0
      https://github.com/quicwg/base-drafts/commit/5e7bfa9688a218d75590134a116cedb3127443d0
  Author: Martin Thomson <mt@lowentropy.net>
  Date:   2020-07-06 (Mon, 06 Jul 2020)

  Changed paths:
    M draft-ietf-quic-tls.md

  Log Message:
  -----------
  Update AEAD limits

This corrects an arithmetic error in the calculation of the
confidentiality limit for AES-GCM.

It also changes to using a fixed advantage target of 2^-57 for both
confidentiality and integrity.  The inconsistent use of different limits
was making it hard to reason about.  As the overall target is AE
security, the net effect of this is a factor of 2 improvement in
attacker advantage over what is in the TLS analysis, which was
2^-57+2^-60.  This moves to 2^-56 overall, which is cleaner.

In doing so, I discovered that the integrity limits for both AES-GCM and
AES-CCM were being set independent of the confidentiality limits, but
that the confidentiality limits assumed limits on the number of
forgeries.  As a result, the limits on forgeries had to be capped based
on those assumptions.


Compare: https://github.com/quicwg/base-drafts/compare/71684bc7e715%5E...5e7bfa9688a2
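The accounting these commit messages describe, confidentiality limits per key and integrity limits per connection across KeyUpdate, together with the fixed 2^-57 targets that sum to an AE advantage of 2^-56, as an added example. This is Python written for this page, not code from the QUIC WG drafts: the AeadLimitTracker class, its method names, the tiny limits in run_scenario and the scenario itself are constructed. The single-user AES-GCM confidentiality term 2*(q*l)^2 / 2^128 used in gcm_confidentiality_packet_limit is taken from the later published RFC 9001 appendix as I recall it; it is an assumption here, not something this page states.

```python
"""AEAD usage-limit bookkeeping for a QUIC-style endpoint (added example).

Constructed illustration, not code from the QUIC WG drafts. Confidentiality
accounting is per key and restarts on a key update; integrity (forgery)
accounting is per connection and survives key updates, because each
KeyUpdate key is another "user" in the multi-user analysis.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional


def ae_advantage(conf_exp: int, integ_exp: int) -> Fraction:
    """Combined AE advantage for targets 2^-conf_exp and 2^-integ_exp.
    AE security is bounded by the sum of the two advantages."""
    return Fraction(1, 2 ** conf_exp) + Fraction(1, 2 ** integ_exp)


def gcm_confidentiality_packet_limit(max_packet_bytes: int, target_exp: int = 57) -> int:
    """Largest power-of-two packet count q with 2*(q*l)^2 / 2^128 <= 2^-target_exp,
    l being the number of 16-byte blocks in the largest packet.

    ASSUMPTION: the single-user term 2*(q*l)^2 / 2^128 is my recollection of
    the published RFC 9001 Appendix B.1.1; the page does not reproduce it.
    """
    l = max(1, -(-max_packet_bytes // 16))  # ceil(bytes / block size)
    bound = 2 ** (128 - target_exp)          # 2*(q*l)^2 must not exceed this
    e = 0
    while 2 * ((2 ** (e + 1)) * l) ** 2 <= bound:
        e += 1
    return 2 ** e


@dataclass
class AeadLimitTracker:
    """Per-connection bookkeeping for one direction of traffic (constructed)."""
    confidentiality_limit: int           # packets that may be protected under one key
    integrity_limit: int                 # invalid packets tolerated over the connection
    key_update_possible: bool = True     # False when keys cannot be rotated
    packets_under_key: int = 0
    invalid_packets: int = 0             # deliberately NOT reset on key update
    key_generation: int = 0
    closed: bool = False
    close_reason: Optional[str] = None

    def key_update(self) -> None:
        # A fresh key is a fresh "user": confidentiality accounting restarts,
        # but forgery attempts keep accumulating against the connection.
        self.key_generation += 1
        self.packets_under_key = 0

    def _close(self, reason: str) -> None:
        self.closed = True
        self.close_reason = reason

    def protect(self) -> Optional[int]:
        """Account for one packet about to be encrypted. Returns the key
        generation to use, or None if the connection must be closed."""
        if self.closed:
            return None
        if self.packets_under_key >= self.confidentiality_limit:
            if not self.key_update_possible:
                self._close("confidentiality limit reached, key update not possible")
                return None
            self.key_update()
        self.packets_under_key += 1
        return self.key_generation

    def unprotect_result(self, authenticated: bool) -> bool:
        """Account for one decryption attempt. Returns False once the
        integrity limit is reached and the connection must be closed."""
        if self.closed:
            return False
        if not authenticated:
            self.invalid_packets += 1
            if self.invalid_packets >= self.integrity_limit:
                self._close("integrity limit reached")
                return False
        return True


def run_scenario() -> dict:
    """Constructed scenario with tiny limits so the transitions are visible."""
    t = AeadLimitTracker(confidentiality_limit=4, integrity_limit=3)
    gens: List[Optional[int]] = [t.protect() for _ in range(9)]  # two forced key updates
    t.unprotect_result(False)   # first forgery attempt
    t.key_update()              # peer rotates keys; forgery count must persist
    t.unprotect_result(False)   # second forgery attempt, new key, same connection
    still_open = t.unprotect_result(False)  # third: integrity limit reached
    return {"generations": gens, "invalid": t.invalid_packets,
            "open": still_open, "reason": t.close_reason,
            "generation": t.key_generation}


if __name__ == "__main__":
    print("AE advantage at 2^-57 + 2^-57 =", ae_advantage(57, 57))
    print("AES-GCM packets for 2^16-byte packets:", gcm_confidentiality_packet_limit(65536))
    print(run_scenario())
```

The tracker separates the two counters on purpose: protect() rotates keys when the per-key count is exhausted and closes only if rotation is impossible, while unprotect_result() never resets on rotation, so a forger cannot buy a fresh integrity budget by waiting for a key update.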