IETF Logo Mail Archive

Re: [quicwg/base-drafts] Packet number encryption (#1079)

Christian Huitema <notifications@github.com> Wed, 18 April 2018 17:06 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA2AD127869 for <quic-issues@ietfa.amsl.com>; Wed, 18 Apr 2018 10:06:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.01
X-Spam-Level:
X-Spam-Status: No, score=-8.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aqf7bD8Hspks for <quic-issues@ietfa.amsl.com>; Wed, 18 Apr 2018 10:06:26 -0700 (PDT)
Received: from out-6.smtp.github.com (out-6.smtp.github.com [192.30.252.197]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 031EC1275AB for <quic-issues@ietf.org>; Wed, 18 Apr 2018 10:06:26 -0700 (PDT)
Date: Wed, 18 Apr 2018 10:06:24 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1524071185; bh=SgzAd5oToWlnlx7Mv4FRo5xONcDRgcvBMbbCEXXDqzs=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=12s3GnKBPVcypeUyP75bUsNASGt1xN5vCAI5BIoav5X0ZWJkR8czy+pGFnF0Y9hSJ IQL1OQjHYICUBbPHygprOB6Kox0dHlnyl0KFuHSbKPC/EX/25qSgK7g1A1BJBAsj+4 lPJ2xOyUHRns+8tJDm53+x39L5P/WEaujfBP3U4M=
From: Christian Huitema <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4abbecb4510e953cc996b0a353bc21b906b218c4eee92cf0000000116ef3d1092a169ce116c0848@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/1079/c382459179@github.com>
In-Reply-To: <quicwg/base-drafts/pull/1079@github.com>
References: <quicwg/base-drafts/pull/1079@github.com>
Subject: Re: [quicwg/base-drafts] Packet number encryption (#1079)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5ad77b10f2e0b_5e812b167f44cf588543f"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: huitema
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/vxO1VGFGb-BKc2HQhT0PoJ_7K-0>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2018 17:06:29 -0000

On 4/18/2018 9:22 AM, ekr wrote:

> On Tue, Apr 17, 2018 at 7:13 AM, Antoine Delignat-Lavaud <
> notifications@github.com> wrote:
>
> > We have been discussing this PR at Microsoft with Cedric Fournet and
> Nick
> > Banks and have some comments on the current proposal:
> >
> > 1.
> >
> > As pointed out in the other reviews of this PR, there is a lot of
> > ambiguity regarding whether the packet number length is or isn’t
> encrypted.
> > In the current PR, the formula to compute the sample_offset only makes
> > sense if the packet number is a “varint”. However, the proposed
> change does
> > not alter the short packet header, and the PN length is indicated by the
> > last 3 bits of the flags byte, and restricted to be one of 8, 16, or 32
> > bits. Under this assumption, the sample_offset can be redefined as the
> > length of the packet header - we think it is reasonable to keep the PN
> > length public, and avoid having a fuzzy limit between packet header and
> > contents, which could be a source of side channels in the processing
> of the
> > packet after PN decryption, in particular considering point 2 below.
> > 2.
> >
> > Given that packet numbers in short packets are only a few bytes and
> > get encrypted without authentication, they are extremely vulnerable to
> > malleability, and using a XOR mask encryption (such as CTR mode or
> ChaCha20
> > keystream) compounds the problem even further, because an adversary can
> > selectively flip the few bits of interests for him (the low weight
> ones) to
> > find out using side channels what position the reader is at in the
> stream
> > (as discussed in the PR comments). We are concerned that some
> > implementations may try to perform optimizations based on the
> decrypted PN
> > without first first decrypting the packet (for instance, an
> implementation
> > may chose not to decrypt the packet if the decrypted SN has been
> acked, or
> > above some threshold). Any such optimization is a side channel that
> can be
> > extremely efficiently used to recover the PN. We think it is a
> weakness of
> > the PN encryption scheme to allow implementations to fall into this
> trap.
> > Using a 32-bit permutation cipher rather than AES-CTR or ChaCha20 would
> > make such attacks less effective. A cipher such as Speck with 32 bit
> blocks
> > could be well suited for this purpose, and also much faster.
> >
> >
> Note that if we're willing to bake in a permutation, we can just go
> back to
> Kazuho's original proposal of AES-ECBing the PN + <X bytes of ciphertext>
> in place.

I am not sure that I understand Cedric's proposal to use Speck. Would
that be a variant of #1079 in which the only change is the use of a
block cipher like Speck instead of a stream cipher like AES-CTR?

Clearly, using a block cipher with exactly the same length as the PN
will have some advantages in term of implementation. But it is not a
straight win:

* Malleability is still there. Since the permutation only affects the
low bits of the sequence number, there are still reasonable chances that
decrypting a random number results in an acceptable sequence number. The
risk goes down from 100% with a stream cipher to at most 50% with a
permutation cipher.

* The current proposal has baked-in crypto agility, because it uses the
same stream cipher for content encryption and for PN encryption, and
thus negotiates it at the same time. We would need to specify which
permutation cipher is associated with each of the content encryption
methods. AES-ECB is indeed an option when using AES for content, but
what about ChaCha20?

* As for the AES-ECB proposal, the effect on hardware acceleration is
probably even more drastic than the current design, since some bits
would have to be decrypted twice.

Cedric is "concerned that some implementations may try to perform
optimizations based on the decrypted PN without first first decrypting
the packet", and that would provide a "side channel that can be
extremely efficiently used to recover the PN". But then, what he
describes is not just an optimization. It is a standard defense against
denial of service attacks, filtering out implausible sequence numbers
and avoiding the CPU cost of decrypting the forged packets. I am not
sure about the trade-off there, between "maybe helping recover the PN"
and "further exposure to DOS".

-- Christian Huitema



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/1079#issuecomment-382459179

v2.34.0 | Report a Bug | By Email | System Status