Re: [quicwg/base-drafts] Why does stateless reset have to be checked after MAC failure (#2152)

Martin Thomson <> Tue, 27 August 2019 13:44 UTC

Assume that you do have a way of measuring how long it takes to process a garbage packet.  Also assume that there is just one token.  If you don't compare in constant time, the attacker can measure how long it takes to compare the possible token with the real token.  For every byte that matches, you take a tiny bit longer.  A complete search takes just 2^12 guesses, multiplied by any oversampling factor you might need to extract the side channel information.  That makes it not very hard.

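The byte-at-a-time search described above, written out as an added example. This is not code from the QUIC drafts or from any QUIC implementation: the 16-byte token length is the one QUIC uses, but the "work" oracle, the `RESET_COST` constant and the zero-padded guesses are modelling assumptions of this example. It simulates an endpoint that compares a received token with an early-exit loop, recovers the token in at most 16 x 256 = 2^12 guesses, and then shows the same search getting nothing out of an `hmac.compare_digest` based check.

```python
# Added example (not from the QUIC drafts or any implementation): a simulated
# timing attack on an early-exit stateless reset token compare, beside the
# constant-time compare that defeats it.
import hmac
import secrets

TOKEN_LEN = 16   # QUIC stateless reset tokens are 16 bytes
RESET_COST = 4   # assumption: a matching token triggers connection teardown,
                 # which is extra work the attacker can also observe


def leaky_compare(real: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit byte compare. Returns (matched, bytes_examined); the count
    of bytes examined stands in for the time an attacker could measure."""
    examined = 0
    for a, b in zip(real, guess):
        examined += 1
        if a != b:
            return False, examined
    return len(real) == len(guess), examined


def constant_time_compare(real: bytes, guess: bytes) -> tuple[bool, int]:
    """Constant-time compare via hmac.compare_digest; every byte is touched
    regardless of where the first difference is."""
    return hmac.compare_digest(real, guess), len(real)


def make_oracle(token: bytes, compare):
    """Model an endpoint handling a garbage packet: the attacker sees only the
    total work, i.e. the compare cost plus the teardown cost on a match."""
    def oracle(guess: bytes) -> int:
        matched, examined = compare(token, guess)
        return examined + (RESET_COST if matched else 0)
    return oracle


def recover_token(oracle, max_guesses: int = TOKEN_LEN * 256):
    """Recover the token one byte at a time. At each position, the single
    candidate that makes the endpoint work strictly longer than the other 255
    is the correct byte. Returns (token, guesses), or (None, guesses) when no
    position leaks a unique slow path (the constant-time case)."""
    known = bytearray()
    guesses = 0
    for pos in range(TOKEN_LEN):
        timings = {}
        for candidate in range(256):
            # Constructed guess: recovered prefix, candidate byte, zero padding.
            guess = bytes(known) + bytes([candidate]) + bytes(TOKEN_LEN - pos - 1)
            timings[candidate] = oracle(guess)
            guesses += 1
            if guesses > max_guesses:
                return None, guesses
        slowest = max(timings.values())
        winners = [c for c, t in timings.items() if t == slowest]
        if len(winners) != 1:
            return None, guesses   # all candidates cost the same: nothing leaked
        known.append(winners[0])
    return bytes(known), guesses


if __name__ == "__main__":
    token = secrets.token_bytes(TOKEN_LEN)
    got, n = recover_token(make_oracle(token, leaky_compare))
    print("early-exit compare: recovered =", got == token, "after", n, "guesses")
    got, n = recover_token(make_oracle(token, constant_time_compare))
    print("constant-time compare: recovered =", got is not None, "after", n, "guesses")
```

The search never exceeds 4096 guesses because each position is settled independently of the others; any oversampling an attacker needs to average out network jitter multiplies that number but does not change the exponent. The fix on the endpoint side is the second compare: `hmac.compare_digest` examines the whole token every time, so all 256 candidates at a position cost the same and the loop has nothing to pick.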