IETF Logo Mail Archive

Re: [quicwg/base-drafts] First octet changes (#2006)

Kazuho Oku <notifications@github.com> Sat, 17 November 2018 03:25 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB90F130DD6 for <quic-issues@ietfa.amsl.com>; Fri, 16 Nov 2018 19:25:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.47
X-Spam-Level:
X-Spam-Status: No, score=-8.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ogPcqOwwFG43 for <quic-issues@ietfa.amsl.com>; Fri, 16 Nov 2018 19:25:15 -0800 (PST)
Received: from out-3.smtp.github.com (out-3.smtp.github.com [192.30.252.194]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEB39128CF2 for <quic-issues@ietf.org>; Fri, 16 Nov 2018 19:25:14 -0800 (PST)
Date: Fri, 16 Nov 2018 19:25:13 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1542425113; bh=KpML1XKqz6QVSwcy+rYvHYwDUUtzqB4JEVgIwqZT3PY=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=oGahHTU8TDBzqInQ+vEGdsEcq525XhCyZJ9aiZWiuUz9eljxDmIVnT0gKYIW6NEA0 6Em6a7SlQyFNVUYieWQ2SHhKViIVEvx0x299mhI6KJ6jybCu6cGiocbfSYw8MumGgW 7ix7FsLqsQP6Ubkf2X+TgG4EuB6QyuOVBjYjTyKo=
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4abc994ab201feceaabef72433840ca61a7c729bae692cf0000000118074c1992a169ce16b57ba1@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2006/review/176038723@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2006@github.com>
References: <quicwg/base-drafts/pull/2006@github.com>
Subject: Re: [quicwg/base-drafts] First octet changes (#2006)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bef8a196183a_270d3fdaeb0d45c01438f2"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/zVmnIk9tx9PeRVZE-N4wQvZDpuc>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Nov 2018 03:25:17 -0000

kazuho commented on this pull request.



> +Before a TLS ciphersuite can be used with QUIC, a header protection algorithm
+MUST be specified for the AEAD used with that ciphersuite.  This document
+defines algorithms for AEAD_AES_128_GCM, AEAD_AES_128_CCM, AEAD_AES_256_GCM,
+AEAD_AES_256_CCM (all AES AEADs are defined in {{!AEAD=RFC5116}}), and
+AEAD_CHACHA20_POLY1305 {{!CHACHA=RFC8439}}.
+
+
+### Header Protection Sample {#hp-sample}
+
+The header protection algorithm uses both the header protection key and a sample
+of the ciphertext from the packet Payload field.
+
+The same number of bytes are always sampled, but an allowance needs to be made
+for the endpoint removing protection, which will not know the length of the
+Packet Number field.  In sampling the packet ciphertext, the Packet Number field
+is assumed to be 4 bytes long (its maximum possible encoded length), unless

@mikkelfj I tend to agree that 128 bits will be enough (because PN space is 62 bits and IV needs to be indistinguishable from random), but I think we might want to define the number for each cipher-suite.

@marten-seemann The reason we introduced PNE was to prevent packet numbers sent in clear as a tracking vector among multiple CIDs of a connection (that possibly roams). As you state, IV collision leaks the XOR between two packet numbers. The risk of that being used as a tracking vector will become higher as the chance of collision arises.

Anyways, I think that requiring `length(packet number) + length(payload) >= 4 + length(iv) - length(aead tag)` would be a good idea, because it is a simplification at the same time giving us agility against cipher-suites that we might add in the future. Current spec requires both the encoder and decoder to adjust the position of IV if the payload length is below 4. The proposed change concentrates the adjustment into one point; i.e. when encoder builds the payload.

FWIW, for the cipher-suites that are defined now, the right-hand side of the expression (i.e. `4 + length(iv) - length(aead tag)`) is always 4, which makes the equation exactly the same as what @DavidSchinazi suggests.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2006#discussion_r234394614

v2.38.3 | Report a Bug | By Email | System Status