RE: Packet Number Encryption outside of AEAD

"Deval, Manasi" <manasi.deval@intel.com> Fri, 27 July 2018 22:11 UTC

Return-Path: <manasi.deval@intel.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B667712E039 for <quic@ietfa.amsl.com>; Fri, 27 Jul 2018 15:11:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dWUcNC_Ddzvs for <quic@ietfa.amsl.com>; Fri, 27 Jul 2018 15:11:43 -0700 (PDT)
Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32FFA12DD85 for <quic@ietf.org>; Fri, 27 Jul 2018 15:11:43 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 Jul 2018 15:11:42 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.51,411,1526367600"; d="scan'208";a="219726300"
Received: from orsmsx105.amr.corp.intel.com ([10.22.225.132]) by orsmga004.jf.intel.com with ESMTP; 27 Jul 2018 15:11:32 -0700
Received: from orsmsx153.amr.corp.intel.com (10.22.226.247) by ORSMSX105.amr.corp.intel.com (10.22.225.132) with Microsoft SMTP Server (TLS) id 14.3.319.2; Fri, 27 Jul 2018 15:11:32 -0700
Received: from orsmsx111.amr.corp.intel.com ([169.254.12.141]) by ORSMSX153.amr.corp.intel.com ([169.254.12.164]) with mapi id 14.03.0319.002; Fri, 27 Jul 2018 15:11:32 -0700
From: "Deval, Manasi" <manasi.deval@intel.com>
To: Christian Huitema <huitema@huitema.net>, Kazuho Oku <kazuhooku@gmail.com>, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
CC: IETF QUIC WG <quic@ietf.org>
Subject: RE: Packet Number Encryption outside of AEAD
Thread-Topic: Packet Number Encryption outside of AEAD
Thread-Index: AQHUJKkAtask1KfWg0ikoziD8HV0hqSi7JQAgACfBAD//7ZHcA==
Date: Fri, 27 Jul 2018 22:11:31 +0000
Message-ID: <1F436ED13A22A246A59CA374CBC543998B87F778@ORSMSX111.amr.corp.intel.com>
References: <CAN1APdcCdPGVEHJh4FiQBirunHUxY7HV_idYPtyQT09Fe-fSUw@mail.gmail.com> <CANatvzzMhYowiCCCz+_q+zT6LYRjDa9ru33G-tcs44G8r8cBjg@mail.gmail.com> <97ef2887-7e02-7a57-efe9-f6e54dcbf0dc@huitema.net>
In-Reply-To: <97ef2887-7e02-7a57-efe9-f6e54dcbf0dc@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiZGZjY2MzYTgtYTcyYi00OTQ2LTgyNGYtZTU4NDNkZDFhYjkxIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiRFg1V1wvVjE1SXhjUDQxb2diUE5FOW4xVWJJdm90TE9ZNDlGM0FKNzY2eTQ5dXJTZ2pBWklPbmNRR3VBd0FpVnEifQ==
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.0.400.15
dlp-reaction: no-action
x-originating-ip: [10.22.254.138]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/1LW-MTKBO7OV_zPY22Pb4jfC8D4>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 22:11:45 -0000

About the issue of Packet Number Encryption outside of AEAD - We agree it simplifies both hardware and software logic. It also allows the2 encryption operations to run mostly in parallel, so it is a welcome modification.

Thanks,
Manasi


-----Original Message-----
From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Christian Huitema
Sent: Friday, July 27, 2018 6:43 AM
To: Kazuho Oku <kazuhooku@gmail.com>; Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>
Subject: Re: Packet Number Encryption outside of AEAD



On 7/26/2018 9:14 PM, Kazuho Oku wrote:
> Consider the case where a sender encodes a packet number using 4
> octets even when just using 1 octet is enough.
>
> An on-path attacker rewrites the packet by applying XOR 0x80 to the
> first octet of the encrypted PN, and trimming the latter three octets
> of the encrypted PN.
That attack does not work, because the encoding of the PN is big-endian.
The actual packet number is in the fourth octet. Or rather, it only
works in the special case where the PN is 0.

-- Christian Huitema