Forgery limits in QUIC

Martin Thomson <mt@lowentropy.net> Fri, 01 May 2020 04:45 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E666B3A0879 for <quic@ietfa.amsl.com>; Thu, 30 Apr 2020 21:45:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=kfXj6lUP; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=uSVqX11X
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mxX7_rHMJrHg for <quic@ietfa.amsl.com>; Thu, 30 Apr 2020 21:45:58 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D12A3A0878 for <quic@ietf.org>; Thu, 30 Apr 2020 21:45:58 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id A061E5C02D4 for <quic@ietf.org>; Fri, 1 May 2020 00:45:57 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute2.internal (MEProxy); Fri, 01 May 2020 00:45:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:date:from:to:subject:content-type :content-transfer-encoding; s=fm2; bh=qXlcEYXz0oqYOwKqNPFETVWW/a BNTfMrrOhuS2FuSTI=; b=kfXj6lUP4EI26MyaUYwFefsKsZ2VK9t834Iz0EBaYD RrCtY4a5nx3kbNiQUVjHbaSfzxuxNuF+XCvcrVxyTEL5Cgb8z0xZ4atJNKjgpndZ a/vVEwcgKLFFJoOWLO6QZtOwkgxwjJAUS9bparWopBjfXyUz/UGikNFcRx9Nm761 ZZcR3E743chpb0ir83e623WzhJ+3nchEAYONO5vSwoIIqeyro2/CPUzGn/CVKog+ 5AHzVWvu6f5PDAnNizeD87lLgqCAXKqXKteFpK1W0mdYPD0cjSw2Bzu1tXYvFUKn 5sU0gMGIoV4RYdvbVjvKruxqyjs4G2N3gh/C+SM0dKNA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=qXlcEY Xz0oqYOwKqNPFETVWW/aBNTfMrrOhuS2FuSTI=; b=uSVqX11X8VGBn2K7jc51zO Rj4+R4nXgFQZhWPRrgncZo0ejIQwoRJhcvMFyRecJqyJJUnqaKHuZ+ZTfW79XBnS SKwBvoq8rxOvwcr8+3UbJEpK1PnshT5v8vLIE4+IlsYYPW7zZY1Kmxr0I6N02gNp ENfKlzjpv9lgZ5OZBrOydgAa08vrgrtZpDEiGMxrEsLKW2iK1uNnxWGo9oyu7RVl dJyHDf8StGxuxjRxuhLfLldrnF7WA9WUv+1ECJYD32FbcNGPFQIOan8ACeUCLsap 4GVvn3kcVmnjEOHBV+2U04kSS1IqOohDDC5/GU2hlOn7Ja42+xIpd5esNZO7wx9w ==
X-ME-Sender: <xms:hamrXrmj2a8lih-uVT_V3Knq7DxcV0xQJi4pKdTeedW_xkfW4pClPg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrieeigdekgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkfffhvffutgfgsehtqhertd erreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigv nhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpefggfetfefgvedvhefhhfehhe ehfeekveehgeduveehjeevteeggfevheelhffgjeenucffohhmrghinhepghhithhhuhgs rdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:hamrXgFgJHGVFXOH_U4S3KZsDECsIS7iki9PT-ohAoNpRV1UtazJuQ> <xmx:hamrXusjvNQIQzzPsSAWrTvfK73fysQrh6ydesM2xABeWoS5hduISw> <xmx:hamrXmlvKFaX1OxVlZeASCvYHz43DMXDNLq8_wRRkHeCKjcVCMPqlQ> <xmx:hamrXu_YZjxZlpLJGNcpBIqGu9B_MYuedVScyEhFjyL6CdLkWHwZEg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 3BD95E00A9; Fri, 1 May 2020 00:45:57 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-dev0-351-g9981f4f-fmstable-20200421v1
Mime-Version: 1.0
Message-Id: <c32379cb-43c1-4db8-9f0a-b7294085dd6d@www.fastmail.com>
Date: Fri, 01 May 2020 14:45:39 +1000
From: "Martin Thomson" <mt@lowentropy.net>
To: quic@ietf.org
Subject: Forgery limits in QUIC
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/28W4-5HxqHSf62PTICnxKU3izks>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2020 04:46:00 -0000

I have just opened https://github.com/quicwg/base-drafts/issues/3619

tl;dr We need to recommend limits on the number of failed decryptions.

I am now working on a pull request to add this to the spec.

I realize that we're nearing the end, but this is an important security improvement and the result of some good work by cryptography researchers, who have done a lot to improve our confidence that QUIC can deliver on its promises of providing confidentiality and integrity.

A big thanks to Felix G√ľnther, Marc Fischlin, Christian Janson, and Kenny Paterson for their work on this.