Re: Packet number encryption
Kazuho Oku <kazuhooku@gmail.com> Fri, 02 February 2018 13:13 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1C4912422F for <quic@ietfa.amsl.com>; Fri, 2 Feb 2018 05:13:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iiERvrONVztT for <quic@ietfa.amsl.com>; Fri, 2 Feb 2018 05:13:49 -0800 (PST)
Received: from mail-pg0-x22f.google.com (mail-pg0-x22f.google.com [IPv6:2607:f8b0:400e:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64C31120713 for <quic@ietf.org>; Fri, 2 Feb 2018 05:13:49 -0800 (PST)
Received: by mail-pg0-x22f.google.com with SMTP id o13so14053294pgs.2 for <quic@ietf.org>; Fri, 02 Feb 2018 05:13:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=ivkoDLZifOflvdKaFG4MGQJFD17nnQkOGCz6PYWFth0=; b=EvTi9IXMedY/2Frx5ySEipVqd/9FexGiIMxqkojVF3zj7dJTcR9XQTQ8axxwWHJlAK WyWCry/qLQCVq8IJRt1sW2KiNtxaUwJVA/DenDmh05LcW8JpK3UXT4UPodh5NfEJgBLZ YjPhaBZcuXNtstzj+qeqM7lsTsjcv6PswUoF4AY/S3mNjftep+aKYk1Otezyy9OB3tXg h5yxpG8Wqkk+VZsDdlqFZ7k1G0i40iXk/MA9OnRgJaQBAfe70MMp3dk1y91D7ICbS331 WcB/oUU6XqYJLFhugK9WKaqnJYDJ58GDXxmAUgomXJPuhrlTQkUi1zKIOEvAWDSqptyV OouA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=ivkoDLZifOflvdKaFG4MGQJFD17nnQkOGCz6PYWFth0=; b=TH80gnWq40bl/cwUbXr6djsvimvZztS0s651s8pNcpuFhlw+qAt2bjzMKo5UyheEhE 7FT0g4yZiGaK6hER7UdWUGVAIT6RmDuohbMantdQyMfS8WVrDVR9cQ2YxvKKYeOauUlZ VyRneYd0o24GgsE032N+NGMmF28zssItzyilXVWfT+TVWkVQr+vQPSqj2m/22EpNWfsG SL+hp8eixlSuWYSCWGN/ut98LqucotNhTapK8Jk5XEt54iXVA9/0AFpyY15Mum5/qmrC jIDj7BFfIv3iV/5n4KJRRs+MepdDqGcmWfXEW2Puk2TvlOZfp6qfUIYZVwVgGGiKjDSi vOiA==
X-Gm-Message-State: AKwxytd6jBCAd122r/1aexa7ozho8pyIxaTh6MWHThR/8MZYDPoHZzuM /gdWW39EAlTUw214hKvk9x9gBw99y94j1E//1+c=
X-Google-Smtp-Source: AH8x226JKQgUITLw6yQPchp5JsOGPEyunRtsxlR0IUaOCLUJDmkP5OlDxiS/fTNb2pV4aAYOwW5eNVTpHfl6NLMNg5w=
X-Received: by 10.99.123.78 with SMTP id k14mr1469061pgn.173.1517577228720; Fri, 02 Feb 2018 05:13:48 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.156.11 with HTTP; Fri, 2 Feb 2018 05:13:47 -0800 (PST)
In-Reply-To: <F9586DED-4A7B-4C7C-98BB-711610530A73@tik.ee.ethz.ch>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <1F7FB3B8-A94C-4354-9944-FB09FB8DB68B@trammell.ch> <CABcZeBMbwdwyC9TxxHBLYaZKfNB-FG2wCGjqUZ_mNR-A1R47FA@mail.gmail.com> <9096e5ec-581e-875a-b1dd-bff0b05206fd@huitema.net> <CABkgnnWRQSAufwPss+qf=xAzCwRYeNNH8XLPm3yFaHxOb+ba4g@mail.gmail.com> <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <5A7191E0.6010003@erg.abdn.ac.uk> <5214AD93-8376-4B25-922F-AF5551CC2E95@netapp.com> <CANatvzwoih1zXo6iG3XL=xM3xmN-QX_fiSb5wBBUdmdr926URw@mail.gmail.com> <F9586DED-4A7B-4C7C-98BB-711610530A73@tik.ee.ethz.ch>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 02 Feb 2018 22:13:47 +0900
Message-ID: <CANatvzy6-keF9kiGRJ1T0=LnNY6TZOegADLyGN7L9K13ZuOL0g@mail.gmail.com>
Subject: Re: Packet number encryption
To: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
Cc: "Eggert, Lars" <lars@netapp.com>, Gorry Fairhust <gorry@erg.abdn.ac.uk>, Eric Rescorla <ekr@rtfm.com>, Christian Huitema <huitema@huitema.net>, Brian Trammell <ietf@trammell.ch>, QUIC WG <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/DdGhelgaJUtT679cbRmhN8o4ZIc>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2018 13:13:52 -0000
2018-02-02 21:24 GMT+09:00 Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>: > Please see below. > >> Am 02.02.2018 um 01:56 schrieb Kazuho Oku <kazuhooku@gmail.com>: >> >> 2018-01-31 19:00 GMT+09:00 Eggert, Lars <lars@netapp.com>: >>> On 2018-1-31, at 10:52, Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote: >>>> +1 - Simply: This *is* complicated and seems to add little. >>> >>> So as an implementor (chair hat off), this adds very little to the overall complexity of the protocol. >> >> +1 >> >> The algorithm defined in the PR is easy to implement. > > I didn’t say that it is too complex (I actually explicitly said in my original mail it is not very complex) but it adds additional complexity to a protocol that is already complex and doesn’t provide much benefit from my point of view but can be an additional source for errors. Regarding CID migration, I would argue that the current draft is already complex due to the use of HKDF based on a derived key to calculate the gap. But it still has issues (please refer to https://github.com/quicwg/base-drafts/issues/1034). Switching to packet number encryption resolves those issues. You no longer need to do special calculation of the packet number upon CID migration. Having a consistent logic to handle packet numbers is IMO a better choice than requiring complex operations in a corner case. > After all it must also be possible to implement QUIC if you just read the final specs and have not participated in the wg design discussion or can easy ask a clarifying question on the list. > >> >> When using OpenSSL what you need to do is: > > If you don’t want to use OpenSSL or are in an environment where you can use such a library, it is definitely more complex than this. I agree that the mileage may vary depending on the crypto library you use. However, I would also argue that it would be fairly natural to assume that you have access to the underlying cipher of an AEAD cipher that you would be using (e.g. AES-ECB (or AES-CTR) for AES-GCM, Chacha20 for Chacha20-Poly1305). Then, it is easy to construct the proposed logic, though you might need to write code specific to each cipher. > >> >> * when switching to a new pn_key, call EVP_EncryptInit_ex to setup a >> CTR cipher (e.g., EVP_aes_128_ctr, EVP_chacha20) along with the pn_key >> passed as the argument. >> >> * for each packet, call EVP_EncryptInit_ex to set the IV to the 16 >> bytes of the AEAD ciphertext, then call EVP_EncryptUpdate to obtain >> the encrypted packet number >> >> Decryption is exactly the same as encryption, since it is CTR mode. >> >> To me it seems that using packet number encryption actually simplifies >> the implementation, since we no longer need to care about randomizing >> the initial packet number or implement special measures to avoid >> linkability when switching to a new CID. > > Choosing a random number is definitely less complex than encrypting something. It might simply your current code because you are using a library that implements the complexity already. And special measures when switch to a new path are needed anyway for the CID. I agree that calculating a random number is not a big deal. Regarding the amount of the special measures in relation to CID migration, please refer to my comment above. > > Mirja > > > > >> >>> Lars >> >> >> >> -- >> Kazuho Oku > -- Kazuho Oku
- Packet number encryption Martin Thomson
- Re: Packet number encryption Ian Swett
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Eric Rescorla
- Re: Packet number encryption Christian Huitema
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Mirja Kühlewind
- Re: Packet number encryption Gorry Fairhurst
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Eggert, Lars
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Ted Hardie
- Re: Packet number encryption Ted Hardie
- Re: Packet number encryption Christian Huitema
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Christian Huitema
- Re: Packet number encryption Jana Iyengar
- RE: Packet number encryption Roni Even (A)
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Martin Duke
- Re: Packet number encryption Kazuho Oku
- Re: Packet number encryption Christian Huitema
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mirja Kühlewind
- Re: Packet number encryption Mirja Kühlewind
- Re: Packet number encryption Kazuho Oku
- Re: Packet number encryption Dmitri Tikhonov
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: Packet number encryption Jana Iyengar
- RE: Packet number encryption Piotr Galecki
- Re: Re: Packet number encryption alexandre.ferrieux
- Re: Packet number encryption Patrick McManus
- Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
- Re: Packet number encryption Stephen Farrell
- Re: Packet number encryption Roberto Peon
- RE: Packet number encryption Piotr Galecki
- RE: Packet number encryption Roni Even (A)
- RE: Packet number encryption Lubashev, Igor
- RE: Packet number encryption Lubashev, Igor
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Lubashev, Igor
- Re: Packet number encryption Stephen Farrell
- Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
- Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
- Re: Packet number encryption Stephen Farrell
- Re: Packet number encryption Willy Tarreau
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Brian Trammell (IETF)
- Reducing ossification through protocol design (wa… Brian Trammell (IETF)
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Salz, Rich
- Re: Packet number encryption Jana Iyengar
- RE: Packet number encryption Roni Even
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Roni Even (A)
- Re: Packet number encryption Roberto Peon
- Re: Reducing ossification through protocol design… Gorry Fairhurst
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Kazuho Oku
- RE: Packet number encryption Roni Even (A)
- Re: Reducing ossification through protocol design… Mirja Kühlewind
- Re: Reducing ossification through protocol design… Salz, Rich
- Re: Reducing ossification through protocol design… Mirja Kühlewind
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mike Bishop
- RE: Reducing ossification through protocol design… Mike Bishop
- Re: Packet number encryption Jana Iyengar
- Re: Packet number encryption Jana Iyengar
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Ted Hardie
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Marten Seemann
- RE: Packet number encryption Roni Even (A)
- Re: Packet number encryption Marten Seemann
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Kazuho Oku
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Gorry Fairhurst
- Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
- Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
- RE: Explicit measurability in the QUIC wire image… Roni Even (A)
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mirja Kühlewind
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Stephen Farrell
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- RE: Packet number encryption Mike Bishop
- Re: Packet number encryption Jana Iyengar
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Eric Rescorla
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Ian Swett
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Martin Thomson
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Christian Huitema
- Re: Packet number encryption Marten Seemann
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Explicit measurability in the QUIC wire image… Martin Thomson
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mirja Kühlewind
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Packet number encryption Brian Trammell (IETF)
- RE: Packet number encryption Praveen Balasubramanian
- Re: Explicit measurability in the QUIC wire image… Christian Huitema
- Re: Explicit measurability in the QUIC wire image… Christian Huitema
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Packet number encryption Victor Vasiliev
- Re: Packet number encryption Salz, Rich
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mike Bishop
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mike Bishop
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Salz, Rich
- Re: Packet number encryption Eric Rescorla
- Re: Packet number encryption Eric Rescorla
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Eric Rescorla
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Ian Swett
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Salz, Rich
- Re: Packet number encryption Ian Swett
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption David Benjamin
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Deval, Manasi
- RE: Packet number encryption Deval, Manasi
- Re: Packet number encryption Victor Vasiliev
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: hardware offload (was: Packet number encrypti… Ian Swett
- Re: Packet number encryption Ian Swett
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Salz, Rich
- RE: Packet number encryption Praveen Balasubramanian
- RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
- Re: Packet number encryption Salz, Rich
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Victor Vasiliev
- Re: hardware offload (was: Packet number encrypti… Christian Huitema
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: hardware offload (was: Packet number encrypti… Eggert, Lars
- RE: Packet number encryption Praveen Balasubramanian
- RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Victor Vasiliev
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Kazuho Oku
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen