Re: Forgery limits in QUIC
Martin Thomson <mt@lowentropy.net> Thu, 07 May 2020 09:46 UTC
Date: Thu, 07 May 2020 19:46:24 +1000
From: Martin Thomson <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: Forgery limits in QUIC
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/E1zRSMgYJPCAtPPyzeqy3ML8LU0>
Good news. We saved CCM.

I consider the pull to be ready for review. Felix has validated - and corrected - the analysis. Antoine has promised to double check the numbers. More eyes would be good.

On Fri, May 1, 2020, at 16:14, Martin Thomson wrote:
> OK, I thought this would be easy. I was wrong. But it still might be easy.
>
> The draft currently defines four AEAD functions. We have a good
> analysis for three of those functions. We lack an analysis of the
> last. That is AEAD_AES_128_CCM.
>
> It turns out that we never really had a good analysis of CCM. TLS 1.3
> conveniently fails to say anything about it.
>
> My suggestion is that we remove CCM from QUIC until we have an
> understanding of its robustness against confidentiality attacks with
> multiple successful applications of protection AND integrity attacks
> with multiple forgery attempts. We need to base our recommendations
> about limits on something more than what we have now.
>
> I realize that this is a fairly dramatic change, but I think we need to
> hold our ciphers to a high standard. I will attempt to find an
> analysis myself, as I would expect it to exist, but I have a poor
> history of success finding the right cryptographic paper. If anyone is
> able to provide pointers, that would be appreciated.
>
> On Fri, May 1, 2020, at 14:45, Martin Thomson wrote:
> > I have just opened https://github.com/quicwg/base-drafts/issues/3619
> >
> > tl;dr We need to recommend limits on the number of failed decryptions.
> >
> > I am now working on a pull request to add this to the spec.
> >
> > I realize that we're nearing the end, but this is an important security
> > improvement and the result of some good work by cryptography
> > researchers, who have done a lot to improve our confidence that QUIC
> > can deliver on its promises of providing confidentiality and integrity.
> >
> > A big thanks to Felix Günther, Marc Fischlin, Christian Janson, and
> > Kenny Paterson for their work on this.
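The thread distinguishes two separate budgets for an AEAD: how many packets may be protected under one key (confidentiality) and how many forgery attempts an endpoint may tolerate before the integrity bound is spent. The following is an added illustration of how an endpoint would account for both, written for this page; it is not code from the QUIC drafts, the linked pull request, or any QUIC implementation. The limit values, the class and function names, the choice to reset the confidentiality counter on key update while the failed-decryption counter spans the whole connection, and the two resulting actions (update keys versus close the connection) are all assumptions of the example, not something this message states.

```python
"""Added example: endpoint-side accounting for AEAD confidentiality and
integrity limits. Not from the QUIC drafts or any implementation; limit
values and counter semantics are assumptions made for illustration."""

from typing import Dict, List
from dataclasses import dataclass


class AeadLimitReached(Exception):
    """Integrity limit exceeded: the connection must be closed."""


class KeyUpdateRequired(Exception):
    """Confidentiality limit reached: no more packets may use this key."""


@dataclass(frozen=True)
class AeadLimits:
    confidentiality: int  # packets that may be protected under one key (assumed)
    integrity: int        # failed decryptions tolerated per connection (assumed)


class AeadUsageTracker:
    """Tracks both counters for one endpoint of a connection.

    Assumed semantics: the confidentiality counter is per key and resets on
    key update; the integrity counter covers every key the connection has
    used and never resets, since each forgery attempt spends the same budget.
    """

    def __init__(self, limits: AeadLimits) -> None:
        self.limits = limits
        self.protected_with_key = 0
        self.failed_decryptions = 0
        self.key_phase = 0

    def before_protect(self) -> bool:
        """Account for one packet about to be protected.

        Returns True when this packet exhausts the current key, meaning the
        caller must update keys before protecting another packet.
        """
        if self.protected_with_key >= self.limits.confidentiality:
            raise KeyUpdateRequired("current key exhausted; update keys first")
        self.protected_with_key += 1
        return self.protected_with_key == self.limits.confidentiality

    def key_updated(self) -> None:
        """Flip the key phase and start a fresh confidentiality budget."""
        self.key_phase ^= 1
        self.protected_with_key = 0

    def after_unprotect(self, authenticated: bool) -> None:
        """Account for one received packet; raise once forgeries exceed the limit."""
        if authenticated:
            return
        self.failed_decryptions += 1
        if self.failed_decryptions > self.limits.integrity:
            raise AeadLimitReached(
                f"{self.failed_decryptions} failed decryptions exceeds "
                f"the integrity limit of {self.limits.integrity}")


def simulate(limits: AeadLimits, events: List[str]) -> Dict[str, object]:
    """Replay a constructed sequence of 'send', 'recv_ok' and 'recv_bad' events.

    Keys are updated as soon as the confidentiality budget is spent, and the
    replay stops at the first event that trips the integrity limit.
    """
    tracker = AeadUsageTracker(limits)
    key_updates = 0
    closed = False
    processed = 0
    for ev in events:
        try:
            if ev == "send":
                if tracker.before_protect():
                    tracker.key_updated()
                    key_updates += 1
            elif ev == "recv_ok":
                tracker.after_unprotect(True)
            elif ev == "recv_bad":
                tracker.after_unprotect(False)
            else:
                raise ValueError(f"unknown event {ev!r}")
        except AeadLimitReached:
            closed = True
            break
        processed += 1
    return {
        "closed": closed,
        "key_updates": key_updates,
        "key_phase": tracker.key_phase,
        "protected_with_key": tracker.protected_with_key,
        "failed_decryptions": tracker.failed_decryptions,
        "processed": processed,
    }


if __name__ == "__main__":
    # Constructed traffic: ten sends, then four forgeries against tiny limits.
    toy = AeadLimits(confidentiality=4, integrity=3)
    print(simulate(toy, ["send"] * 10 + ["recv_bad"] * 4))
```

The point the split makes concrete is that the two counters have different scopes: a key update gives the sender a fresh confidentiality budget, but it does nothing for the receiver's forgery budget, which is why the only safe response to exhausting it is to close.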