IETF Logo Mail Archive

Re: Getting to consensus on packet number encryption

Christian Huitema <huitema@huitema.net> Tue, 17 April 2018 18:59 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02D6E12D95F for <quic@ietfa.amsl.com>; Tue, 17 Apr 2018 11:59:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wnhizbdWtQXS for <quic@ietfa.amsl.com>; Tue, 17 Apr 2018 11:59:14 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16DD1127909 for <quic@ietf.org>; Tue, 17 Apr 2018 11:59:14 -0700 (PDT)
Received: from xsmtp01.mail2web.com ([168.144.250.230]) by mx37.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1f8Vos-0003om-7K for quic@ietf.org; Tue, 17 Apr 2018 20:59:11 +0200
Received: from [10.5.2.52] (helo=xmail12.myhosting.com) by xsmtp01.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1f8Voq-0006dy-CA for quic@ietf.org; Tue, 17 Apr 2018 14:59:08 -0400
Received: (qmail 23089 invoked from network); 17 Apr 2018 18:59:06 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.56.42.78]) (envelope-sender <huitema@huitema.net>) by xmail12.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 17 Apr 2018 18:59:06 -0000
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: "quic@ietf.org" <quic@ietf.org>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <047d2ff0-ff8b-64c9-8983-0ecabeb9fea5@huitema.net> <B0F49097-F77A-4831-B68B-4266AA880A86@tik.ee.ethz.ch> <74E2F5C2-66AD-4902-8A4A-E481CC0A015C@fb.com> <75050158-3812-44F1-A01E-D70EED7FDFD6@tik.ee.ethz.ch> <BY2PR15MB0775B4ACF7DB9124E89016F0CDB00@BY2PR15MB0775.namprd15.prod.outlook.com> <c8e60ba4-d6be-c4fc-5bac-d569a28fb4e8@huitema.net> <CANatvzx=1a+7FHbMVBzEMEY4cODL0N5gELt02dofvQDgz=LaAQ@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Message-ID: <1412f856-5eaf-1c7a-266f-2b4d77355647@huitema.net>
Date: Tue, 17 Apr 2018 11:58:58 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CANatvzx=1a+7FHbMVBzEMEY4cODL0N5gELt02dofvQDgz=LaAQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Subject: Re: Getting to consensus on packet number encryption
X-Originating-IP: 168.144.250.230
X-AntiSpamCloud-Domain: xsmtpout.mail2web.com
X-AntiSpamCloud-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-AntiSpamCloud-Outgoing-Class: unsure
X-AntiSpamCloud-Outgoing-Evidence: Combined (0.54)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5mCWEWvzJWIliBsvjgr9231602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO37pNwwF1lRXh5rzvPzo9Jts1ujulqUFmMITHM77eiViSl8/m5x/t9e5a8VLcvu9687i TvJ2/ZGzVWB9scFAaCdIFaUvXN+CI+RGy3Me16pB1c1FPznmLv13i1NL5aXaHx/TBCf6oYXAWGet lavcAjD9ytQxIHf9lN5jjLJaPK8lRJSPf/SXbEnDSsal/zZzc4n9VZdr7RAFD5mRwooUYhwMPaBP aKeQW+/QlaOdv8isl/qMm08Zpim2AHUKEWvQ6G/bWfgucjnNmABpGhD9TTttrFCuZ0NkwnSz2Luu o1u9uevuNfM1HjkNEFwape+IgNezYqxGMqsKjARq8PBC4qjpVMhqNcdjhoIlgrKzBvjTmdySlZou 9qHIGOZDEEo7Oyc1nq0gsY582CWqKjiRB3ukywmZtiDkyd4mEBjJGGEJgawbllbHk+xyUKopM6rc KCaQX/lIXcRWtobViGg9fpU1moK5+umQAfdUHagyvOVYknoPWk5MqTqGy8eyW1C49Ln4bjYtAivC cFEEK40iaDBz1HQkoj+jjvmw3UQ3Zextr+7/jg66NXUoieIpLIJirIV7hPvBDpgDmC+XXO9ws5qS dbWrmlMqpoC2dVXCySAV5ZxrRnRt4PqMzH3k7hTkr1YE7tCqypI5WX0qWh4YQLAmBiF3PbpKUeSn XrfzBBAqbr8Ks0SqCpRWIiXMtOo8/pI8jnU4taLGlA8rnD8bXLVBfU8ctw02+BCtWDMNtlI8QKHY 6H+wSCoVvwvquzDDiBiyp9ZnkUf43DmQkwMxjMGYdub/YU/cH64QiTAnRDmAKMFEHS3+vt/Njsed NDmPw/Ld14/y82ebPziYNS9mrGcHWFhVQvKDd9aHm1tzPaYBnxycJOQKmrvtOUL1jquCMfd5HnMi k4ibTRVHi8subW0=
X-Report-Abuse-To: spam@quarantine6.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/FSgYmPHP7If1w-Ou0VKSDxNcvmM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Apr 2018 18:59:17 -0000


On 4/16/2018 11:15 PM, Kazuho Oku wrote:
> Hi Christian,
>
> Thank you for writing the wonderful summary.
>
> Reading it, I think that I now see two issues with the alternative
> approaches that use a weaker cipher (i..e. alternative PN encryption,
> 64bit encrypted PN).
>
> > We can argue that the algorithm does not have to be as robust as
> AES.. The main requirement is to prevent real time analysis of
> sequence numbers by middle-boxes. This is achieved as long as the
> encryption key cannot be retrieved in a short time by the
> middle-boxes. If they could do that, we would be once again on the
> path to ossification. XOR and simple obfuscation probably don't meet
> that goal, but IPCrypt probably does, and a more robust algorithm
> certainly would.
>
> As you state, it is true that preventing real time analysis is
> important. But are we sure that we do not need to consider offline
> attacks? I would be interested in arguing about the other requirement
> than ossification: privacy.
>
> A pervasive monitor might collect CIDs and encrypted PNs that were
> being used, and then use the encrypted PNs as a source to correlate
> CIDs to reconstruct a QUIC connection. Are we sure that a weak cipher
> does not leak such trace?

Yes, you are right. The argument about tolerating weak algorithms only
applies if we have another solution to prevent linkability, such as
different sequence numbers and encryption keys for each Connection ID.
So it comes with a high cost in term of software complexity.


>
> Considering that, I think that the alternative approaches should have
> per-CID PN encryption keys, even though I am not sure if there are no
> other privacy-related issues.
Yes.
>
> The other issue is about crypto agility. #1179 has agility in sense
> that the corresponding CTR mode is used for encrypting the PN. OTOH,
> the two alternatives using a simple cipher are not agile. So we might
> need to define two types of simpler ciphers for PN encryption, if
> consider that privacy issues (like the one above) might arise in the
> future.
Yes.  I updated the Wiki page to reflect your comments.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email