Re: Packet number encryption

Eric Rescorla <ekr@rtfm.com> Fri, 09 February 2018 14:08 UTC

In-Reply-To: <CAN1APdf6YkiKzPmR04_9M4L807iZ0Ph=k9Cd8+2Q9rhfnMgORA@mail.gmail.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <CAGD1bZauKbucs_5n7RQbK8H2HiyfiqpGVEcKreGA6umhMBSFgg@mail.gmail.com> <CABcZeBPNrc-9vANSH02r++p53s6gN4pVB8DMd80nUxOhKTp3dA@mail.gmail.com> <CAKcm_gMvHSBhpUvsQCCkV2_o+d_wchF3R3L6H8mp6nKNaaRmSw@mail.gmail.com> <CY4PR21MB0133CCAA6807469BA983D00BB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <CABkgnnW4xr_YzpsvCxaJJgcQdBTuX=Yv735_sdd4VoMfji8mbA@mail.gmail.com> <CY4PR21MB0133C759D4A08A4988B641B2B6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <bdf88936-8edc-d56e-ee59-c9d597058edd@huitema.net> <CY4PR21MB01337C8A700E58B49D90B712B6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <119b3276-5799-1cc3-8982-7479171bbf27@huitema.net> <CAOYVs2pi8-NVuS+crNMfjsP-n5upK3=5tPeQ8OSGpOvL6RTrjA@mail.gmail.com> <CY4PR21MB0133A1117B2733BBCF049C5FB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <MWHPR08MB24327A7BB5AE1AE70FE5CDB1DAF30@MWHPR08MB2432.namprd08.prod.outlook.com> <533a0a2e-3a87-b55f-84ce-c52bc03cd81c@huitema.net> <MWHPR21MB0144C68102972A668611E1FCB6F20@MWHPR21MB0144.namprd21.prod.outlook.com> <CY4PR21MB01332141C3563ABBA240C566B6F20@CY4PR21MB0133.namprd21.prod.outlook.com> <MWHPR08MB2432EAF7D176BBFCA28DF3FFDAF20@MWHPR08MB2432.namprd08.prod.outlook.com> <CAN1APdeUzoxMaA-U6Ls4q_hw1b4BXZzwOCvo2dGm=s8YTokWAQ@mail.gmail.com> <CABcZeBNx4r5kCF8=CUUwmj=SWmTsAEHcMx_RLnKJ0JZ+ZCjnVw@mail.gmail.com> <CAN1APdf6YkiKzPmR04_9M4L807iZ0Ph=k9Cd8+2Q9rhfnMgORA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 09 Feb 2018 06:07:16 -0800
Message-ID: <CABcZeBOchSCZ8u5eY9pvBiMMZZCmXPKBb1thH_V9w9EOZT4G7w@mail.gmail.com>
Subject: Re: Packet number encryption
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Cc: Praveen Balasubramanian <pravb@microsoft.com>, Mike Bishop <mbishop@evequefou.be>, "quic@ietf.org" <quic@ietf.org>, huitema <huitema@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/GGST6MX4DpjcmQdqdTYGDAHXINM>
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>

As far as I know, this is just NIST's judgement of how low a risk of
nonce-reuse has to be in order to be safe. To the best of my knowledge,
there's still no safe level of actual reuse. For that you'd need something
like AES-GCM-SIV.

-Ekr


On Fri, Feb 9, 2018 at 6:05 AM, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
wrote:

> On 9 February 2018 at 14.34.17, Eric Rescorla (ekr@rtfm.com) wrote:
>
>
> I'm not sure where you are getting this from. Any nonce reuse at all with
> AES-GCM is catastrophic:
> http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf
>
>
> I read it in a NIST paper I also linked to in another mail here, but it
> appears they have gone back on that based on the Ferguson paper. It now
> says Legacy in the URL, but still shows up prominently in a Google search.
>
> http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
>
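As an added illustration of the "catastrophic" claim in this exchange (an editorial example, not part of the thread and not code from any of the participants): the Go program below, using only the standard library, seals two one-block messages under the same AES-GCM key and nonce and then plays the attacker. From the two sealed outputs alone it recovers the second plaintext by XOR (CTR keystream reuse), and, following Joux's "forbidden attack" from the paper linked above, recovers the GHASH key H from the two tags and forges a valid tag on a plaintext of its own choosing, which Open accepts. The key, nonce and messages are constructed for the example. This is the simplest case, one 16-byte block and no AAD, where recovering H needs only a division and a square root in GF(2^128); with longer messages the attacker has to find roots of a higher-degree polynomial instead, but the outcome is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// fe is a GCM GF(2^128) element: hi = first 8 block bytes, lo = last 8, so SP 800-38D's bit 0 is hi's top bit.
type fe struct{ hi, lo uint64 }

func feFromBytes(b []byte) fe {
	return fe{binary.BigEndian.Uint64(b[0:8]), binary.BigEndian.Uint64(b[8:16])}
}
func (x fe) bytes() []byte {
	out := make([]byte, 16)
	binary.BigEndian.PutUint64(out[0:8], x.hi)
	binary.BigEndian.PutUint64(out[8:16], x.lo)
	return out
}
func (x fe) xor(y fe) fe { return fe{x.hi ^ y.hi, x.lo ^ y.lo} }

// mul is GCM's GF(2^128) multiplication (SP 800-38D, Algorithm 1), R = 0xE1 || 0^120.
func mul(x, y fe) fe {
	z, v := fe{}, x
	for i := 0; i < 128; i++ {
		if y.hi>>63 == 1 { // consume y's bits from bit 0 (leftmost) onwards
			z = z.xor(v)
		}
		y.hi, y.lo = y.hi<<1|y.lo>>63, y.lo<<1
		lsb := v.lo & 1 // v = v*x: shift right once, reduce by R if a bit fell off
		v.lo, v.hi = v.lo>>1|v.hi<<63, v.hi>>1
		if lsb == 1 {
			v.hi ^= 0xE1 << 56
		}
	}
	return z
}

// pow returns x^e for the 128-bit exponent e = ehi<<64 | elo (square-and-multiply).
func pow(x fe, ehi, elo uint64) fe {
	r := fe{1 << 63, 0} // the field's 1 in GCM's bit ordering
	for i := 0; i < 128; i++ {
		r = mul(r, r)
		if ehi>>63 == 1 {
			r = mul(r, x)
		}
		ehi, elo = ehi<<1|elo>>63, elo<<1
	}
	return r
}

// recoverH is Joux's "forbidden attack" in its simplest form: two one-block messages, no AAD,
// same key and nonce. Each tag is C*H^2 xor L*H xor E_K(J0) with the last two terms shared, so
// T1 xor T2 = (C1 xor C2)*H^2. 1/x = x^(2^128-2); sqrt(x) = x^(2^127) is unique in a binary field.
func recoverH(c1, t1, c2, t2 []byte) fe {
	inv := pow(feFromBytes(c1).xor(feFromBytes(c2)), ^uint64(0), ^uint64(0)-1)
	hSquared := mul(feFromBytes(t1).xor(feFromBytes(t2)), inv)
	return pow(hSquared, 1<<63, 0)
}

// forgeTag returns a valid tag for a new one-block ciphertext c3 under the same
// nonce, first recovering E_K(J0) from the observed pair (c1, t1).
func forgeTag(h fe, c1, t1, c3 []byte) []byte {
	h2, lh := mul(h, h), mul(fe{0, 128}, h) // L = len(A)=0 || len(C)=128 bits
	ekJ0 := feFromBytes(t1).xor(mul(feFromBytes(c1), h2)).xor(lh)
	return mul(feFromBytes(c3), h2).xor(lh).xor(ekJ0).bytes()
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Demo seals two 16-byte messages under one (key, nonce) pair (the bug), then plays an attacker who
// sees only the two sealed outputs and knows p1: returns recovered p2, the forgery's plaintext, Open's verdict.
func Demo() (recoveredP2, forgedPlaintext string, accepted bool) {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	nonce := []byte("nonce-reuse!")   // constructed 96-bit nonce, used twice
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	p1, p2 := []byte("transfer $100.00"), []byte("secret: hunter2 ")         // attacker knows p1 only
	s1, s2 := gcm.Seal(nil, nonce, p1, nil), gcm.Seal(nil, nonce, p2, nil) // ciphertext || 16-byte tag
	c1, t1, c2, t2 := s1[:16], s1[16:], s2[:16], s2[16:]
	// Confidentiality: CTR reused its keystream, so C1 xor C2 = P1 xor P2.
	keystream := xorBytes(c1, p1)
	recoveredP2 = string(xorBytes(c2, keystream))
	// Integrity: recover H from the two tags, then forge a message of our choosing.
	h := recoverH(c1, t1, c2, t2)
	c3 := xorBytes([]byte("transfer $999999"), keystream) // attacker-chosen plaintext
	out, err := gcm.Open(nil, nonce, append(c3, forgeTag(h, c1, t1, c3)...), nil)
	return recoveredP2, string(out), err == nil
}

func main() {
	p2, forged, ok := Demo()
	fmt.Printf("recovered P2 %q; forgery accepted: %v; receiver sees %q\n", p2, ok, forged)
}
```

Run it with `go run`; it prints the recovered second plaintext and reports that the receiver's Open call accepts the forged "transfer $999999". Note that the attacker never learns the AES key: H and E_K(J0) are enough to authenticate anything under that nonce. This is what distinguishes a probabilistic bound on nonce collisions (the NIST 2^-32 figure) from a mode that tolerates actual reuse: AES-GCM-SIV, which Ekr mentions, derives the tag from the plaintext and uses it as the counter, so a repeated nonce reveals only whether two plaintexts were identical.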