IETF Logo Mail Archive

Re: Simple transform for improving PN ossification prevention

Christian Huitema <huitema@huitema.net> Tue, 10 April 2018 07:18 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 528ED126579 for <quic@ietfa.amsl.com>; Tue, 10 Apr 2018 00:18:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b9FZU5C-n4Xx for <quic@ietfa.amsl.com>; Tue, 10 Apr 2018 00:18:22 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19FDE120454 for <quic@ietf.org>; Tue, 10 Apr 2018 00:18:21 -0700 (PDT)
Received: from xsmtp24.mail2web.com ([168.144.250.190] helo=xsmtp04.mail2web.com) by mx65.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1f5nXn-0009Zo-Hk for quic@ietf.org; Tue, 10 Apr 2018 09:18:20 +0200
Received: from [10.5.2.52] (helo=xmail12.myhosting.com) by xsmtp04.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1f5nXE-0001yy-M3 for quic@ietf.org; Tue, 10 Apr 2018 03:18:15 -0400
Received: (qmail 27405 invoked from network); 10 Apr 2018 07:17:42 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.56.42.61]) (envelope-sender <huitema@huitema.net>) by xmail12.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 10 Apr 2018 07:17:42 -0000
To: quic@ietf.org
References: <CY4PR21MB063025EF8B5F228BB242920AB6BF0@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APdfdn8qH+dw9WDO8K6hfBXAMJiE3duom4NPycOLiUnAghQ@mail.gmail.com> <DM5PR2101MB0901BDA387CF7CA119926CAFB3BF0@DM5PR2101MB0901.namprd21.prod.outlook.com> <CAN1APdfLFTmOq_59PRMqJdFzoJOaeqAH+J_zMk133U3FOo97ow@mail.gmail.com> <CAN1APddykmGKoRmJGVe+BygsHgec4n=tgJSt+hrOdX4Ne1gdKg@mail.gmail.com> <CY4PR21MB0630A663DA8595170C9135C1B6BE0@CY4PR21MB0630.namprd21.prod.outlook.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Message-ID: <1537bdf0-c0cc-587c-bd16-39244df431d9@huitema.net>
Date: Tue, 10 Apr 2018 00:17:39 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CY4PR21MB0630A663DA8595170C9135C1B6BE0@CY4PR21MB0630.namprd21.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Subject: Re: Simple transform for improving PN ossification prevention
X-Originating-IP: 168.144.250.190
X-AntiSpamCloud-Domain: xsmtpout.mail2web.com
X-AntiSpamCloud-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-AntiSpamCloud-Outgoing-Class: unsure
X-AntiSpamCloud-Outgoing-Evidence: Combined (0.37)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5qkf05i3xqB7yMNxm8niRpV602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO37pNwwF1lRXh5rzvPzo9Jts1ujulqUFmMITHM77eiVi4okXa374YtaRXoUS8acy6M7i TvJ2/ZGzVWB9scFAaCdIFaUvXN+CI+RGy3Me16pBuzDn5j2tUhjYPVPi3bwTCB/TBCf6oYXAWGet lavcAjD9ytQxIHf9lN5jjLJaPK8lRJSPf/SXbEnDSsal/zZzc4n9VZdr7RAFD5mRwooUYhwMPaBP aKeQW+/QlaOdv8isl/qMm08Zpim2AHUKEWvQ6G/bWfgucjnNmABpGhD9TTttrFCuZ0NkwnSz2Luu o1u9uevuNfM1HjkNEFwape+IgNezYqxGMqsKjARq8PBC4qjpVMhqNcdjhoIlgrKzBvjTmdySlZou 9qHIGOZDEEo7Oyc1nq0gsY582CWqKjiRB3ukywmZtiDkyd4mEBjJGGEJgawbllbHk+xyUKopM6rc KCaQX/lIXcRWtobViGg9fpX1dGJ7HPnOCWRaxVuHANylF8FcHzzV3acxBudgYcInbwbsPAzRm9xw pTi7hmYLiviZ4+t4LK79cWIqQA4tGr3po0jfgLl+Ahd0TIbt0Zij6hgeJ07QR0GiieIKGR3KfdmQ xACKGgjW6av7lJfpYBfZXUaHqdOKLJ13TYQgD1U8MFwBl1z1+w2zS/h3e6UiVRf5Ii9QMXeDgzsK v4AYW3hVzfP/kMb+220rqmNKF5VwAWeqA47D/juB1cx4exzYk7wIdHXqmiNP5dvI77+8YOq/647l NwN4qOsSZg+fYhVZG9EQ9b9YI+9ZsqMLtlmzzH7VwaDsyRiTeu4Ip+KAECko9HdE0Smt1e6HZuGs N7RwePAFMvX7q8M4x6bP/gjzw0OFbIWNJOiaifOc2xlkb46Pa4K5MPGI7fF8+j7E9IwdcQR2aish SbQcCCOvcJLn8v/2OKHH5lr9xXvSM4nM3avg
X-Report-Abuse-To: spam@quarantine6.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/KYAk1kdwgqguP9-_RQ6swHknQYw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2018 07:18:25 -0000

I am not sure that I understand well the limitations of the shuffle
scheme. I am concerned that it smells like encryption, but can be
trivially broken, and if it is broken we will get ossification.

In my spare time, I have been thinking of similar schemes, but they
start with a big assumption: assume that we can encrypt short numbers.
That is, assume for example that we have a reasonable 32 bit encryption
code. I understand that the current such codes are a bit limited, and
that IPCrypt in particular may not be safe, but bear with me please
because of two reasons:

1) With 32 bit numbers, the number of permutations of a set of 2^32
values is much larger than 2**256. It is thus plausible that we can
design a symmetric encryption scheme keyed with a 256 bit or 128 bit key.

2) Designing encryption schemes is hard, but I assume that
cryptographers can come with plausible schemes if we ask them,
especially if we do not insist too much on performance. For example,
given a 32 bit permutation, repeat in a loop "XOR with 32-bit word index
I mod N of Key, then apply permutation" enough times and you get a
pretty reasonable scheme. (IPCrypt had just 3 passes of the loop and a
final XOR; that seemed a bit optimistic; more passes would be harder to
crack; my vote would be for at least 8; it would be more than twice
slower but who really cares?)

The big issue is that the same sequence of PN would repeat after 2*32
packets, but there is an obvious fix to that: rekey after at most 2**31
packets. Bingo, we get people to actually implement key rotation...

The other downside is that packets would be encoded on 4 bytes all the
time. But that might be an OK price for those who really want hardware
acceleration.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email