IETF Logo Mail Archive

Re: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt

Christian Huitema <huitema@huitema.net> Sun, 16 December 2018 00:45 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D657E130E9B for <quic@ietfa.amsl.com>; Sat, 15 Dec 2018 16:45:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I7Zn0pfH6AGi for <quic@ietfa.amsl.com>; Sat, 15 Dec 2018 16:45:53 -0800 (PST)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18D8B130E8E for <quic@ietf.org>; Sat, 15 Dec 2018 16:45:52 -0800 (PST)
Received: from xsmtp01.mail2web.com ([168.144.250.230]) by mx36.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1gYKZ1-0007Y3-T6 for quic@ietf.org; Sun, 16 Dec 2018 01:45:48 +0100
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp01.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1gYKYw-00026E-Kb for quic@ietf.org; Sat, 15 Dec 2018 19:45:44 -0500
Received: (qmail 31992 invoked from network); 16 Dec 2018 00:45:39 -0000
Received: from unknown (HELO [192.168.1.100]) (Authenticated-user:_huitema@huitema.net@[172.56.42.39]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 16 Dec 2018 00:45:39 -0000
To: Eric Rescorla <ekr@rtfm.com>, Kazuho Oku <kazuhooku@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>
References: <154475462982.32005.8870303572182973327.idtracker@ietfa.amsl.com> <CANatvzwbL-NoRK1boZmFkA8kEvJzCQTP26FCh31_c0rRrYvSOw@mail.gmail.com> <CABcZeBNOAw3b504yZ5rV2THroe0K_y-T=_ya8-t0zDC5k6X8+g@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mQENBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAG0J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PokBOQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1a5AQ0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAYkCPgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <98ac8dac-393c-92e4-776c-2c27c55be7a2@huitema.net>
Date: Sat, 15 Dec 2018 16:44:47 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.3
MIME-Version: 1.0
In-Reply-To: <CABcZeBNOAw3b504yZ5rV2THroe0K_y-T=_ya8-t0zDC5k6X8+g@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Content-Language: en-US
Subject: Re: New Version Notification for draft-kazuho-quic-authenticated-handshake-00.txt
X-Originating-IP: 168.144.250.230
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.34)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5iF/VrO9+BkjVz0Xq8BoSj1602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO37pNwwF1lRXh5rzvPzo9Jts1ujulqUFmMITHM77eiVi8UZDU9R6jN+77SGHAX9etc7i TvJ2/ZGzVWB9scFAaCdIFaUvXN+CI+RGy3Me16pBpxvnk7PJGygctl3LC86inx/TBCf6oYXAWGet lavcAjD9ytQxIHf9lN5jjLJaPK8l4YBmPrqPoeRXD34azf1rYZv5uZUEePrXZkexHL9EC3AAJAfA 9MMVcQ9WVjD1q+Rbd9IPG/DQ2p+GU04sTuYFs91jhnM/Mbva2XLV/LIEzaKyLm0zESXAkIAT8ZKA DvsGI5uh86ZVnyOrYkLMWyEaRt9fxN2oReTDHAyOynaY0CmHJLVH4DfVNbPXJmiLfub/IRFsicyJ MEhQFtD8PLoiniWmsFByBoXAuCZEyg59LM/9rUJrEbVA84BZVscMTXpbpuxXJTL417vaJWq5kk+j cuidX4Ts4xdG+C13IyWeZaIRAGcxrXh6p78nNqdl8fWv5nvmah7oAQX1Q8bvqOef6xMJRU5ia11I nZK0ERxtWfBqJvBXd7I82n0qpCzrPWiSwKPXNKNk2RVY2K5nyLgw1RWkNIWnHjoiI9QIik6sV5hq 8RGminksXtFq8ejOBuf1PiUt8a2Lj9MmCjDfgJI6+RA1ehb6HWONF4LFnY3FB8iDg5/bq7ChmPMN Ycw1QSmRqSYMcI8appGuNlPDz7lQUxwkBlU/QrN7tBfYXQ/OVk5m4zuNRcgRKiGg7nXFaZTxCXRq rnqpvNj9xYi9OgZhih19I4GlR3I7yPSC6eTb8vy+NTKQHNkjJg8xvPcdYB8XrwJaVYn9nnZjaUrj DGzQ2f27lItOpPwlvQ6ktwDuRituj6ZEfB9v4x8THVh0rVtlyOZYRaCjaXhrY3nerbmurCmoQsay Zkd2YakTHWoyevr4xM5tUrEfL92iWzfzWX2vc1ctxv2vDEIpeWV/lG6Wmg==
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/L7kebBvVcz4ol3RIuJ2VTsNXIOI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Dec 2018 00:45:57 -0000

Quoting the whole message, because it is a nice analysis.

On 12/15/2018 10:50 AM, Eric Rescorla wrote:
> Kazuho,
>
> Thanks for sending this. I think it's a very interesting direction. I have
> some comments below.
>
> DEPLOYMENT MODEL
> It seems to me that there are two models to consider here. In the
> first, the server *only* supports authenticated handshakes (AH) and in
> the second, it supports both authenticated and unauthenticated
> handshakes. In general, I think the second case is far more likely,
> because in general we can't assume that clients can receive the
> ESNIKeys records, and that means that some clients will not use AH.
>
>
> THREAT MODEL
> This leads us directly to the question of the threat model. I assume
> that we have what I termed a Class (3) attacker, which can inject
> packets and will always win the race but cannot delete packets.
> With that, you get the following pattern:
>
>
> Client                  Attacker                Server
>
> CInitial ->
>                         CInitial' ->
>                         CInitial  ->
>                                            <- SInitial
>                         <- SInitial'
>                         <- SInitial
>
> CHandshake ->
>                         CHandshake ->
>                        
> Our objective is to have the handshake survive this treatment. In an
> ideal world, we would cause the server and client to reject X' and
> process X but this isn't possible, with the design you suggest,
> because the attacker can always take CInitial, replace the CRYPTO
> frames with his own and then send it to the server, computing
> a new MAC based on *his* Zx. Note that this won't necessarily have
> the right ESNI but that doesn't matter, because it will have
> the same [SC]CID, and so will cause cause CInitial to be discarded
> when it is received. As far as I can tell, your current design
> does not prevent this. If I'm missing something here, let me
> know [0]


Agreed.

>
>
>
> FIRST CLIENT INITIAL
> It seems like the obvious defense is the one you suggest in S 3.2.2,
> namely to treat each distinct CInitial as its own handshake and create
> separate state on the server for each one. Then this will cause the
> server to send two SInitials, one in response to CInitial and one
> in response to CInitial'. This gives us the diagram below.
>
> Client                  Attacker                Server
>
> CInitial ->
>                         CInitial' ->
>                                            <- SInitialX   //
> Corresponds to CInitial'
>                                            
>                         <- SInitialX'
>                         <- SInitialX
>                                           
>                         CInitial  ->
>                                             <- Sinitial   //
> Corresponds to CInitial
>                         <- Sinitial'
>                         <- SInitial 
>
> CHandshake ->
>                         CHandshake ->
>
> Note that the attacker can duplicate and tamper with any message
> either side sends so because the server sends two SInitials, the
> attacker ends up potentially sending 4.

The suggestion is S 3.2.2. is basically the same as PR 2706: create a
separate server context for each separate CH. Like Kazuho, I think it is
pretty much required for any good defense.

>
>
> SERVER INITIAL FLIGHT
> So, what we need at this point is to ensure that the client rejects
> (a) SInitial', SInitialX' and (b) SInitialX, and accepts SInitial (I'm
> ignoring subsequent Initial packets from the Client at this point),
> but I'll get there shortly. Rejecting SInitial' happens automatically
> in your design. The attacker doesn't have Zx and so SInitial' will not
> deprotect correctly.
>
> Rejecting SInitialX is harder, but I think can be fixed by mixing
> CInitial1
> into the the key schedule. I.e., the initial key would be something
> like:
>
>   IS = HKDF-Extract(0xef4fb0abb47470c41befcf8031334fae485e09a0,
>                     Zx)
>  
>   initial_secret = HKDF-Extract(HKDF-Expand(IS, ...),
>                                 F(CInitial))
>
> Where F(CInitial is some sanitized version of CInitial, that is
> invariant under retransmission, perhaps the payload + the CIDs.
> The result of this is that SInitialX and SInitial will be encrypted
> with separate keys (with only the one for SInitial being the one
> that the client expects) and the client will discard SInitialX
> after it fails to decrypt.

We tried to not have rekeying at the client, i.e. keep the same hmac key
throughout the session. The assumption is that the data incorporated in
the "hmac_key" contains something that client and server know, but the
attacker cannot guess. The structure "ClientESNIInner" has that
property, as long as the nonce really is unguessable. Caveats about
random number generation seem to apply. Now it may well be that our
draft refers to "ESNIContents" when in fact it should refer to
"ClientESNIInner". That would be a simple fix.

>
>
> SUBSEQUENT CLIENT INITIALS
> The diagram looks like this
>
> Client                  Attacker                Server
>
> CInitial ->
>                         CInitial' ->
>                                            <- SInitialX   //
> Corresponds to SInitial'
>                         CInitial  ->
>                                             <- Sinitial
>
>                         <- SInitialX'
>                         <- SInitialX
>                         <- SInitial
>                         <- Sinitial'
>
> CInitial2 ->
>                         CInitial2' ->
>                         CInitial2 ->
>
> There are actually two types of subsequent client Initials
>
>
> 1. Those after SH that contain ACKs (and the like) for server
>    Initial.
> 2. Those after HRR
>
> With case (1), we should just rekey off of Initial secret. The server
> can sort out which keys to use based on trial decryption or perhaps
> some extra flag in the packet (probably the second is better).

This gets better if the client switches to using the server chosen SCID
instead of the ICID in the subsequent initials. If we do that, then
there is no ambiguity: Clinitial2 arrives with the SCID chosen by the
server when sending SInitial, and is authenticated using the HMAC key
derived from CInitial.

If we insist that all Initial packets shall have Dest=ICID, then we do
indeed have a problem, and we need to put a unique token somewhere in
the payload. Hash(CInitial) would work.

>
> Case (2) (HRR) is more complicated. Trying to use data in the ESNI
> extension when you're not going to use g^x is tricky (though maybe
> possible), so we could potentially handle this as in case (1). Another
> alternative is to use the same general strategy we used for the
> first Initial and bucket the CInitial1/CInitial2 pairs. This is
> easiest done
> if we force each CInitial2 to commit to a specific CInitial1 (thus
> avoiding
> the need to do combinatoric explosion on the server). You could
> do this by including a hash of CInitial1 in CInitial2. The attacker
> can obviously bind CInitial2' to any CInitial he wants, but he has
> to transmit one message for each, so the result is the same as
> sending N CInitial1s.

That, or sending the messages with dest=SCID instead of dest=ICID.

I think we went back and forth with that idea. I don't quite remember
why we nixed it. Is there a potential deployment issue?


> VERSION NEGOTIATION
> In your design you move version negotiation to the client and forbid
> VN:
>
>    A client MUST ignore Version Negotiation packets.  When the client
>    gives up of establishing a connection, it MAY report the failure
>    differently based on the receipt of (or lack of) Version Negotiation
>    packets.
>
> More concerning, this moves the QUIC version negotiation to the ESNI
> record, which permits downgrade attacks by that server (or anyone who
> controls DNS). We've generally avoided this in TLS ESNI. It could
> be solved by having the true origin sign the ESNIKeys structure
> (as we have discussed for semi-static).
>
> It's worth noting that this is a consequence of QUIC's VN design. With
> the simplified VN design I suggested in PR #2113, you wouldn't have
> this problem: the server would commit to its *minimum* version (this
> is implicit in ESNIKeys already, as it requires TLS 1.3) and then you
> could upward negotiate as expected.

And maybe we should specify that. After all, we are creating a new QUIC
version, so we can just as well have a couple of extra transport parameters.


> [0] Another possibility with your current design is for the attacker
> to tamper with CH, for instance by adding a dummy extension, because
> the ESNI extension doesn't protect all of CH, just g^x. This will
> cause the server's Handshake messages to deprotect incorrectly. One
> could imagine a fix for this if the ESNI extensions covered more
> of the CH.

If the attacker did that, wouldn't the HMAC fail at the server? Also,
isn't that just a variant of CInitial' ?

-- Christian Huitema

v2.23.0 | Report a Bug | By Email