Re: Packet number encryption

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Thu, 01 March 2018 19:58 UTC

From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <CAKcm_gMvHSBhpUvsQCCkV2_o+d_wchF3R3L6H8mp6nKNaaRmSw@mail.gmail.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local> <BY2PR15MB07757473DB9788558B902EB5CDF80@BY2PR15MB0775.namprd15.prod.outlook.com> <6E58094ECC8D8344914996DAD28F1CCD861B7F@DGGEMM506-MBX.china.huawei.com> <e529144067624fcba636fc8c24ee3ff4@usma1ex-dag1mb5.msg.corp.akamai.com> <BY2PR15MB07754D83A1721F2BD742359BCDFE0@BY2PR15MB0775.namprd15.prod.outlook.com> <2CD9DC43-D69B-43F0-8474-DFE798850A52@akamai.com> <CAGD1bZaUuNxqpDkn62B0wWcFD8=mCUWrAwWGG-rAOxH7Mf1=cQ@mail.gmail.com> <CY4PR21MB01334E30C7AF6AE75F58EEFDB6FE0@CY4PR21MB0133.namprd21.prod.outlook.com> <CAGD1bZaxrqzdkk0wxRaULwOTgg6wnrSrXNBK31s4uxdozaACBA@mail.gmail.com> <CAGD1bZbOAaSBcQw4nVtGuwRunaAW8MYHq9yPxNN6DdKHzt5HtQ@mail.gmail.com> <2102BDC2-62C0-4A76-8ADE-8167437E2D07@trammell.ch> <CAN1APde6o6=aCXuWajPFSU=jXv-ERdVHk=uyjM71uQ_uU-oMTg@mail.gmail.com> <8e833029-68b5-2787-3897-a0f7818a259f@tik.ee.ethz.ch> <1de39727-eeec-0e7a-1e8b-5ed50433c5bd@cs.tcd.ie> <MWHPR08MB2432D0216BC8FE1B0D9E3690DAFD0@MWHPR08MB2432.namprd08.prod.outlook.com> <CAGD1bZauKbucs_5n7RQbK8H2HiyfiqpGVEcKreGA6umhMBSFgg@mail.gmail.com> <CABcZeBPNrc-9vANSH02r++p53s6gN4pVB8DMd80nUxOhKTp3dA@mail.gmail.com> <CAKcm_gMvHSBhpUvsQCCkV2_o+d_wchF3R3L6H8mp6nKNaaRmSw@mail.gmail.com>
MIME-Version: 1.0
Date: Thu, 01 Mar 2018 14:58:34 -0500
Message-ID: <CAN1APddA3KDR+fFayxHzSU=2sBcDOWmvo1xAhRA9=tfeAvyv4g@mail.gmail.com>
Subject: Re: Packet number encryption
To: Eric Rescorla <ekr@rtfm.com>, Ian Swett <ianswett@google.com>
Cc: Jana Iyengar <jri@google.com>, QUIC WG <quic@ietf.org>, Roberto Peon <fenix@fb.com>, Mike Bishop <mbishop@evequefou.be>, "Salz, Rich" <rsalz@akamai.com>, "Brian Trammell (IETF)" <ietf@trammell.ch>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Lubashev, Igor" <ilubashe@akamai.com>, Praveen Balasubramanian <pravb@microsoft.com>
Content-Type: multipart/alternative; boundary="001a1140444af11ba105665f482d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/_6fyB9AindxDwrS1o8eKbq2YI7U>
Precedence: list

While considering some redundancy scenarios it occurred to me that packet
number encryption could interfere with integrity checks in middleware and
in cooperating servers:

A server might forward a packet only if it passes an integrity check.

AES-GCM encodes it tag based on the cipher text. This means that it is
possible to verify packet integrity without decrypting the packet first.
This not necessarily true for all schemes, but servers might rely on having
AES-GCM.

It might be relatively easy to decrypt a packet number considering that you
need a key to verify a GCM tag anyway, but it does depend on the final
implementation.

It is possible to verify the tag without being able to decrypt the content
because GCM splits the traffic key into an encryption key and a GHASH key H
provided that H and IV is available. This does not in itself prevent
content manipulation, but it does prevent reading the data in clear text.
One could also imagine other encryption schemes not found in TLS 1.3 better
suited for such tasks.

In either case, packet number encryption would interfere with such
validation unless the output of the encryption is the IV used for that
packet, or the clear text content is leaked.


Kind Regards,
Mikkel Fahnøe Jørgensen


On 7 February 2018 at 02.05.27, Ian Swett (ianswett@google.com) wrote:

Thanks Jana, I think this is a nice framing of the problem and discussion.

On Tue, Feb 6, 2018 at 7:13 PM, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Tue, Feb 6, 2018 at 3:00 PM, Jana Iyengar <jri@google.com> wrote:
>
>> I'm going to try a different attempt at moving towards
>> convergence. Thinking about this some more, and picking up something that
>> Mirja said way earlier in this thread, I think the following decomposition
>> is useful.
>>
>> 1. In the transport, all packet numbers start at 0, increasing
>> monotonically. ACK frames carry these packet numbers, and therefore do not
>> have to span large gaps and do not have to deal with increases in the size
>> of the largest acked. Basically, no gaps are visible within the transport
>> processing engine.
>> 2. Before sending a packet on the wire, and before processing the packet,
>> QUIC transforms the packet number with some function, replacing the visible
>> packet number with the transformed value.
>>
>> I think we can all agree that (1) is goodness. A sender is also free to
>> use packet numbers from non-contiguous spaces here FWIW, but that's
>> entirely independent of what's visible on the wire. This helps me separate
>> transport processing complexity from the rest of it, which I think is
>> helpful.
>>
>> I think we are disagreeing on the precise properties we want from the
>> transformation in (2). If we can agree on these properties, we can then
>> figure out whether it's possible and how to construct such a transform.
>> Here's a union of what folks are concerned about:
>> 1. Packet number must be unlinkable across connection ID change (for
>> migration.)
>> 2. Packet number must start at an arbitrary value, to avoid ossification
>> of the first packet number.
>>
> 3. Some sequencing information -- a few bits of the packet number perhaps
>> -- should be revealed (for monitoring. Number of bits TBD.)
>>
>
> I'm not sure I am persuaded of this point
>

Yes, I think this seems like the largest point of contention, and #4 is the
second largest concern.  Given that, I think it makes sense to try to
resolve #3, if that is possible.


> -Ekr
>
>
>> 4. Any packet number transformation should not be compute intensive.
>>
>> I'm not looking for a construction, but I'd like to agree on the problem
>> first. Does this sound like the set of properties we want? Or is there a
>> contradiction among these properties that I'm not seeing?
>>
>> On Tue, Feb 6, 2018 at 9:56 AM, Mike Bishop <mbishop@evequefou.be> wrote:
>>
>>> Packet number encryption *does* improve linkability equivalently to
>>> random jumps, but without the fragmentation of the ACK packet which those
>>> jumps otherwise cause.  So I'm with Stephen, we don't yet have agreement on
>>> that assertion.
>>>
>>> -----Original Message-----
>>> From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Stephen Farrell
>>> Sent: Tuesday, February 6, 2018 7:35 AM
>>> To: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>; Mikkel Fahnøe
>>> Jørgensen <mikkelfj@gmail.com>; Brian Trammell (IETF) <ietf@trammell.ch>;
>>> Jana Iyengar <jri@google.com>
>>> Cc: Praveen Balasubramanian <pravb@microsoft.com>; QUIC WG <
>>> quic@ietf.org>; Roberto Peon <fenix@fb.com>; Lubashev, Igor <
>>> ilubashe@akamai.com>; Salz, Rich <rsalz@akamai.com>
>>> Subject: Re: Packet number encryption
>>>
>>>
>>>
>>> On 06/02/18 15:23, Mirja Kühlewind wrote:
>>> >
>>> > It's also my understanding that we do agree that packet number
>>> > encryption does not help likability (and thereby privacy) a lot, or at
>>> > least that the benefits we might get (or not) do not justify the
>>> > additional complexity.
>>>
>>> FWIW, which isn't much, I don't (yet) agree to the above.
>>> I reckon it'll be a while before we know how linkability pans out. I do
>>> agree that packet number encryption is not a panacea for unlinkability, but
>>> it may help, or may even end up being required, to do a good job wrt
>>> linkability.
>>>
>>> I also heard people say it was less complex for them so "additional
>>> complexity" may also not be quite right. (I guess "differently complex" is
>>> correct though.)
>>>
>>> S.
>>>
>>> --
>>> PGP key change time for me.
>>> New-ID 7B172BEA; old-ID 805F8DA2 expires Jan 24 2018.
>>> NewWithOld sigs in keyservers.
>>> Sorry if that mucks something up;-)
>>>
>>
>>
>

Packet number encryption Martin Thomson
Re: Packet number encryption Ian Swett
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Gorry Fairhurst
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Eggert, Lars
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Ted Hardie
Re: Packet number encryption Ted Hardie
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Duke
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Dmitri Tikhonov
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge, UK)
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Piotr Galecki
Re: Re: Packet number encryption alexandre.ferrieux
Re: Packet number encryption Patrick McManus
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Roberto Peon
RE: Packet number encryption Piotr Galecki
RE: Packet number encryption Roni Even (A)
RE: Packet number encryption Lubashev, Igor
RE: Packet number encryption Lubashev, Igor
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Lubashev, Igor
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Willy Tarreau
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Brian Trammell (IETF)
Reducing ossification through protocol design (wa… Brian Trammell (IETF)
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Roni Even
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Roberto Peon
Re: Reducing ossification through protocol design… Gorry Fairhurst
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Kazuho Oku
RE: Packet number encryption Roni Even (A)
Re: Reducing ossification through protocol design… Mirja Kühlewind
Re: Reducing ossification through protocol design… Salz, Rich
Re: Reducing ossification through protocol design… Mirja Kühlewind
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
RE: Reducing ossification through protocol design… Mike Bishop
Re: Packet number encryption Jana Iyengar
Re: Packet number encryption Jana Iyengar
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Ted Hardie
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Marten Seemann
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Marten Seemann
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Gorry Fairhurst
Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
RE: Explicit measurability in the QUIC wire image… Roni Even (A)
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Stephen Farrell
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
RE: Packet number encryption Mike Bishop
Re: Packet number encryption Jana Iyengar
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Eric Rescorla
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Ian Swett
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Martin Thomson
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Marten Seemann
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Martin Thomson
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Packet number encryption Brian Trammell (IETF)
RE: Packet number encryption Praveen Balasubramanian
Re: Explicit measurability in the QUIC wire image… Christian Huitema
Re: Explicit measurability in the QUIC wire image… Christian Huitema
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Packet number encryption Victor Vasiliev
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Ian Swett
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Ian Swett
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption David Benjamin
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Deval, Manasi
RE: Packet number encryption Deval, Manasi
Re: Packet number encryption Victor Vasiliev
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: hardware offload (was: Packet number encrypti… Ian Swett
Re: Packet number encryption Ian Swett
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Praveen Balasubramanian
RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Victor Vasiliev
Re: hardware offload (was: Packet number encrypti… Christian Huitema
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: hardware offload (was: Packet number encrypti… Eggert, Lars
RE: Packet number encryption Praveen Balasubramanian
RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Victor Vasiliev
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen