Re: Forgery limits in QUIC

Florentin Rochet <florentin.rochet@uclouvain.be> Fri, 01 May 2020 19:51 UTC

To: quic@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/_C-NkyqpiVLYTUQ22GkvWoFuFHY>

Hi Martin,

On 01.05.20 08:14, Martin Thomson wrote:
> OK, I thought this would be easy.  I was wrong.  But it still might be easy.
>
> The draft currently defines four AEAD functions.  We have a good analysis for three of those functions.  We lack an analysis of the last.  That is AEAD_AES_128_CCM.
>
> It turns out that we never really had a good analysis of CCM.  TLS 1.3 conveniently fails to say anything about it.
>
> My suggestion is that we remove CCM from QUIC until we have an understanding of its robustness against confidentiality attacks with multiple successful applications of protection AND integrity attacks with multiple forgery attempts.  We need to base our recommendations about limits on something more than what we have now.
>
> I realize that this is a fairly dramatic change, but I think we need to hold our ciphers to a high standard.  I will attempt to find an analysis myself, as I would expect it to exist, but I have a poor history of success finding the right cryptographic paper.

Maybe this formal analysis of CCM helps: 
https://link.springer.com/content/pdf/10.1007/3-540-36492-7_7.pdf

It dates from 2002, so you might also want to dive into the papers 
that cite this one. The security bound on integrity is a birthday bound 
(AES might be called max 2^64 times).

Best,

Florentin


>    If anyone is able to provide pointers, that would be appreciated.
>
> On Fri, May 1, 2020, at 14:45, Martin Thomson wrote:
>> I have just opened https://github.com/quicwg/base-drafts/issues/3619
>>
>> tl;dr We need to recommend limits on the number of failed decryptions.
>>
>> I am now working on a pull request to add this to the spec.
>>
>> I realize that we're nearing the end, but this is an important security
>> improvement and the result of some good work by cryptography
>> researchers, who have done a lot to improve our confidence that QUIC
>> can deliver on its promises of providing confidentiality and integrity.
>>
>> A big thanks to Felix Günther, Marc Fischlin, Christian Janson, and
>> Kenny Paterson for their work on this.
>>
>>