IETF Logo Mail Archive

Re: Questions about Version Negotiation Concerning Possible Handshake Interruption

Lingmo Zhu <zlm2006@gmail.com> Sat, 10 February 2018 10:30 UTC

Return-Path: <zlm2006@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9C9512D86A for <quic@ietfa.amsl.com>; Sat, 10 Feb 2018 02:30:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4c8y_ocKSgsW for <quic@ietfa.amsl.com>; Sat, 10 Feb 2018 02:30:32 -0800 (PST)
Received: from mail-it0-x229.google.com (mail-it0-x229.google.com [IPv6:2607:f8b0:4001:c0b::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4674C12D86C for <quic@ietf.org>; Sat, 10 Feb 2018 02:30:32 -0800 (PST)
Received: by mail-it0-x229.google.com with SMTP id p139so1446926itb.1 for <quic@ietf.org>; Sat, 10 Feb 2018 02:30:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=eq9k9LRg3i+zCLaIpmVWkJMD+kXyzkJHyfu2bnh9ugo=; b=SHGQ4hLdb1aLBQ0j9XB5ouE12YyC1dswfEskerDjNNksfFaw/uNGMCML7fbGocb8Ma 0x8gxsFVS2wOCbVKfe22161bw9N7V91BLGZ+8oqqjuLYvaFSNmKHflFDToAw+UNOCAQz k9EkMqdStTvduiM9FrQX2e249PegjHphNdMGAy2qfrk4OvbaHda739/0o7l3Sh7py4YP fG0Q8oygFKBRnqgtsi/L2knB0/mvLciWaycOeH4MyODNfqYNM3dJfXiafr+eniz8EWWV FfZuvMZwfII+eYAytVXXhfcqJO1WyXMqR7yrnk30Xi0ZgUo9mJb0+b/LR7oHbL2vXPxy D/gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=eq9k9LRg3i+zCLaIpmVWkJMD+kXyzkJHyfu2bnh9ugo=; b=qTVXmA/aDolBjg24aU3lto163/+N4yTUVO03UotaB6X6oVchX3R9951/pW+/jPMDAB NQ1vvoKM8ydtvnTdHPshRizUXoLTcYJftZEU2hl4xBN4tlDbGqBnKrrOjo4jEeTG1eqd 3MNVG8DC6lKz4RBkz/6tlNescjzpeV5j+RPVPzw4r4OjM5LIvF1/zaN7txMa/IZTeuXY 7g3YNuTsylWJTwAoupyn2ggk0U3hkUrozVyenTKODpPEtMN2j3k1SNCTuZvxZLvgvc3H 1qr4L1kmN3JVvzc9ZqqcJGXv3r3DEWienhTRPur4hDNbysbK1Bo+G1ygLvlnls9Y5JNe lZ8w==
X-Gm-Message-State: APf1xPAW8cYENMjte5EH4PI+3flW0MtfPeWQEEbBCAbM1h1CffvQv8Xe D/dXX7K2Lrvc2IyVjh9M9uI=
X-Google-Smtp-Source: AH8x225JAN3ltYYla+3uLf4AMqJAdqhNEdCVxGbdB4SSupG7OuLW1C1GfQEfnJ29wNuvDV9q2Y9XdA==
X-Received: by 10.36.179.14 with SMTP id e14mr7099519itf.139.1518258631529; Sat, 10 Feb 2018 02:30:31 -0800 (PST)
Received: from Justins-MacBook-Pro.local (tk2-262-40902.vs.sakura.ne.jp. [160.16.241.156]) by smtp.gmail.com with ESMTPSA id s20sm5101087ioa.26.2018.02.10.02.30.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 10 Feb 2018 02:30:31 -0800 (PST)
Subject: Re: Questions about Version Negotiation Concerning Possible Handshake Interruption
To: Kazuho Oku <kazuhooku@gmail.com>, alexandre.ferrieux@orange.com, Christian Huitema <huitema@huitema.net>
Cc: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, "quic@ietf.org" <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
References: <1d386744-c46a-842a-b172-24e290e03668@gmail.com> <CABkgnnVRn+1sNZQFB8BZc4VyzN5usLmYJ3xLo+p2uTeW_0Ji_Q@mail.gmail.com> <CAN1APdfpJ0rYPPiOgfcdDRx3noh+YYvJatP0MYTqRRXMBwF6pA@mail.gmail.com> <3d558827-f2a7-877c-e00a-d6a22ef241c5@gmail.com> <CANatvzzZEuJ3TY=+0BMLqbBE5mScG_Jnrypg3xkciykOX78G8A@mail.gmail.com> <CAN1APdfov8Q3E+5NkT5pmMeU=eB=fsnDFe_=BK7TDE0TpXD3yA@mail.gmail.com> <142211e0-c7c9-642f-69ef-5f0d722b77cc@gmail.com> <529ac475-5291-2b2e-acf9-05efe720d584@huitema.net> <6937_1518251684_5A7EAEA4_6937_191_1_5A7EAEA5.2000605@orange.com> <CANatvzz_2BeRns5E-OO=CKKwK66LgMd=3vVCM84_+OAxj8CutQ@mail.gmail.com>
From: Lingmo Zhu <zlm2006@gmail.com>
Message-ID: <d3c8688a-3f01-30b1-a3de-1300a43c1d99@gmail.com>
Date: Sat, 10 Feb 2018 18:30:22 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CANatvzz_2BeRns5E-OO=CKKwK66LgMd=3vVCM84_+OAxj8CutQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/_OTxXyisZC7Jox0bAIV01nIAjY0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Feb 2018 10:30:34 -0000

On 10/02/2018 07:24, Christian Huitema wrote:
 >
 > In theory, it should be possible to protect against "man on the side"
 > attacks. Do some kind of speculative execution on the first packet that
 > you receive, but also keep the context available for some time in case a
 > "better" packet comes later. With that approach, the attacker could not
 > just inject a "packet of death"; they will also need to suppress the
 > correct response from the actual server. That's an interesting idea.
 > Have you tried some experiments?

No experiments yet but I'd love to. Though my current work is not so
related to this field so maybe I'm not professional enough.


On 2018/02/10 17:00, Kazuho Oku wrote:
> 2018-02-10 17:34 GMT+09:00  <alexandre.ferrieux@orange.com>:
>> On 10/02/2018 07:24, Christian Huitema wrote:
>>>
>>> In theory, it should be possible to protect against "man on the side"
>>> attacks. Do some kind of speculative execution on the first packet that
>>> you receive, but also keep the context available for some time in case a
>>> "better" packet comes later. With that approach, the attacker could not
>>> just inject a "packet of death"; they will also need to suppress the
>>> correct response from the actual server. That's an interesting idea.
>>> Have you tried some experiments?
>>
>>
>> Alternatively, what about a "no fallback" mode for sensitive applications
>> like DNS ?
> 
> I agree that providing such an option would narrow the attack window.
> The other option is to let the client propose multiple versions and
> the server select one, as proposed in my previous mail.
> 
> But even if we do that, there's still the chance of an attacker
> injecting a Handshake packet that contains a corrupt ServerHello
> message. In such case, the client would fail to complete the handshake
> with the server.
> 
> To evade such attacks, a client is required to create a backup of its
> TLS context before handling the Handshake packet that might have been
> sent from an attacker, so that it could restore the context one the
> TLS handshake ends up in an error.
> 
> However, I am not sure if any of the TLS stacks provide such a feature
> (personally I would be interested in adding one in picotls, though).
> 
> 

IMHO even though we want no fallback for service like DNS, in reality
that could not be possible for several years due to deploying progress
and its critical position (if no fallback, no name resolving would be
available if QUIC & TLS connection failed if my understanding is
correct).

To be cleared, spoofing clear text VERSION NEGOTIATION packet is cheap
from my POV so it could be misused easily. I'm not sure but injecting
corrupt ServerHello message could be sort of expensive thanks to
encryption so I didn't consider that far. So if we still decide to use
current version negotiation mechanism, considering only the attack
approach using VERSION NEGOTIATION and we hold different contexts for
a short period, there would be several cases:

* fake VERSION NEGOTIATION with no acceptable versions was sent to the
   client but the server could accept the QUIC version INITIAL packet
   used, it could be mitigated by simply wait for a short period. Retry
   might be applied considering packet lost.
* sever actually could not accept any version that the client supported,
   client would abort the QUIC connection after several retries and that
   should be expected.
* fake VERSION NEGOTIATION with no acceptable versions was sent to the
   client and the server also rejected the QUIC version with a VERSION
   NEGOTIATION with acceptable versions, client could try an acceptable
   version and process the handshake.
* fake VERSION NEGOTIATION with acceptable versions was sent to the
   client and the server could accept the QUIC version INITIAL packet
   used, things could be tricky. At least two contexts should be hold
   by the client. If the new version selected by client is not acceptable
   to server, that could be a better scenario since the original context
   would simply become the finally negotiated one. But if the new version
   is also acceptable by server, I'm not sure what would happen.
* fake VERSION NEGOTIATION with acceptable versions was sent to the
   client but the server rejected the QUIC version with a VERSION
   NEGOTIATION with acceptable versions, things would be really complex.
   But the downgrade attack mentioned by Mikkel should be tolerant by
   current verifying mechanism. I'm not sure if we should consider this
   case.

So as a summary, holding original context for a short period should be
enough for mitigating the interruption caused by VERSION NEGOTIATION
according to the first three cases. But for the remaining misuse cases,
it might need further consideration if they should.

Lingmo Zhu

>> _________________________________________________________________________________________________________________________
>>
>> Ce message et ses pieces jointes peuvent contenir des informations
>> confidentielles ou privilegiees et ne doivent donc
>> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu
>> ce message par erreur, veuillez le signaler
>> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
>> electroniques etant susceptibles d'alteration,
>> Orange decline toute responsabilite si ce message a ete altere, deforme ou
>> falsifie. Merci.
>>
>> This message and its attachments may contain confidential or privileged
>> information that may be protected by law;
>> they should not be distributed, used or copied without authorisation.
>> If you have received this email in error, please notify the sender and
>> delete this message and its attachments.
>> As emails may be altered, Orange is not liable for messages that have been
>> modified, changed or falsified.
>> Thank you.
>>
> 
> 
>

v2.23.0 | Report a Bug | By Email