Re: Questions about Version Negotiation Concerning Possible Handshake Interruption
Lingmo Zhu <zlm2006@gmail.com> Sat, 10 February 2018 10:30 UTC
Return-Path: <zlm2006@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9C9512D86A for <quic@ietfa.amsl.com>; Sat, 10 Feb 2018 02:30:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4c8y_ocKSgsW for <quic@ietfa.amsl.com>; Sat, 10 Feb 2018 02:30:32 -0800 (PST)
Received: from mail-it0-x229.google.com (mail-it0-x229.google.com [IPv6:2607:f8b0:4001:c0b::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4674C12D86C for <quic@ietf.org>; Sat, 10 Feb 2018 02:30:32 -0800 (PST)
Received: by mail-it0-x229.google.com with SMTP id p139so1446926itb.1 for <quic@ietf.org>; Sat, 10 Feb 2018 02:30:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=eq9k9LRg3i+zCLaIpmVWkJMD+kXyzkJHyfu2bnh9ugo=; b=SHGQ4hLdb1aLBQ0j9XB5ouE12YyC1dswfEskerDjNNksfFaw/uNGMCML7fbGocb8Ma 0x8gxsFVS2wOCbVKfe22161bw9N7V91BLGZ+8oqqjuLYvaFSNmKHflFDToAw+UNOCAQz k9EkMqdStTvduiM9FrQX2e249PegjHphNdMGAy2qfrk4OvbaHda739/0o7l3Sh7py4YP fG0Q8oygFKBRnqgtsi/L2knB0/mvLciWaycOeH4MyODNfqYNM3dJfXiafr+eniz8EWWV FfZuvMZwfII+eYAytVXXhfcqJO1WyXMqR7yrnk30Xi0ZgUo9mJb0+b/LR7oHbL2vXPxy D/gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=eq9k9LRg3i+zCLaIpmVWkJMD+kXyzkJHyfu2bnh9ugo=; b=qTVXmA/aDolBjg24aU3lto163/+N4yTUVO03UotaB6X6oVchX3R9951/pW+/jPMDAB NQ1vvoKM8ydtvnTdHPshRizUXoLTcYJftZEU2hl4xBN4tlDbGqBnKrrOjo4jEeTG1eqd 3MNVG8DC6lKz4RBkz/6tlNescjzpeV5j+RPVPzw4r4OjM5LIvF1/zaN7txMa/IZTeuXY 7g3YNuTsylWJTwAoupyn2ggk0U3hkUrozVyenTKODpPEtMN2j3k1SNCTuZvxZLvgvc3H 1qr4L1kmN3JVvzc9ZqqcJGXv3r3DEWienhTRPur4hDNbysbK1Bo+G1ygLvlnls9Y5JNe lZ8w==
X-Gm-Message-State: APf1xPAW8cYENMjte5EH4PI+3flW0MtfPeWQEEbBCAbM1h1CffvQv8Xe D/dXX7K2Lrvc2IyVjh9M9uI=
X-Google-Smtp-Source: AH8x225JAN3ltYYla+3uLf4AMqJAdqhNEdCVxGbdB4SSupG7OuLW1C1GfQEfnJ29wNuvDV9q2Y9XdA==
X-Received: by 10.36.179.14 with SMTP id e14mr7099519itf.139.1518258631529; Sat, 10 Feb 2018 02:30:31 -0800 (PST)
Received: from Justins-MacBook-Pro.local (tk2-262-40902.vs.sakura.ne.jp. [160.16.241.156]) by smtp.gmail.com with ESMTPSA id s20sm5101087ioa.26.2018.02.10.02.30.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 10 Feb 2018 02:30:31 -0800 (PST)
Subject: Re: Questions about Version Negotiation Concerning Possible Handshake Interruption
To: Kazuho Oku <kazuhooku@gmail.com>, alexandre.ferrieux@orange.com, Christian Huitema <huitema@huitema.net>
Cc: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, "quic@ietf.org" <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
References: <1d386744-c46a-842a-b172-24e290e03668@gmail.com> <CABkgnnVRn+1sNZQFB8BZc4VyzN5usLmYJ3xLo+p2uTeW_0Ji_Q@mail.gmail.com> <CAN1APdfpJ0rYPPiOgfcdDRx3noh+YYvJatP0MYTqRRXMBwF6pA@mail.gmail.com> <3d558827-f2a7-877c-e00a-d6a22ef241c5@gmail.com> <CANatvzzZEuJ3TY=+0BMLqbBE5mScG_Jnrypg3xkciykOX78G8A@mail.gmail.com> <CAN1APdfov8Q3E+5NkT5pmMeU=eB=fsnDFe_=BK7TDE0TpXD3yA@mail.gmail.com> <142211e0-c7c9-642f-69ef-5f0d722b77cc@gmail.com> <529ac475-5291-2b2e-acf9-05efe720d584@huitema.net> <6937_1518251684_5A7EAEA4_6937_191_1_5A7EAEA5.2000605@orange.com> <CANatvzz_2BeRns5E-OO=CKKwK66LgMd=3vVCM84_+OAxj8CutQ@mail.gmail.com>
From: Lingmo Zhu <zlm2006@gmail.com>
Message-ID: <d3c8688a-3f01-30b1-a3de-1300a43c1d99@gmail.com>
Date: Sat, 10 Feb 2018 18:30:22 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CANatvzz_2BeRns5E-OO=CKKwK66LgMd=3vVCM84_+OAxj8CutQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/_OTxXyisZC7Jox0bAIV01nIAjY0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Feb 2018 10:30:34 -0000
On 10/02/2018 07:24, Christian Huitema wrote: > > In theory, it should be possible to protect against "man on the side" > attacks. Do some kind of speculative execution on the first packet that > you receive, but also keep the context available for some time in case a > "better" packet comes later. With that approach, the attacker could not > just inject a "packet of death"; they will also need to suppress the > correct response from the actual server. That's an interesting idea. > Have you tried some experiments? No experiments yet but I'd love to. Though my current work is not so related to this field so maybe I'm not professional enough. On 2018/02/10 17:00, Kazuho Oku wrote: > 2018-02-10 17:34 GMT+09:00 <alexandre.ferrieux@orange.com>: >> On 10/02/2018 07:24, Christian Huitema wrote: >>> >>> In theory, it should be possible to protect against "man on the side" >>> attacks. Do some kind of speculative execution on the first packet that >>> you receive, but also keep the context available for some time in case a >>> "better" packet comes later. With that approach, the attacker could not >>> just inject a "packet of death"; they will also need to suppress the >>> correct response from the actual server. That's an interesting idea. >>> Have you tried some experiments? >> >> >> Alternatively, what about a "no fallback" mode for sensitive applications >> like DNS ? > > I agree that providing such an option would narrow the attack window. > The other option is to let the client propose multiple versions and > the server select one, as proposed in my previous mail. > > But even if we do that, there's still the chance of an attacker > injecting a Handshake packet that contains a corrupt ServerHello > message. In such case, the client would fail to complete the handshake > with the server. > > To evade such attacks, a client is required to create a backup of its > TLS context before handling the Handshake packet that might have been > sent from an attacker, so that it could restore the context one the > TLS handshake ends up in an error. > > However, I am not sure if any of the TLS stacks provide such a feature > (personally I would be interested in adding one in picotls, though). > > IMHO even though we want no fallback for service like DNS, in reality that could not be possible for several years due to deploying progress and its critical position (if no fallback, no name resolving would be available if QUIC & TLS connection failed if my understanding is correct). To be cleared, spoofing clear text VERSION NEGOTIATION packet is cheap from my POV so it could be misused easily. I'm not sure but injecting corrupt ServerHello message could be sort of expensive thanks to encryption so I didn't consider that far. So if we still decide to use current version negotiation mechanism, considering only the attack approach using VERSION NEGOTIATION and we hold different contexts for a short period, there would be several cases: * fake VERSION NEGOTIATION with no acceptable versions was sent to the client but the server could accept the QUIC version INITIAL packet used, it could be mitigated by simply wait for a short period. Retry might be applied considering packet lost. * sever actually could not accept any version that the client supported, client would abort the QUIC connection after several retries and that should be expected. * fake VERSION NEGOTIATION with no acceptable versions was sent to the client and the server also rejected the QUIC version with a VERSION NEGOTIATION with acceptable versions, client could try an acceptable version and process the handshake. * fake VERSION NEGOTIATION with acceptable versions was sent to the client and the server could accept the QUIC version INITIAL packet used, things could be tricky. At least two contexts should be hold by the client. If the new version selected by client is not acceptable to server, that could be a better scenario since the original context would simply become the finally negotiated one. But if the new version is also acceptable by server, I'm not sure what would happen. * fake VERSION NEGOTIATION with acceptable versions was sent to the client but the server rejected the QUIC version with a VERSION NEGOTIATION with acceptable versions, things would be really complex. But the downgrade attack mentioned by Mikkel should be tolerant by current verifying mechanism. I'm not sure if we should consider this case. So as a summary, holding original context for a short period should be enough for mitigating the interruption caused by VERSION NEGOTIATION according to the first three cases. But for the remaining misuse cases, it might need further consideration if they should. Lingmo Zhu >> _________________________________________________________________________________________________________________________ >> >> Ce message et ses pieces jointes peuvent contenir des informations >> confidentielles ou privilegiees et ne doivent donc >> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu >> ce message par erreur, veuillez le signaler >> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages >> electroniques etant susceptibles d'alteration, >> Orange decline toute responsabilite si ce message a ete altere, deforme ou >> falsifie. Merci. >> >> This message and its attachments may contain confidential or privileged >> information that may be protected by law; >> they should not be distributed, used or copied without authorisation. >> If you have received this email in error, please notify the sender and >> delete this message and its attachments. >> As emails may be altered, Orange is not liable for messages that have been >> modified, changed or falsified. >> Thank you. >> > > >
- Questions about Version Negotiation Concerning Po… Lingmo Zhu
- Re: Questions about Version Negotiation Concernin… Mikkel Fahnøe Jørgensen
- Re: Questions about Version Negotiation Concernin… Martin Thomson
- Re: Questions about Version Negotiation Concernin… Mikkel Fahnøe Jørgensen
- Re: Questions about Version Negotiation Concernin… Lingmo Zhu
- Re: Questions about Version Negotiation Concernin… Mikkel Fahnøe Jørgensen
- Re: Questions about Version Negotiation Concernin… Kazuho Oku
- Re: Questions about Version Negotiation Concernin… Mikkel Fahnøe Jørgensen
- Re: Questions about Version Negotiation Concernin… Lingmo Zhu
- Re: Questions about Version Negotiation Concernin… Christian Huitema
- Re: Questions about Version Negotiation Concernin… alexandre.ferrieux
- Re: Questions about Version Negotiation Concernin… Martin Thomson
- Re: Questions about Version Negotiation Concernin… Kazuho Oku
- Re: Questions about Version Negotiation Concernin… alexandre.ferrieux
- Re: Questions about Version Negotiation Concernin… Lingmo Zhu
- Malicious Version Negotiation Handling (Was: Ques… Lingmo Zhu
- Re: Malicious Version Negotiation Handling (Was: … Mikkel Fahnøe Jørgensen
- Re: Malicious Version Negotiation Handling (Was: … Eric Rescorla
- Re: Malicious Version Negotiation Handling (Was: … Lingmo Zhu
- Re: Malicious Version Negotiation Handling (Was: … Eric Rescorla
- Re: Malicious Version Negotiation Handling (Was: … Subodh Iyengar
- Re: Malicious Version Negotiation Handling (Was: … Lingmo Zhu
- Re: Malicious Version Negotiation Handling (Was: … Eric Rescorla
- Re: Malicious Version Negotiation Handling (Was: … Christian Huitema
- Re: Malicious Version Negotiation Handling (Was: … Eric Rescorla
- RE: Malicious Version Negotiation Handling (Was: … Lubashev, Igor
- Re: Malicious Version Negotiation Handling (Was: … Christian Huitema
- Re: Malicious Version Negotiation Handling (Was: … Mikkel Fahnøe Jørgensen
- Re: Malicious Version Negotiation Handling (Was: … Spencer Dawkins at IETF