IETF Logo Mail Archive

Re: KEYS_READY

Martin Thomson <mt@lowentropy.net> Thu, 14 February 2019 02:12 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C976D130E8B for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 18:12:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=I5ci4EKI; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=pQQYjhy1
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t12TskFgucxz for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 18:12:43 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CA70124B0C for <quic@ietf.org>; Wed, 13 Feb 2019 18:12:43 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 85FD720EF7; Wed, 13 Feb 2019 21:12:42 -0500 (EST)
Received: from web3 ([10.202.2.213]) by compute1.internal (MEProxy); Wed, 13 Feb 2019 21:12:42 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=message-id:from:to:cc:mime-version:content-transfer-encoding :content-type:references:subject:in-reply-to:date; s=fm1; bh=qG0 wFSjiuDX+xVEQ5bpc5eb/uthBIkMq7NWZMVK0gL0=; b=I5ci4EKIjFQeRrkMqRi tIQWvbOlxGQxiBW6MfJPu8lqGdBYsaH1b+rGjWN4HM47ry3bAGucrjQX5f16y9Q7 k7MgSJqkBrLSeItq1txYw2R3TCjA1sMtMhfH3KVIcWmoMNuI2OAf8o14ysZjJWu1 zgcHmOi722zy8d9kAz1wXLTI1EiEOAM6V8iTedpLKnh/C+h7LejeLzlOkyw8dZrF Mgokptq+bmboyXKLjcUxisZBnpPlgWVxCpHTIgf6LvLvmJ7/fqQbz90qI7F+jmnU WG7dfTt0TEruDP3s35Y4t4DZi8xf9Nr4l/VpE5zqQmGXIRtVCi3etjeIj3g0nT3N O5w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=qG0wFSjiuDX+xVEQ5bpc5eb/uthBIkMq7NWZMVK0g L0=; b=pQQYjhy1YBlf25LtKBVHSFrIUrxNIdjMGuIOG4OiaxuiMofSh2zyrkGhx EfikXqi7KFHmSs7yD26/fDSiqW1UqGIZl2y2Ajvz6Wl0dwNLqJF6orR0lk4gH2SZ VsTWwuMwXC2Z3HTEaroDis182TXy5o6LKgM6tUWndm3qaQx+pLc68P1liaZBghhI aC7iJ2/C66F4I/TJBMVOmcbNeCLt/tklgJmpY8Z85Z5IoXo6846/Xbrz1HGdjLpC EdfiLBSUmmaSFd7b3jXcFxy+4LgwXAKHKe2KZjYNOeCIwqe1rIYbhusAcrC6lJmd h/uw6gkRmDFi3TGWWfhZxNvupd3Qg==
X-ME-Sender: <xms:ms5kXEVhkfWx7qbU_iAgTTl4bNoyR1ZdakxXIq_VBODkIB84HRpLzw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledruddtgedggedvucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef tddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefkhffvggfgtg fofhfujgffsehtqhertdertdejnecuhfhrohhmpeforghrthhinhcuvfhhohhmshhonhcu oehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucfrrghrrghmpehmrghilhhfrhhomh epmhhtsehlohifvghnthhrohhphidrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:ms5kXDcdIWBCNyQqd_EpKI0o0epyVxZ9-N9n3k3BVAbp7UqEK021OQ> <xmx:ms5kXLT28HB-LbJoCzsNFRczbzWJBBmKyO6wO6LU17XenjTAgzc3WQ> <xmx:ms5kXNB30OQD0nlMpQMUtaOHyffj4fxCPgwJJAC6NRZybK6vwz7JQA> <xmx:ms5kXO66LMzqMk1obz80WAKUwFMziqG6ZWG6cJyAaHLsIwRI00TPWw>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 17CDF9E54B; Wed, 13 Feb 2019 21:12:42 -0500 (EST)
Message-Id: <1550110362.3709205.1657632872.1AF4106B@webmail.messagingengine.com>
From: Martin Thomson <mt@lowentropy.net>
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, Kazuho Oku <kazuhooku@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-e97eb308
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com> <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com>
Subject: Re: KEYS_READY
In-Reply-To: <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com>
Date: Thu, 14 Feb 2019 13:12:42 +1100
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/agw7sDeu32GwYFTIZwYKVhN49h0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 02:12:45 -0000

On Wed, Feb 13, 2019, at 19:36, Mikkel Fahnøe Jørgensen wrote:
> I think the first option with anonymous KEY_READY has a problem with
> idempotency as well as tying state to retransmission logic. This means that
> naive retransmission of packet content in a new packet number is no longer
> valid, and likewise, naive processing of a frame that passes authentication
> is also no longer possible. That is a strong principle break and I don’t
> think the minor simplicity of a label-less KEY_READY frame can justify that
> (even if one ought no do such naive transmission).

I don't see this is a strong break with principle.  Like ACKs, KEYS_ACTIVE/KEYS_READY is tightly bound to the associated logic.  With ACK, it's packet receipt, here it's the keys you use for protecting/un-protecting packets.  In processing a KEYS_ACTIVE frame, you check what the most recent keys you have for reading and writing.  If they are the same, then you set the "can key update" flag on.  If the read keys are ahead of the write keys, then you have an error.  It doesn't require an active connection to the packet protection logic other than that.

> The text mentions that the updated key depends on the current traffic key
> with reference to TLS 1.3. From reading this naively, it sounds like
> forward secrecy is lost, which I am sure it is not.

This isn't relevant to this discussion, but I encourage you to read draft-irtf-cfrg-re-keying which goes through the various trade-offs of rekeying designs.  TLS 1.3 has text on this also, and QUIC shares that design.
 
> Finally, this is just a high level view. I find the overall text hard to
> understand, notably because it is not crystal clear whether the two
> endpoints update their transmission keys in sync with the ready keys, or if
> the (currently implicity) key phase counters can count independently.

If you have more specific comments (the one about read keys is a good one), I'll take those on the PR.
 
> That said, I like the idea of an explicit READY frame, and i probably would
> also like and explicit handshake ready frame, if it isn’t effectively the
> same thing, and if it is, perhaps formalise that.

We're working on that as the next step.

v2.23.0 | Report a Bug | By Email