Fwd: Crypto review?
Martin Duke <martin.h.duke@gmail.com> Tue, 14 December 2021 18:52 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63EF93A02BB for <quic@ietfa.amsl.com>; Tue, 14 Dec 2021 10:52:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2uG1nHFXHfLO for <quic@ietfa.amsl.com>; Tue, 14 Dec 2021 10:52:17 -0800 (PST)
Received: from mail-vk1-xa2c.google.com (mail-vk1-xa2c.google.com [IPv6:2607:f8b0:4864:20::a2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE8B63A0147 for <quic@ietf.org>; Tue, 14 Dec 2021 10:52:17 -0800 (PST)
Received: by mail-vk1-xa2c.google.com with SMTP id s17so13118369vka.5 for <quic@ietf.org>; Tue, 14 Dec 2021 10:52:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=rnE5n9T/CsLvbMZiWr8sgBXkIuv7uT/V9zJsO3o+a/4=; b=poQqle46RYkoxzxw9OZb9YzvoS+f609yH9hN0K6G9AZlOhFJeQlox45ccB92pyXTw4 kDpXgQM9IewUPstCc4Z7qnNVMqOPMNjr0vQbrypE9rOvjo0q2inUfcIT6Gyl9x03QeR/ SF5/7/xNDMj9GTuRAc7vxmBYtgrI2dDoFJ8lEeJsPAff+b8X1EWWamdm21XH6RLAzPyb ly4XVu8gXR766WQj393XjIGOaRo9OChPzN7TpDdwrGq+eb4npr2IaUsmGbULYh1nKX8B abXA0WMJRAHdJVLKzy+J6Q8OvY8uN52WoeFT4ktnD/k5cqJh1oQkfGix44jpYqRklKLI 8nEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=rnE5n9T/CsLvbMZiWr8sgBXkIuv7uT/V9zJsO3o+a/4=; b=HMfd1Jrkf11AMyqvxa+nFXU59pQZBWxDTvQsfuGQZPyGsE9kPvk0fx7B3823EzykEs /jZjXYHDiRF5xQJCPTmOMLxAR+eo4Vpej/wFv/I9HWEAVYNxoklQxqW7oSnnlj4wbbd5 rAYZQKzDaLICqcCmhn6GfjQ4VWbyOyJNfOqaOkpT/1eSgJ/qN6xKQ9mzNH/3ALoPqqEA VaUiLRQGks/h0kOKE4TePJB5taQQ3DfxhpOS9ghrfQQ4lOA+XwDEbKU0TF+sCdfChFDn 4tT+TN9mD5VhUvXh3wZgJQd6+lQQiLvvALwEPUY531M/hmnNtsVziI7DXMne46lR2d2p 5CLw==
X-Gm-Message-State: AOAM532IzzQHIa/OwiVnq0AOpK1BKzU9xW027ov5bhYyV//UDizzjFIP aIz68HqvOIAV0jgWsuFaV2vYS7kfd1t34CQOZgXj9bws
X-Google-Smtp-Source: ABdhPJzpToHEvzoop1IsjF61eiN8YK/HlBhmh1CvT8Y1kkI/vUK5xgaHbAT9Twpa9g0pca+2AI9AKhz0hPEZDXL6dm4=
X-Received: by 2002:a05:6122:2005:: with SMTP id l5mr1095714vkd.4.1639507935306; Tue, 14 Dec 2021 10:52:15 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxTYgyFHyz7LhHTQc=1mUUNpR9OnJqiFS0b+bQeEkpVL4A@mail.gmail.com> <YYpqIlhRv4UsH1i9@LK-Perkele-VII2.locald> <52dcf571-1dd3-87eb-5fba-818bde552a00@huitema.net>
In-Reply-To: <52dcf571-1dd3-87eb-5fba-818bde552a00@huitema.net>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 14 Dec 2021 10:52:04 -0800
Message-ID: <CAM4esxTnXb=9KX1114Eaw6FWoR2ZX5-W8WhzkVUe1gXp-TVHLA@mail.gmail.com>
Subject: Fwd: Crypto review?
To: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000172c3b05d31fb07a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/c-ZSK-E7nAnKAt1Ijhd839mWSc8>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2021 18:52:23 -0000
Hello all, it occurred to me that I did not CC the group about the QUIC-LB crypto review. I'll forward a handful of messages so that others can reconstruct the thread. ---------- Forwarded message --------- From: Christian Huitema <huitema@huitema.net> Date: Tue, Nov 9, 2021 at 8:40 AM Subject: Re: Crypto review? To: Ilari Liusvaara <ilariliusvaara@welho.com>, Martin Duke < martin.h.duke@gmail.com> Cc: Benjamin Kaduk <kaduk@mit.edu>, Roman Danyliw <rdd@cert.org> Thanks, Ilari. Comments in line. On 11/9/2021 4:31 AM, Ilari Liusvaara wrote: > On Mon, Nov 08, 2021 at 01:08:16PM -0800, Martin Duke wrote: >> Christian and I have been working on a crypto design in the QUIC WG that >> could use some expert review. Ben Kaduk suggested I ask you two directly. >> Specifically, section 5.2 here: >> >> https://quicwg.org/load-balancers/draft-ietf-quic-load-balancers.html#name-stream-cipher-cid-algorithm >> >> Briefly, this draft encodes a server ID for load balancing purposes inside >> a QUIC connection ID. The encryption is meant to conceal this mapping to >> observers. >> >> Christian proposed the algorithm in Section 5.2 to allow shorter connection >> IDs than the very straightforward block cipher CID in Section 5.3. It's >> three-pass algorithm with some similarities to FFX. >> >> We are moving in the direction of WGLC for this draft. So beyond the >> general suitability of the design in question, if it provides equivalent >> levels of confidentiality to the block cipher design, we're inclined to get >> rid of the latter to simplify things. > > I have some concerns (might be me misunderstanding things) about this > (both cryptographic and other): > > - There are no round constants, so slide attacks might apply (at least I > think symmetric ciphers have round constants due to slide attacks). > Looking at FFX, it does have round constants (using FFX-A2 directly > would not work, because it has 128-bit limit, and cid can be 152). How would you go about adding that? > - This uses three rounds even with non-even split. That might not be > enough. Firstly, non-even split might increase the rounds needed, and > even with even split, fourth round seems to be needed in order to > withstand some attacks (those attacks might not be relevant here > however). FFX-A2 seems to use a lot more rounds. I do not know why, > it does even split and AES should be pretty close to ideal (tho AES > is already known not to be quite indistinguishable from ideal, e.g., > one can not use usual cipher-to-hash constructs with it), so I would > think four rounds would suffice. There is a discussion in one of the FFX appendices. From what I understand, the 12 rounds recommendation in FFX is based on entropy considerations, and I am not sure I understand that correctly. Each round merges entropy from input and key into the rather short target of the round -- say 24 bits for example. Thus, although there might be 64 + 128 bits of input, only 24 buts of entropy are injected, and one would need about (64+128)/24 = 8 rounds to fully inject the entropy. Add the minimum number 3, rounded to 4, and you get 12. As I said, I am not sure I understand that correctly, and I am sure that if we did request 12 rounds developers will just not use this scheme. That said, yes, 4 rounds might well provide more margin than the bare minimum of 3. I am actually concerned of one misuse pattern in which servers use a counter for the nonce, and reset the counter at the beginning of an epoch. The epoch rollover is visible in clear text. Adversaries could collect CIDs generated just after a rollover, and use the knowledge that the nonces will be very small numbers to mount an attack. Same sort of abuse might happen if the server identifiers are taken from a small range of integers. I think that the extra round might provide protection against that. Another protection might be to add some entropy to the nonce. For example, if implementations use a counter, ask them to construct the nonce by xoring the counter with a per-epoch and per-server random number. > - Does this need sharing a key between load balancer and all backend > servers? While sharing keys between LB and an individual backend is > not a big problem, sharing a key with all of them is whole another > thing. Yes, that's an obvious issue, but it is not specific to this scheme -- the straightforward use of AES in 17 bytes CID has the same issue. > - How does reverse routing work? QUICv1 does not support server > migration (due to attacks), so presumably the server part of five- > tuple has to match (unless preferred address is used, but that has > its own serious deployability issues). That part is held by the LB, > so servers would somehow need to send on behalf of the LB. The CID are created by the server, and then passed to the clients. The clients put them in their packets. The LB reads the CID from the incoming packet, decrypts it to retrieve the server-id, and routes the packet to that server ID. LB might cache the CID that have been seen recently to reduce decryption load. We are worried that adversaries find a way to retrieve the server ID associated with a CID, and use that knowledge to attack individual servers in the pool. > - If LB routes on SNI (I expect this to be pretty common), any > connection with unknown version is unrouteable. It seems the only > way to handle that without causing hard failures is for LB to enage > in version negotiation on behalf of sever. This presumably requires > knowledge of all QUIC versions enabled on the server, and support for > all of those. The CID encryption scheme is not used in that scenario. The encrypted CID will only be used in later packets, after the initial handshake and the selection of a server. -- Christian Huitema
- Fwd: Crypto review? Martin Duke
- Fwd: Crypto review? Martin Duke
- Re: Crypto review? Martin Duke
- Re: Crypto review? Ilari Liusvaara
- Re: Crypto review? Martin Duke