Re: quic and compatibility with cryptographic implementations
Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk> Sun, 26 April 2026 22:26 UTC
Return-Path: <dimitri.ledkov@surgut.co.uk>
X-Original-To: quic@mail2.ietf.org
Delivered-To: quic@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 94FA6E38EB38 for <quic@mail2.ietf.org>; Sun, 26 Apr 2026 15:26:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777242378; bh=xipVVTZgUORjy5uG+o/AWJRK1dUfE4K+l5hq8mQUWTU=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=cRpNYGddwHtsTHQhw1a0lPOwMheFATtQzLO06CYm4qCd/00nV+VgV8tt6duxaea/K 0r9mKLyMD6X6gYDCHF6NmTZmIE5Ousa/m8uTVrZGJ6DyhSwpbiDhLXDQfXim2EsCMm J2UF0Jg9Q8Eok8CuojQQOHOIB9TaRdA5tqO8xhug=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=surgut.co.uk
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJpKyo_C8LCS for <quic@mail2.ietf.org>; Sun, 26 Apr 2026 15:26:17 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id EEEFEE38EB33 for <quic@ietf.org>; Sun, 26 Apr 2026 15:26:17 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-671ae79e617so12301921a12.3 for <quic@ietf.org>; Sun, 26 Apr 2026 15:26:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1777242377; cv=none; d=google.com; s=arc-20240605; b=TE1x5IK0MWaKA2dqE4QLwdHwT3Pcbd9buqUKiTgbyijwabkLRn5dTson8lZ/qBb6Tr LqJTlfD9USF6lO/SNKhf3XwotN7J4xE1MEKRwqd4L4RXgYV52bGBLVAqINSGUDQfKqca brcj6VkbC6f3drISi8XMRcXic+MxJhqpvjo75ez55TgNQsK/DpDYmje9azyViwMj9mMB k5XeiNeCTRXD5m6RJtAeyp0x9QonfBaflkwKMnme21gWdWLlYrp6tFt3vesMY1r35yOI VH/P9kcIwA+iz+lVIDzon4yaEF3hyVjOGNGChFb2oC53qnEAnd49SvIRSjiNHVL7Eurb oq0g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=00voDLSLWCl0q0UyvlnuSeyehF5TTTOMGKBMNo9OncA=; fh=RYT71AC9KNNq3qS9XFnAkQreRjfa6jl8+4vFbrfj67k=; b=HzodfAFeGotoTBxTl8+gZ26f3y/XytR8FweNWZXSwoWDoyqQYm26cn4WnUZAkcBph2 GkYtBuV6MUFCddJds70npwnvAMkz93OlLsKXu2yTzEUgfGaAKpOWm1RobEPvru4QcEv0 sZBkvOhFst5BMooOsklGXwDio9wWFZHDUUD2rFkNAtPqMqtBaPQPYSDw6o4HXqXZHQTx lSv4L4Ig6ViZWDwrjZxiICy1JY9wzrgK8QmfqpRDB0ZplLlqFl+c3A7SdjSBp8+KeVPF pA0JCJz6tGer1bGBWySf3WuQr8KMTdgN8YWB4k9DAh+L4pdM8m5J8Z1vcORZk9fqoS5j T03A==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=surgut.co.uk; s=google; t=1777242377; x=1777847177; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=00voDLSLWCl0q0UyvlnuSeyehF5TTTOMGKBMNo9OncA=; b=LWjl/2QV+eqfDYhH5fBkhZ0SrH+O5+r0kENPrt4vYkIhFC+pUtIImwyaX6LgnqMZg+ ROUkPcsHI/ojBPQYfex8ID8UiPUM1r7x/xWOsIZyxG0TXqCBwwwPTWVbfPLGUm/Nl5k1 p4HA3r7Z/rG9Qy6/Ut1dcRCQCluMjOofiwHH0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777242377; x=1777847177; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=00voDLSLWCl0q0UyvlnuSeyehF5TTTOMGKBMNo9OncA=; b=SQdy/h71ib1SeldbN9jEHYmWEjPreNBGV6zIXV4Iy7oDf51+82ePAK1jRyV+SmLLSP PVUEjSRKvtvqpQ1ehrYHlSBcRPFOuQibPmDtTWytpKFECKWPzmaMZOCuTH7FA0CvbELL fJvn6qhXe9F+HYlD16BEpV+6HrRAr4/vAmehhp56CkClP32EQ+PrTIyASltikc6bW+eh dnqhJyh4biT9vNNf1/MmWlipkb9f8A4hbEDaYL3K0APo75UCPSb/tbBL9vn49Lq+5056 1xy1o07qpTHeB+5oYXwu6AquTrPcv4qHQLzqucX4nATkZ95zpdDp5VC1nQONAMzoxyZj vY2A==
X-Gm-Message-State: AOJu0YyRIBoUeew+42pFCpiDBA8QOkCClsZwgAVwpkchJVsxRFUpn3Mj LdfSHQtXzZ7jPxMTlygla0Yzt/Gep9oF9tjZhGtNPIFXTW0Q9ipl0Z+7fS/Uf2hMhExh0Qt47ku hLK1Ahp35Bz92hCp9N4TEAth05mwifPHU951auS25EAhGlm8qjzKQ1NaneQ==
X-Gm-Gg: AeBDiesQnWiiaqsJmozSs+h5yIr63RNluQ28SHs12IFBomavzFn2nhX5K0B192GtgBO Bex3TxGz7cqx5UfMbF0KH29w3HVvlGjwCh5LeXBBBoeBM/mkUmdZ0/WGKoNEGe5lXA2AMyBR/ce nTxS4yCDa5X0TjVuj8YVtosQ40x2w4P3RIcStWX4FR9t8yjj2OYpGsZ8ZV2VbV4ZIdAecCfknxR pB8OyPlYY76c/i+EXqJ2wwvrAltj+bHIIE4ZpgNolqY/S+F29MNnvHr0vZejeUWsiALqOQL6ZMZ dAKVsRhebFQ00j95Le1codT0Ga6dqJiKelw7m8ZR0yYqPvREbp/lYHuohywq0W4xJUF+U9/LIQ= =
X-Received: by 2002:a17:907:c30a:b0:b9b:7bf8:800b with SMTP id a640c23a62f3a-ba41afe998emr1913816866b.40.1777242376477; Sun, 26 Apr 2026 15:26:16 -0700 (PDT)
MIME-Version: 1.0
References: <CANBHLUhansrJ62U3_YGXeVa3n-hr7H00-bdNXB7D2gaRAGvTHg@mail.gmail.com> <a931377f-7c14-4cc5-a373-70cd96c7bfe3@betaapp.fastmail.com>
In-Reply-To: <a931377f-7c14-4cc5-a373-70cd96c7bfe3@betaapp.fastmail.com>
From: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Date: Sun, 26 Apr 2026 23:26:04 +0100
X-Gm-Features: AQROBzCPbf-lkUeG0hptQGAmcmqV4y_Djzpg1mC1mFzmXrp8MJ1W7N-HGi9kjuU
Message-ID: <CANBHLUgThA4OC_4LAiM8oSPxXJyBWRvSS28SsaWb7upYTSKPkw@mail.gmail.com>
Subject: Re: quic and compatibility with cryptographic implementations
To: Martin Thomson <mt@lowentropy.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: QJMDAYUNG2SVWWGBLT4MLE34HBIEOKYI
X-Message-ID-Hash: QJMDAYUNG2SVWWGBLT4MLE34HBIEOKYI
X-MailFrom: dimitri.ledkov@surgut.co.uk
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-quic.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: quic@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/cyy_dByhiuuNvVfnledr3yaUDaE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Owner: <mailto:quic-owner@ietf.org>
List-Post: <mailto:quic@ietf.org>
List-Subscribe: <mailto:quic-join@ietf.org>
List-Unsubscribe: <mailto:quic-leave@ietf.org>
On Sun, 26 Apr 2026 at 10:02, Martin Thomson <mt@lowentropy.net> wrote: > > On Sun, Apr 26, 2026, at 11:01, Dimitri John Ledkov wrote: > > Would it help with > > interoperability with such strict cryptographic libraries if the > > destination connection ID had a recommended minimum length of 112 > > bits? Note doing so is compatible with the current RFC wording as is, > > without needing a new version and a new salt value. > > While you can ask people to make a value longer than 112 bits, the RFC only requires 64 bits, so those that are not updated might not meet your expectations. So you can ask, but you will likely never cause every deployed implementation to choose 14 byte connection IDs to make your NIST FIPS requirements happy. > > To be clear, this is a use of the algorithms that does not need FIPS certification. We send the keys along with the ciphertext. Though we can't expect every FIPS audit to appreciate this not-so-fine point, the point will remain. Right, thanks. To have cryptographic protection of the initial packets something like the expired "Protected QUIC Initial Packets" draft https://datatracker.ietf.org/doc/html/draft-duke-quic-protected-initial-04 is needed. Without that, the initial packets use cryptography for "good measure" but not as part of approved cryptographic protection. The QUIC cryptographic security relies on the TLSv1.3 handshake that happens after the initial packets. This means initial packet encryption falls under FIPS 140-3 Implementation Guidance 2.4.A which allows these non-approved algorithms (short connection id as IKM in HKDF-Extract and AEAD_AES_128_GCM with externally set IV) as they are either not security relevant or redundant. Similar to how MD5 in TLSv1.0/v1.1 was allowed by the very same implementation guidance. I will ask them to update that guidance to call out QUIC initial packets as allowed in approved mode. Coding wise for OpenSSL it means setting key-check OSSL_KDF_PARAM_FIPS_KEY_CHECK param to zero https://docs.openssl.org/3.6/man7/EVP_KDF-HKDF/#supported-parameters; for Golang it will mean wrapping relevant code computing initial secrets in fips140.WithoutEnforcement https://pkg.go.dev/crypto/fips140#WithoutEnforcement. > > > Has it been considered to upgrade this to AEAD_AES_256_GCM by default? > > No. For the same reason as above, this would not interoperate with existing clients. > Ack. This will remain true, until / if we have something like the expired "Protected QUIC Initial Packets" draft https://datatracker.ietf.org/doc/html/draft-duke-quic-protected-initial-04 published and widely deployed which seems to allow selecting encryption type and keys for the initial packets. -- Regards, Dimitri.
- quic and compatibility with cryptographic impleme… Dimitri John Ledkov
- Re: quic and compatibility with cryptographic imp… Martin Thomson
- Re: quic and compatibility with cryptographic imp… Dimitri John Ledkov
- Re: quic and compatibility with cryptographic imp… Christian Huitema