Re: Security of alternative handshakes

Martin Thomson <mt@lowentropy.net> Thu, 22 April 2021 04:38 UTC

Date: Thu, 22 Apr 2021 14:38:22 +1000
From: Martin Thomson <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: Security of alternative handshakes
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/jHkAO8Yldvz2EjQ_Si6Sp88qcb4>

On Thu, Apr 22, 2021, at 14:11, Watson Ladd wrote:
> With TLS 1.3 we finally added domain
> separation to what is signed, but one hopes protocol X does the same
> but different.

Good catch, Watson.  This is an important assumption to state.

Opened: https://github.com/quicwg/version-negotiation/issues/36

> The other wrinkle is that so far with TLS we've had a pretty uniform
> idea of how transport parameters feed into the handshake, and thus
> assurance that they are actually implicitly authenticated by the
> finished messages and agreed upon. With an alternate handshake that
> goes away.

I think that we have this one covered at least.  We require that the cryptographic handshake authenticate the transport parameters: https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#section-7-3.2
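
The two assumptions discussed in this message, as an added example that is not part of the original message or of any QUIC or TLS implementation: a signature made under one protocol's label must not verify under another's, and a change to the transport parameters must change the Finished MAC. HMAC stands in for the certificate key's signature so the code needs only the standard library; the "protocol X" label, the keys and all byte strings are constructed for illustration.

```python
import hashlib
import hmac

TLS13_SERVER = b"TLS 1.3, server CertificateVerify"  # context string from RFC 8446
PROTOCOL_X = b"protocol X, server signature"         # hypothetical label (assumption)

def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for the certificate key's signature (HMAC, stdlib only)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def signed_content(context: bytes, payload: bytes) -> bytes:
    """TLS 1.3 layout: 64 spaces, context string, one zero byte, payload."""
    return b"\x20" * 64 + context + b"\x00" + payload

def protocol_x_sign(key: bytes, payload: bytes, separated: bool) -> bytes:
    """Hypothetical protocol X signing a payload, with or without its own label."""
    return sign(key, signed_content(PROTOCOL_X, payload) if separated else payload)

def tls13_accepts(key: bytes, transcript_hash: bytes, sig: bytes) -> bool:
    """A TLS 1.3 peer checks the signature over its own context string only."""
    expected = sign(key, signed_content(TLS13_SERVER, transcript_hash))
    return hmac.compare_digest(expected, sig)

def cross_protocol_reuse(separated: bool) -> bool:
    """Does a signature produced by protocol X pass as a TLS 1.3 CertificateVerify?"""
    key = b"constructed signing key used by both protocols"
    th = hashlib.sha256(b"constructed TLS handshake transcript").digest()
    # Protocol X is handed exactly the bytes a TLS 1.3 signer would sign.
    sig = protocol_x_sign(key, signed_content(TLS13_SERVER, th), separated)
    return tls13_accepts(key, th, sig)

def finished_mac(fk: bytes, handshake: bytes, params: bytes, bind_params: bool) -> bytes:
    """Finished-style MAC; bind_params decides if the transcript covers the parameters."""
    transcript = handshake + (params if bind_params else b"")
    digest = hashlib.sha256(transcript).digest()
    return hmac.new(fk, digest, hashlib.sha256).digest()

def tampering_detected(bind_params: bool) -> bool:
    """Compare the MAC over the parameters sent with the MAC over altered ones."""
    fk, hs = b"constructed finished key", b"constructed handshake messages"
    sent = finished_mac(fk, hs, b"constructed transport parameters A", bind_params)
    seen = finished_mac(fk, hs, b"constructed transport parameters B", bind_params)
    return not hmac.compare_digest(sent, seen)

if __name__ == "__main__":
    print("unlabelled X signature accepted by TLS 1.3:", cross_protocol_reuse(False))
    print("labelled X signature accepted by TLS 1.3:  ", cross_protocol_reuse(True))
    print("altered parameters detected when bound:    ", tampering_detected(True))
    print("altered parameters detected when unbound:  ", tampering_detected(False))
```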