IETF Logo Mail Archive

RE: Packet number encryption

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Sat, 10 February 2018 19:44 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E0B012DA22 for <quic@ietfa.amsl.com>; Sat, 10 Feb 2018 11:44:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.697
X-Spam-Level:
X-Spam-Status: No, score=-2.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fivLuN1tgfxG for <quic@ietfa.amsl.com>; Sat, 10 Feb 2018 11:44:40 -0800 (PST)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AC6812D77B for <quic@ietf.org>; Sat, 10 Feb 2018 11:44:40 -0800 (PST)
Received: by mail-it0-x233.google.com with SMTP id j21so2423955ita.1 for <quic@ietf.org>; Sat, 10 Feb 2018 11:44:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=hef7Zex8XoMMTXklLqNJ6GVQjXzZsAY6sK/T6cXzHeQ=; b=TMRLiS2ukwxOmVWnZ7LU54UyLZi9vIjNS2RMIaeqZmcrPINjh0KZaSyz+ihqf5bqmt SJHY35Rz8CFHGwg2AUAQ/oHrful2IMSH8KFwi2BgaICcbahqr+1zULmrdEWWwbhwWwvR CPP3kVUxw7XRpeE8b60poGIJu8rWVCv6R7PAEttPYZSQwxBCVUTsKwusbgN6JsuXYMjl WzkssjUexbte5IDstUDK0dWFpg24NTRpcmLjuxiJFWDg6jfW/UQdRrTHVafx5eyYgMsy xYJ1LPMzUY01UDHRvkLI0kZ8zGEjcRUjofvvCmIFUJvwvU/PtffbYnbtWkp1Vf1UT5aX Y7lQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=hef7Zex8XoMMTXklLqNJ6GVQjXzZsAY6sK/T6cXzHeQ=; b=HqnurqAb6RxKH19YPSrTM+AA5+VnOKSDmc5aDCEA69QIY8BWlOoGjOlmvS47JWEGup HHoAZ3h7jLDsHys3vrMA6YfbMF2i3772EdzcdCasvAYsfoPtoU981EFNUWl8QNAlRJcu a5l2iUQssLajHXsowULnMdWA+11AddSm042rHt1+eB1nsk9SX0nSjgV8YvjoeRU1Hc0Z 7KlbzHaiGAty4BxD46dGO6LM4qWuRamNDqJw1obQ0PSGIQTSDjnJwY1fx2F8Do1HYCdl eYf83EmfM/KZYATtMGWqDLf22lgxuvS0fArn79ZVIIi2LeD0jyavCSABB/rcKDbSD14v XbVw==
X-Gm-Message-State: APf1xPCgdEpWZTZOC9r7WDHB2MaGVVbp7ZtqxrrmyYKFtkF8tdCviq4P vl+W1gx0sWzwC/zqwY4U6rEgKsqtKvxJU/dXU/0=
X-Google-Smtp-Source: AH8x225FLyiWtwsoZq4KO3q81CsKydrrO/6PpScBSjybd6g8B+ZBCN+f7BF5GtJVEvZK+TNpHpaYMauyCnG4O6aJk2c=
X-Received: by 10.36.10.207 with SMTP id 198mr8264271itw.42.1518291879828; Sat, 10 Feb 2018 11:44:39 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Sat, 10 Feb 2018 13:44:38 -0600
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <CY4PR21MB0133C5FB4961311E4C1523B5B6F10@CY4PR21MB0133.namprd21.prod.outlook.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <CAGD1bZauKbucs_5n7RQbK8H2HiyfiqpGVEcKreGA6umhMBSFgg@mail.gmail.com> <CABcZeBPNrc-9vANSH02r++p53s6gN4pVB8DMd80nUxOhKTp3dA@mail.gmail.com> <CAKcm_gMvHSBhpUvsQCCkV2_o+d_wchF3R3L6H8mp6nKNaaRmSw@mail.gmail.com> <CY4PR21MB0133CCAA6807469BA983D00BB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <CABkgnnW4xr_YzpsvCxaJJgcQdBTuX=Yv735_sdd4VoMfji8mbA@mail.gmail.com> <CY4PR21MB0133C759D4A08A4988B641B2B6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <bdf88936-8edc-d56e-ee59-c9d597058edd@huitema.net> <CY4PR21MB01337C8A700E58B49D90B712B6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <119b3276-5799-1cc3-8982-7479171bbf27@huitema.net> <CAOYVs2pi8-NVuS+crNMfjsP-n5upK3=5tPeQ8OSGpOvL6RTrjA@mail.gmail.com> <CY4PR21MB0133A1117B2733BBCF049C5FB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <MWHPR08MB24327A7BB5AE1AE70FE5CDB1DAF30@MWHPR08MB2432.namprd08.prod.outlook.com> <533a0a2e-3a87-b55f-84ce-c52bc03cd81c@huitema.net> <MWHPR21MB0144C68102972A668611E1FCB6F20@MWHPR21MB0144.namprd21.prod.outlook.com> <CY4PR21MB01332141C3563ABBA240C566B6F20@CY4PR21MB0133.namprd21.prod.outlook.com> <CABcZeBNeTT79nd+d7h-KFPpFYxpr5wt1KgwPY=M0_UQpCkKq1w@mail.gmail.com> <CY4PR21MB01337A5E81D8A8A1D7518D97B6F20@CY4PR21MB0133.namprd21.prod.outlook.com> <D3800B30-E1F5-4955-8F85-6FEF36AD2E23@akamai.com> <CY4PR21MB0133427E65B3587C7577A454B6F20@CY4PR21MB0133.namprd21.prod.outlook.com> <E002EFE4-5288-45B2-BAF4-D9CE0A9DBCC5@akamai.com> <CY4PR21MB0133C5FB4961311E4C1523B5B6F10@CY4PR21MB0133.namprd21.prod.outlook.com>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Sat, 10 Feb 2018 13:44:38 -0600
Message-ID: <CAN1APdemirdLAk9v1itSoQp7AmSwKd64OVKb=v1Q3dCkQKtg0w@mail.gmail.com>
Subject: RE: Packet number encryption
To: "Salz, Rich" <rsalz@akamai.com>, Praveen Balasubramanian <pravb@microsoft.com>
Cc: "quic@ietf.org" <quic@ietf.org>
Content-Type: multipart/alternative; boundary="001a1144b82829a12d0564e0e09f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/jPWqEeNcEPA_Tt0wPwSJb0V4nqg>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Feb 2018 19:44:42 -0000

I wrote up my previous suggestion to use segmented packet numbers with
clear text nonce in an issue, and I added a comment where I propose a
variation that encrypts the nonce, but this encryption is 16 times faster
than the current packet number encryption scheme. In both cases there is no
duplication of nonce and packet numbers because they are the same modulo
path.

https://github.com/quicwg/base-drafts/issues/1105



On 10 February 2018 at 19.22.50, Praveen Balasubramanian (
pravb@microsoft.com) wrote:

>> a packet number **exactly** meets the requirements of an authenticated
encrypted nonce. Not using it for that purpose is being wasteful for
absolutely no good reason.

For better or worse we have chosen to tie the transport very tightly with
TLS. This means extra work will be needed for unencrypted QUIC or QUIC over
IPsec for example. Case in point transport parameters not being in the
transport header but rather in the TLS header. In HTTPS over TCP, TLS will
use its own sequence number for nonce and TCP will have its own sequence
number. This is a clear separation of concerns. From what I can tell, since
QUIC uses its own packet framing and the PN doesn’t repeat we have tried to
optimize this by overloading it with the nonce.



That said nothing prevents an implementation from using the packet number
as the nonce. By separating concerns one can pick whatever one wants for
the nonce, the receiver doesn’t care about the nonce value other than for
decryption i.e. no impact on transport logic. We can use a VLE field or
other methods to reduce the extra space needed for the PN.



>> and then encrypting the nonce

You don’t have to but you can . The only *functional* requirement for the
nonce is non-repeatability. Encryption is only being considered for
ossification and unlinkability concerns. For connections that don’t care
about unlinkability (no migration, no multi path) the overhead is not worth
it. Ossification can be avoided by a random initial value and jumps in
between since this is a form of greasing.



>> Do you have a non-authenticated crypto mechanism we should consider?

I am not a crypto expert. I don’t know what future crypto will look like.
Making the nonce field optional or larger size when needed (but not
variable for given connection) allows the transport protocol to be more
future proof. Forcing the PN to be the nonce makes things more inflexible.
I care much less about the nonce getting ossified compared to the PN.



*From:* Salz, Rich [mailto:rsalz@akamai.com]
*Sent:* Friday, February 9, 2018 3:37 PM
*To:* Praveen Balasubramanian <pravb@microsoft.com>
*Cc:* quic@ietf.org
*Subject:* Re: Packet number encryption



> Clear separation of concerns results if we don’t overload the packet
number as the nonce. Connection migration and multi-path are optional
features and we pay no extra compute cost for most connections that are not
impacted by unlnkability. Nonce field becomes optional for crypto that
doesn’t need it and can grow to larger size as needed for bulk transfers to
prevent frequent key rollovers (say in datacenter scenarios).



David already replied pretty definitively, but for those not on his level …



It seems highly unlikely that we will want to use non-authenticated crypto
– ie., AEAD or similar.  TLS 1.3 is all and only authenticated encryption.
The difference in cost is a few extra bytes of encryption, as opposed to
bigger packets for plaintext and then encrypting the nonce, right?  That
difference should be hard to notice.



If we assume it’s all authenticated crypto, and therefore we need a nonce,
then separation of concerns becomes a non-issue. In fact, as David pointed
out, a packet number **exactly** meets the requirements of an authenticated
encrypted nonce. Not using it for that purpose is being wasteful for
absolutely no good reason.



Do you have a non-authenticated crypto mechanism we should consider?

v2.23.0 | Report a Bug | By Email