Re: Packet Number Encryption outside of AEAD
Kazuho Oku <kazuhooku@gmail.com> Fri, 27 July 2018 04:14 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85177130EA6 for <quic@ietfa.amsl.com>; Thu, 26 Jul 2018 21:14:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id btOF5y0NrSMw for <quic@ietfa.amsl.com>; Thu, 26 Jul 2018 21:14:17 -0700 (PDT)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BEE1130EF4 for <quic@ietf.org>; Thu, 26 Jul 2018 21:14:17 -0700 (PDT)
Received: by mail-lf1-x130.google.com with SMTP id n96-v6so2636475lfi.1 for <quic@ietf.org>; Thu, 26 Jul 2018 21:14:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=0Tz9p9oDrAR9prjM7I5yrENUV0rsbpVWeUGLWjQikJI=; b=Prz1Rnrbc8gOOXbuVegC5A808nDoW74xYy6MYiutoCqrKD+EV+udXpy+RCO+x2D+vE 273Dsa6jv+NgdkYSa8pGsDI1BkOUbgODOsBFnGO70zPquqg48LbQLRsrG4BgHxPWt2i0 a2BYCZ59ilU+iIZTPT20GY32kkS97T9u2TXCvPuI+/y9YTUe2YmTVPcBffk/Pj0j3BYb 09YWPYLV7GOxBKpwMm67ctiGTjsDV4ZIQrVKrKC6oTYU65hMbvrqubKQbutQDfyiPwQ5 WS3Au14RLpFtsqxsXVRGQqSESUi6wSOX/KalCcBg2ub+6RG2L/Xv49WmQTTuuWaXvuG8 ooaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=0Tz9p9oDrAR9prjM7I5yrENUV0rsbpVWeUGLWjQikJI=; b=Ol2X24C5fevmjeptwMHk6z7KXO1PeF19nc/SCkZhZG39aWG8hoa6IXtAMbQBbg4AXu QQOn8FKq3Z6xijyqkUDEuWB5kkJT916zeg2WjLrKZiF5TmyXYInfBlj/7MuRwTc2ukPR Jo7F+nV5MTOlzFkEhfB77CJHVy6Te/gLkE7nBKmQ6R2Kbq0De1fqBYgyo+tLDg5W/k29 QRP55HcfitOtimB+lVgChlQnGKPtqXHNjE+EEWFrDg4fLeBlRRRyRz6kRDf3Nthzw/Hx I1lzeK6bic7go04r66zHv++sq28k7NfmEimbZcY5AeJgn4xJImknrUZu8DfkwIhCx2/N tEQg==
X-Gm-Message-State: AOUpUlF/D2iR9m7fKnsgxqrVfxtbS4k/2Yi8ifk/gyLVsHRxswvQhV+L DJH5Id07VUbyjv/NGfE9t6k1wIAQV/ZLBYSqzYU=
X-Google-Smtp-Source: AAOMgpc91DkZHczr1TqEMq4LxdaSx//1NOnvCcPd+gQIBrw3gNWWVlKoaLU3vlBKzVM0c3vY/8T29XYrDHOlKili4Kc=
X-Received: by 2002:a19:6b03:: with SMTP id d3-v6mr2741093lfa.81.1532664855402; Thu, 26 Jul 2018 21:14:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:8996:0:0:0:0:0 with HTTP; Thu, 26 Jul 2018 21:14:14 -0700 (PDT)
In-Reply-To: <CAN1APdcCdPGVEHJh4FiQBirunHUxY7HV_idYPtyQT09Fe-fSUw@mail.gmail.com>
References: <CAN1APdcCdPGVEHJh4FiQBirunHUxY7HV_idYPtyQT09Fe-fSUw@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 27 Jul 2018 13:14:14 +0900
Message-ID: <CANatvzzMhYowiCCCz+_q+zT6LYRjDa9ru33G-tcs44G8r8cBjg@mail.gmail.com>
Subject: Re: Packet Number Encryption outside of AEAD
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/k2H_0ReSSZnDG8-i7KNfNsZqEBk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 04:14:29 -0000
2018-07-26 15:21 GMT+09:00 Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>: > I created the following issue a while ago but go no response, so perhaps it > should have been discussed on this list: > > https://github.com/quicwg/base-drafts/issues/1578 > > The issues covers the point, but in summary: > > If the packet format is kept as it is today, but the packet number is not > included in the authenticated data when computing the AEAD tag, then the > decoder need not modify the received packet buffer when decoding the packet > number. This can lead to more efficient hardware implementations and make > multi-processor buffer sharing more effective. I am not sure if this is a safe change. What makes me worried is the fact that we will now have at most three ways of representing a packet. My understanding is that having indeterministic encoding is considered dangerous in crypto. Consider the case where a sender encodes a packet number using 4 octets even when just using 1 octet is enough. An on-path attacker rewrites the packet by applying XOR 0x80 to the first octet of the encrypted PN, and trimming the latter three octets of the encrypted PN. Then, the attacker can observe if the packet is successfully consumed by the receiver, and use the fact to infer if the upper 6 bits of the 30-bit PN was equal to the least 6 bits. I am not sure if this attack is interesting, but allowing multiple representation does create these kind of attack vectors. > > Mikkel -- Kazuho Oku
- Packet Number Encryption outside of AEAD Mikkel Fahnøe Jørgensen
- Re: Packet Number Encryption outside of AEAD Ian Swett
- Re: Packet Number Encryption outside of AEAD Christian Huitema
- Re: Packet Number Encryption outside of AEAD Kazuho Oku
- Re: Packet Number Encryption outside of AEAD Mikkel Fahnøe Jørgensen
- Re: Packet Number Encryption outside of AEAD Christian Huitema
- RE: Packet Number Encryption outside of AEAD Deval, Manasi
- Re: Packet Number Encryption outside of AEAD Kazuho Oku
- Re: Packet Number Encryption outside of AEAD Kazuho Oku
- Re: Packet Number Encryption outside of AEAD Mikkel Fahnøe Jørgensen
- Re: Packet Number Encryption outside of AEAD Kazuho Oku
- Re: Packet Number Encryption outside of AEAD Christian Huitema
- Re: Packet Number Encryption outside of AEAD Mikkel Fahnøe Jørgensen
- Re: Packet Number Encryption outside of AEAD Kazuho Oku