Re: Packet number encryption

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Fri, 09 February 2018 14:05 UTC

From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Date: Fri, 09 Feb 2018 09:05:36 -0500
Message-ID: <CAN1APdf6YkiKzPmR04_9M4L807iZ0Ph=k9Cd8+2Q9rhfnMgORA@mail.gmail.com>
Subject: Re: Packet number encryption
To: Eric Rescorla <ekr@rtfm.com>
Cc: Praveen Balasubramanian <pravb@microsoft.com>, Mike Bishop <mbishop@evequefou.be>, "quic@ietf.org" <quic@ietf.org>, huitema <huitema@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/meBIU_HYCnZ7EfgQpFyrVEnLgTU>
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>

On 9 February 2018 at 14.34.17, Eric Rescorla (ekr@rtfm.com) wrote:


> I'm not sure where you are getting this from. Any nonce reuse at all with
> AES-GCM is catastrophic:
> http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf


I read it in a NIST paper I also linked to in another mail here, but it
appears they have gone back on that based on the Ferguson paper. It now
says Legacy in the URL, but still shows up prominently in a Google search.

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
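
An added illustration of the quoted point about AES-GCM nonce reuse, not part of the original message or of any QUIC implementation: two payloads sealed under one key and nonce share a keystream, so the XOR of the ciphertexts equals the XOR of the plaintexts, and a sender-side guard can refuse any packet number that would repeat a nonce. The `Sealer` type, the nonce layout (packet number in the low 8 bytes) and the sample payloads are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrNonceReuse = errors.New("packet number not increasing: GCM nonce would repeat")
// Sealer (hypothetical) tracks the lowest packet number still allowed in next.
type Sealer struct{ aead cipher.AEAD; next uint64 }

func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Sealer{aead: aead}, err
}

func (s *Sealer) Seal(pn uint64, payload []byte) ([]byte, error) {
	if pn < s.next || pn == ^uint64(0) { // a repeat, or next would wrap to 0
		return nil, ErrNonceReuse
	}
	s.next = pn + 1
	nonce := make([]byte, 12) // assumed layout: packet number in the low 8 bytes
	binary.BigEndian.PutUint64(nonce[4:], pn)
	return s.aead.Seal(nil, nonce, payload, nil), nil
}

// KeystreamCancels bypasses the guard and checks c1 XOR c2 == p1 XOR p2 under one nonce.
func KeystreamCancels(s *Sealer, p1, p2 []byte) bool {
	nonce := make([]byte, 12) // the same nonce is used twice on purpose
	c1 := s.aead.Seal(nil, nonce, p1, nil)
	c2 := s.aead.Seal(nil, nonce, p2, nil)
	diff := byte(0)
	for i := range p1 {
		diff |= c1[i] ^ c2[i] ^ p1[i] ^ p2[i]
	}
	return diff == 0
}

func main() {
	s, _ := NewSealer(make([]byte, 16)) // constructed all-zero demo key
	fmt.Println(KeystreamCancels(s, []byte("GET /index.html"), []byte("GET /admin.html")))
}
```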