Re: Key update review request
Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Fri, 27 September 2019 06:53 UTC
Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AD4C1200BA for <quic@ietfa.amsl.com>; Thu, 26 Sep 2019 23:53:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l4HqnOYTr9A5 for <quic@ietfa.amsl.com>; Thu, 26 Sep 2019 23:53:28 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED3B412003F for <quic@ietf.org>; Thu, 26 Sep 2019 23:53:27 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id v8so1389492eds.2 for <quic@ietf.org>; Thu, 26 Sep 2019 23:53:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to; bh=dU4hxrP2SMN1A9wN6Sr44CgXPHAcwtHvqxckvDvmCG8=; b=PI/Lk16r7Ro4m9Ac1Nll42P0wU6xnXKNE5ETa7l6gGUUrzcCt2BvPlOinB9n99nYPU A60oQKWhSSti9e3iihFGxIZpvE8vCgaPBx14Otzo8FIr5fxPsgus+8fYwVQMWUKU6LAq nX9A2FgzhlV6MOaE4uO9G8uQOnRW9BWpEGxishqm1DNLwH3Ja9iloLrdjwTxeSftkhfZ r1qLIrlKcMJr7qvu3dInlWkXAL847lG7JdTKFA0dy8aeJi8mdeb71WleZ3DaHCNoUX9l gEtiQoX8jNUDwl5enTmGAccXaNZCtMwiCj+8MymTRsTlKNEAFli2K5sofyOwz3xNkBKQ mosA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to; bh=dU4hxrP2SMN1A9wN6Sr44CgXPHAcwtHvqxckvDvmCG8=; b=M8GJDymyf628E0KHU8ZjI0gGeTNpG193t4ZHcxgnQcR2Gaqks+9gq8QiOO4SWA3/mX 4zmWGUY0WL+7NGFVAEIz5Hfc2dSkOa6sXLk1UfgtW/nBf/lb6tB38lZWtNv2kX3T++pr 0/eq2BuuFsBtJ9vTDXDeousPQF4Ik3hjt28msLcSBRal0H524WZnRoeYkyOTDV8RF93q /gWjkgYeuqRHQhQ4PH0a9ANryi5Hz9mqZv4yIKJT4PrGMT/72vZCSxIstM4hU1J61L62 V3UVTyQ4l+Y9g0rwNOHXS2uf6tH9shvemmvV2F0eJiRJISFmRvoLxtHb5j0C1T6Eaghu cl1Q==
X-Gm-Message-State: APjAAAUloMAVb04BvFdKGAi09qRaW1rLCGBt1TBFIAPW79VJ7n0/VK5s wRZO+H/b08GN25gOJadYeXvOkZY1sjmA10Apv8+5HnKn
X-Google-Smtp-Source: APXvYqwb3jO49Ko5LZv142/NMRAK/HTNal5ZQ/MBpi1RIAG9eM3nzhPtw4BFiuy20hayz4R3u4ii7sSagta3Zkj7ggg=
X-Received: by 2002:a17:906:1c5b:: with SMTP id l27mr6537999ejg.27.1569567206418; Thu, 26 Sep 2019 23:53:26 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Thu, 26 Sep 2019 23:53:24 -0700
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <9e445649-07ab-482e-b334-c9d4532d7e0f@www.fastmail.com>
References: <9e445649-07ab-482e-b334-c9d4532d7e0f@www.fastmail.com>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Thu, 26 Sep 2019 23:53:24 -0700
Message-ID: <CAN1APdf2U_Q=_95xp03OUV9J8R39jVxtoon-Hj69Ep9JRuNihw@mail.gmail.com>
Subject: Re: Key update review request
To: Martin Thomson <mt@lowentropy.net>, quic@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ca2e8c0593835745"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/mnQ-3b25m7QmUmVOUiybbWvRX5o>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2019 06:53:31 -0000
As a general comment to the principle of hiding key updates: I believe this is very useful because if a weakness is found in crypto, the more data you can sample the more plausible the attack. If observed data can be from multiple keys such attacks presumably become harder. We already know there is an easily reachable data limit on AES-GCM beyond which certain attacks become feasible. On 27 September 2019 at 08.32.09, Martin Thomson (mt@lowentropy.net) wrote: Hi All, https://github.com/quicwg/base-drafts/pull/3050 rewrites most of the key update section of the TLS draft. Preview: https://quicwg.org/base-drafts/rework-key-update-2/draft-ietf-quic-tls.html#key-update There is one technical change in here to address the issue (#2792) raised by Marten Seemann where our packet processing is not constant time. The problem is that generating new keys was part of the logic for packet protection removal, and key generation would be very visible as a timing side channel. This isn't that serious a problem in my opinion, because you could model key generation as application-layer activity, which we don't attempt to protect in this way. However, it does leak a bit of data that we were hoping to protect (the Key Phase), so I figure that it's worth at least documenting the exposure. The proposed change doesn't prohibit inline key generation, but it encourages an asynchronous method of key generation that should be harder to observe the effects of. Specifically, implementations are told that they ought to [RFC6919] generate new keys 1PTO after performing a key update. To go along with the recommendation to use a timer, it more strongly discourages key updates within 3PTO of each other. The substance of the warning is that if you update too fast, you could experience "loss". I'd like some more review of this PR. Basically, I don't want to get to the interim to find that people "need more time to review this". I've already gotten good feedback (thanks Kazuho, David), and I think that it's good to merge, but I want more eyeballs. Cheers, Martin
- Key update review request Martin Thomson
- Re: Key update review request Mikkel Fahnøe Jørgensen
- Re: Key update review request Martin Thomson