Re: KEYS_READY
Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Wed, 13 February 2019 08:36 UTC
Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0F0612D4E6 for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 00:36:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.997
X-Spam-Level:
X-Spam-Status: No, score=-0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g4DLdpPr1THj for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 00:36:13 -0800 (PST)
Received: from mail-it1-x134.google.com (mail-it1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A28A7128CB7 for <quic@ietf.org>; Wed, 13 Feb 2019 00:36:13 -0800 (PST)
Received: by mail-it1-x134.google.com with SMTP id l131so3735626ita.2 for <quic@ietf.org>; Wed, 13 Feb 2019 00:36:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=Do3NR88y6B2ZEm0OWkGt9W9lLhOzBFwJqyoveHYigUc=; b=UvcyMlGG4LTLQhTNJfsw35XGF5ZgIJdin4pAVuIc7I39FUPdZwVGcT6cU2mAHLuEgL yREEU/B0mEgQQBrbTOyoqY1miugceFlRbKFHmCtFim17QVVFv1Iy+teAQZrD35Ma7en7 0EI1U885a612ts2BBRCgPjoLv3Ce8b+v2H4XP8lb5zb+heBNLymP333PBlHEHFyJUWEv ht7/xSg3XGZuZ0W6eRqVL84x4p0ygzPwDCEu49mEKomaCreF3llylNBkUQKdx/gQ8f0p PTUOWm4v3Q6wr3k1sB6zdLkXYRgFP3qyFJGwTC5Nktws6lto5LZHCo3yfJmg1Xdv8IfK xtNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=Do3NR88y6B2ZEm0OWkGt9W9lLhOzBFwJqyoveHYigUc=; b=J0JyTHu428nzG9DBMkPvZzhq27zTDxCjIX0Dpv5mpEHK7fStEslwp/3MUIUynGfe2z 1THlvozNv4wcGAyrSbgYGj2SReypBnofIVa0SiebyOapHIltJMg1AUhrp8d5L84lOCSN ABmgxNIrLlFlmMmA0SoWhdgWXJPPnkXlYaEFCJ3CM3FyniY+N9aE/0f01KMB0yPZzhw1 pN3NQdCS56ppxFCKLRVQmV66kUT7PxnNXj1IavJSs+ibXxYd2/YFD+Ot8gACXviSSMpt HrQPCMqUX9I6ju7e2rKqluch98+JOyfVk3Wi47zc1v/sj0izi8qWKTre7Ck54UvN7B1I CxMA==
X-Gm-Message-State: AHQUAub7uQ1IEViwaZUkfCPQ/H44vi3z4bUfuvdHU8baOiqQ/Drms6f2 jkpmXSUtkMbYJu80hGoFCodFLDfVoMtrb57Y14o=
X-Google-Smtp-Source: AHgI3Ibs7Iek36plyDu970VoWHCCL8tX7/wvj4lRHaRDGKx8xFB+KB2C7nWLBefg+REx0QbXoGqPORazwdIqXKa/qQY=
X-Received: by 2002:a6b:5b01:: with SMTP id v1mr4041718ioh.12.1550046972830; Wed, 13 Feb 2019 00:36:12 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 13 Feb 2019 00:36:11 -0800
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com>
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Wed, 13 Feb 2019 00:36:11 -0800
Message-ID: <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com>
Subject: Re: KEYS_READY
To: Martin Thomson <mt@lowentropy.net>, Kazuho Oku <kazuhooku@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003369d30581c26f67"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/nav_v5dgIu0o_NVudIVn-aBcMQg>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 08:36:16 -0000
Thanks for pointing out the second alternative, although reluctantly. I think the first option with anonymous KEY_READY has a problem with idempotency as well as tying state to retransmission logic. This means that naive retransmission of packet content in a new packet number is no longer valid, and likewise, naive processing of a frame that passes authentication is also no longer possible. That is a strong principle break and I don’t think the minor simplicity of a label-less KEY_READY frame can justify that (even if one ought no do such naive transmission). You could state that the KEY_PHASE bit is the lower bit the key counter which increments by one on each key update, starting at 0 or 1. Then, a KEY_READY with a future count is a PROTOCOL_VIOLATION and an old count is ignored. The key phase or the packet protection of the packet containing the KEY_READY frame is of no significance. I also suspect that the alternatively two-bit proposal might have a problem with idempotency, but I think it sorts itself by failing packet protection. The text mentions that the updated key depends on the current traffic key with reference to TLS 1.3. From reading this naively, it sounds like forward secrecy is lost, which I am sure it is not. Finally, this is just a high level view. I find the overall text hard to understand, notably because it is not crystal clear whether the two endpoints update their transmission keys in sync with the ready keys, or if the (currently implicity) key phase counters can count independently. That said, I like the idea of an explicit READY frame, and i probably would also like and explicit handshake ready frame, if it isn’t effectively the same thing, and if it is, perhaps formalise that. Mikkel On 13 February 2019 at 06.55.57, Kazuho Oku (kazuhooku@gmail.com) wrote: Hi, Martin Thank you for writing the PR. My comments inline. 2019年2月13日(水) 10:46 Martin Thomson <mt@lowentropy.net>: > > https://github.com/quicwg/base-drafts/pull/2237 has been updated to include the discussed new frame. > > This allows us to remove the implicit-ish acknowledgment of Initial packets, fix the problem Marten identified with discarding Handshake keys, and the problem Kazuho found with multiple and simultaneous key updates. > > There were two designs that were valid here, and I want to ensure that people think about the choice: > > The one I chose to write up uses a design like ACK. The keys used to protect the packet determine how the frame is interpreted. That is, KEYS_READY in a packet implies that the corresponding keys are in use. The cost here is that you have to purge any potential retransmissions of KEYS_READY when you update keys or you risk creating a false signal. > > The alternative involves more explicit signaling, and requires us to label each set of keys unambiguously. My weak preference goes to burning a bit in the first byte (we have reserved bits in all the necessary packet types) due to the exceptional retransmission rule that we would have for the frame, but I'm not sure how much I care. > For that we could borrow the DTLS epoch convention, though that is inconveniently out of phase with the Key Phase we use; not a major issue, but a little hard to reason about. This doesn't have a retransmission problem, but in addition to the need to document the counting system, we would need to decide whether a mismatch between frame and packet is OK, or something that can produce a connection error. > > Obviously, I have a preference for the former, but if people feel differently, this is a good place to register your reasons. > > Editorial concerns should be directed toward the pull request. > -- Kazuho Oku
- KEYS_READY Martin Thomson
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Marten Seemann
- Re: KEYS_READY Ian Swett
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Christian Huitema
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Christian Huitema
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Jana Iyengar
- Re: KEYS_READY Jana Iyengar
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Marten Seemann
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Ryan Hamilton
- RE: KEYS_READY Mike Bishop
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Nick Harper
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi