Define an anti-forgery limit

This defines a limit on the number of packets that can fail authentication before you have to use new keys. There is a big hole here in that AES-CCM (that is, the AEAD based on CBC-MAC) is currently permitted, but we have no analysis to support either the confidentiality limits in TLS 1.3 or the integrity limits in this document. It is probably OK, but that is not the standard we apply here. So this might have to remain open until we get some sort of resolution on that issue. My initial opinion is to cut CCM from the draft until/unless an analysis is produced. Closes #3619.
quicwg · Apr 29, 2020 · 2417e9d · 2417e9d
1 parent 68f81c2
commit 2417e9d
Showing 1 changed file with 31 additions and 1 deletion.
diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md
@@ -70,6 +70,15 @@ informative:
     date: 2016-03-08
     target: "http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf"
 
+  ROBUST:
+    title: "Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS"
+    author:
+      - ins: M. Fischlin
+      - ins: F. Günther
+      - ins: C. Janson
+    date: 2020-02-21
+    target: "https://felixguenther.info/Q20_RC.pdf"
+
   IMC:
     title: "Introduction to Modern Cryptography, Second Edition"
     author:
@@ -1519,13 +1528,33 @@ After this period, old read keys and their corresponding secrets SHOULD be
 discarded.
 
 
-## Key Update Frequency
+## Minimum Key Update Frequency
 
 Key updates MUST be initiated before usage limits on packet protection keys are
 exceeded.  For the cipher suites mentioned in this document, the limits in
 Section 5.5 of {{!TLS13}} apply.  Other cipher suites MUST define usage limits
 in order to be used with QUIC.
 
+The usage limits defined in TLS 1.3 exist to provide protection against attacks
+on confidentiality and apply to successful applications of AEAD protection. The
+integrity protections in authenticated encryption also depend on limiting the
+number of attempts to forge packets. TLS achieves this by closing connections
+after any record fails an authentication check. In comparison, QUIC ignores any
+packet that cannot be authenticated, allowing an attacker to make multiple
+attempts to defeat integrity protection.
+
+Packet protection keys MUST NOT be used for removing packet protection after
+authentication fails on more than 2^36 packets. Endpoints MUST initiate a key
+update before the number of packets that fail authentication exceeds 2^36. This
+limit reduces the probability than attacker is able to create a successful
+packet forgery to 2^-57, see {{AEBounds}} and {{ROBUST}}.
+
+This limit of 2^36 unsuccessfully authenticated packets applies only to the
+AEAD algorithms that are defined for use in QUIC (AEAD_AES_128_GCM,
+AEAD_AES_256_GCM, AEAD_AES_128_CCM(?!?! - no analysis to support the inclusion
+of CCM), and AEAD_CHACHA20_POLY1305). Any TLS cipher suite that is specified
+for use with QUIC MUST specify a limit specific to the packet protection AEAD.
+
 
 ## Key Update Error Code {#key-update-error}
 
@@ -2203,6 +2232,7 @@ Christopher Wood,
 David Schinazi,
 Dragana Damjanovic,
 Eric Rescorla,
+Felix Günther,
 Ian Swett,
 Jana Iyengar, <contact
  asciiFullname="Kazuho Oku" fullname="奥 一穂"/>,