The packet number gap specification needs work #1034
Assignees
Labels
-transport
design
An issue that affects the design of the protocol; resolution requires consensus.
has-consensus
An issue that the Chairs have determined has consensus, by canvassing the mailing list.
Comments
huitema
changed the title
martinthomson
added a commit
that referenced
this issue
Jan 9, 2018
This changes the key schedule so that connection ID is part of the key derivation. Secrets are generally unchanged, except that the handshake secret is now fixed (we integrate the connection ID via key derivation). Packet numbers now start from zero, with an additive masking value that is derived in the same way that packet protection keys are. Closes #1034, #850.
martinthomson
added
design
martinthomson
added a commit
that referenced
this issue
Jan 15, 2018
|
This would be closed by Stream ID encryption #1079 |
mnot
added
the
has-consensus
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I spent some time reading the spec of the "packet gap", the random offset applied to a packet number after migrating to a new connection ID. The gap is specified in 7.7.1.1 as:
The formula relies on a "packet number secret" derived from the master secret. At first, this seems a bit complicated -- why not just a packet number? The answer of course is that often only the lower 32 bits of the packet sequence number will be transmitted in the header, the higher 32 bits have to be guessed, and if it was just a 32 bit random offset the higher 32 bits would be guessed wrong half the time. And even if the spec mandated only a 31 bit random offset, the guessing would still be wrong half the time if the client migrated twice in a row. OK. So the complexity is justified. But then there are still three valid criticisms: spec is unclear; algorithm does not actually achieve privacy; and all that would not be necessary if the packet sequence number was encrypted.
The current text is hard to follow, due to the use of "sequence number" for both the packet sequence number and the "number of the chosen connection ID in the sequence of new connection ID". I had to read it multiple times to decipher what was actually requested. I would suggest using a more precise moniker than "sequence" to designate the sequence of the connection ID. Maybe "migration sequence".
Then, the algorithm does not achieve privacy. It is unclear from the text if the server also applies the gap, or not. But if it does apply the gap, it will be the same gap as the client, and adversaries can find that to link the old and the new context. And if it does not apply the gap, then adversaries can also link the old and new context. I would suggest that the spec specifies a different computation method for the server side gap, maybe something like:
Finally, let's observe that all this shifting and offsetting of the packet sequence number would not be necessary if that number was encrypted. Encryption would allow use of a single sequence number on multiple paths without compromising privacy, and that would make the transition to multipath easier.
The text was updated successfully, but these errors were encountered: