New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reconsider the use of FNV-1a for "cleartext" integrity #554
Comments
Is this just a more complicated way of providing proof of receipt? |
I don't think so.... It's rather a way of avoiding injection of bogus handshake packets by off-path attackers. |
While we're reconsidering this, @martinduke and I were talking again about the idea of encrypting using AES-GCM with a version specific key. That re-convinced me it was a good idea.
Given recent deployment issues with TLS 1.3, I think point 2 is more valuable than I previously believed. |
Furthermore, as I brought up in Chicago, this greatly simplifies the code
path as well if you do crypto offload. Currently, iincoming encrypted
packets are decrypted asynchronously while handshake packets are handled
immediately. So it's a little complicated to think through when it's OK to
free the packet, enough that I very well might of messed it up in a way
that will emerge as a memory leak someday.
There has to be similar logic when sending the packet.
It would greatly simplify the permutations if packets were always
encrypted, and it was just a matter of switching from an insecure key to a
secure one.
…On Thu, Jun 8, 2017 at 11:55 PM, ianswett ***@***.***> wrote:
While we're reconsidering this, @martinduke
<https://github.com/martinduke> and I were talking again about the idea
of encrypting using AES-GCM with a version specific key. That re-convinced
me it was a good idea.
1. AES-GCM hardware offload is a common feature, and being able to use
it as much as possible is nice.
2. Forces middleboxes that want to do TLS inspection to stay up to
date with the latest versions, otherwise they won't be able in inspect SNI.
This makes future changes to TLS less likely to ossify, since middleboxes
that aren't frequently updated won't be able to see the new version of TLS.
Given recent deployment issues with TLS 1.3, I think point 2 is more
valuable than I previously believed.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#554 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AXRMEUo8YKHQXnbvoZ-TXzdewZNus0dCks5sCG3rgaJpZM4NjENJ>
.
|
While not against the idea,
does not hold when encryption is not necssarily AES-GCM after handshake or in a new version. Further, some low-end IoT devices do not have AES accelleration, and will not have, and may want to use ChaCha20 instead. Such devices could use a generic implementation since it is only for handshake, but it does kill the simplicity argument. I have previously in a private mail to some authors suggested signing the cleartext headers using a CMAC algorithm with a version specific key. This is much simpler than AES-GCM and better suited for non-version specific implementation. CMAC will not encrypt, but AES can still be used for that, if the concern is ossification. Regarding ossification - isn't there a risk that middleboxes will only work if they understand the protocol, and thus will reject newer QUIC versions with a key they don't have? This could make the problem worse. I'm just speculating as I have no experience with these issues. EDIT: since a significant part of cleartext packets has to do with version negotiation, I also wonder how well a version specific key. Regarding my earlier CMAC propososal, the motivation was to filter out packets that are not QUIC before expending semi-expensive crypto hash algorithms - but others argued that crypto is generally fast enough to be a non-concern (and I would add that IoT devices can also live with some crypto delay / power drain for handshake). |
For reference here is the CMAC proposal from March 15 I sent:
|
To be replaced with #693 |
We had consensus to use FNV-1a to provide integrity for packets in non-adversarial settings. However as observed in #522, we still have to potentially worry about packet injection from off-path attackers. A natural design is to have the pre-handshake integrity check be somehow keyed by information in the ClientHello (e.g., the conn id). In this case, we would probably want to use something more like HMAC, though it's not necessarily required.
The text was updated successfully, but these errors were encountered: