From a265516ae6e760f7585f52f05a1c4dd2b1d41849 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 21 Nov 2018 15:12:05 +1100 Subject: [PATCH 1/3] Don't allow use of AEAD_AES_128_CCM_8 Closes #2019. --- draft-ietf-quic-tls.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index e7b653c87f..9de3aeb163 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -780,7 +780,10 @@ connection ID in the client's first Initial packet (see {{initial-secrets}}). This provides protection against off-path attackers and robustness against QUIC version unaware middleboxes, but not against on-path attackers. -All ciphersuites currently defined for TLS 1.3 - and therefore QUIC - have a +QUIC can use any of the ciphersuites defined in {{!TLS13}} with the exception of +those based on AEAD_AES_128_CCM_8 {{?CCM=RFC6655}}. AEAD_AES_128_CCM_8 does not +produce a large enough authentication tag for use with header protection +({{header-protect}}). All other ciphersuites defined in {{!TLS13}} have a 16-byte authentication tag and produce an output 16 bytes larger than their input. From 120cfaae6e2be8b68b50d374327775b6cf288184 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 21 Nov 2018 15:15:17 +1100 Subject: [PATCH 2/3] Be clearer --- draft-ietf-quic-tls.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 9de3aeb163..7f3f26b9aa 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md 
@@ -781,11 +781,11 @@ This provides protection against off-path attackers and robustness against QUIC version unaware middleboxes, but not against on-path attackers. QUIC can use any of the ciphersuites defined in {{!TLS13}} with the exception of -those based on AEAD_AES_128_CCM_8 {{?CCM=RFC6655}}. AEAD_AES_128_CCM_8 does not -produce a large enough authentication tag for use with header protection -({{header-protect}}). All other ciphersuites defined in {{!TLS13}} have a -16-byte authentication tag and produce an output 16 bytes larger than their -input. +TLS_AES_128_CCM_8_SHA256. The AEAD for that ciphersuite, AEAD_AES_128_CCM_8 +{{?CCM=RFC6655}}, does not produce a large enough authentication tag for use +with header protection ({{header-protect}}). All other ciphersuites defined in +{{!TLS13}} have a 16-byte authentication tag and produce an output 16 bytes +larger than their input. The key and IV for the packet are computed as described in {{protection-keys}}. The nonce, N, is formed by combining the packet protection IV with the packet From 8529d06bbe155c7839e9a16d8aff34cdbf2866e3 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Mon, 26 Nov 2018 14:24:41 +1100 Subject: [PATCH 3/3] Just these header protection schemes, not more generally --- draft-ietf-quic-tls.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 7f3f26b9aa..2d779199b7 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md 
@@ -783,9 +783,9 @@ version unaware middleboxes, but not against on-path attackers. QUIC can use any of the ciphersuites defined in {{!TLS13}} with the exception of TLS_AES_128_CCM_8_SHA256. The AEAD for that ciphersuite, AEAD_AES_128_CCM_8 {{?CCM=RFC6655}}, does not produce a large enough authentication tag for use -with header protection ({{header-protect}}). All other ciphersuites defined in -{{!TLS13}} have a 16-byte authentication tag and produce an output 16 bytes -larger than their input. +with the header protection designs provided (see {{header-protect}}). All other +ciphersuites defined in {{!TLS13}} have a 16-byte authentication tag and produce +an output 16 bytes larger than their input. The key and IV for the packet are computed as described in {{protection-keys}}. The nonce, N, is formed by combining the packet protection IV with the packet
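Review bot: On the PATCH 1/3 hunk, the lines "+those based on AEAD_AES_128_CCM_8 {{?CCM=RFC6655}}. AEAD_AES_128_CCM_8 does not" / "+produce a large enough authentication tag for use with header protection" never say what "large enough" means in numbers. State the tag length of AEAD_AES_128_CCM_8 (8 octets, which is what the "_8" in the name from the cited RFC 6655 denotes) next to the 16 bytes the following sentence gives for every other suite, and state the sample length that {{header-protect}} needs, so a reader can see why 8 is too short without leaving the section. "those based on AEAD_AES_128_CCM_8" is also imprecise: TLS 1.3 defines exactly one such suite, so name it (TLS_AES_128_CCM_8_SHA256), as the next patch in this series does.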
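Review bot: On the PATCH 2/3 hunk, the exclusion is purely descriptive ("QUIC can use any of the ciphersuites defined in {{!TLS13}} with the exception of" / "+TLS_AES_128_CCM_8_SHA256.") with no requirements language and no defined behaviour when a peer nonetheless offers or the TLS stack selects that suite. Add a normative sentence after the exception, e.g. "Endpoints MUST NOT negotiate TLS_AES_128_CCM_8_SHA256", and say what an endpoint does if the handshake selects it anyway (TLS alert or QUIC connection error), otherwise implementations will disagree between failing the handshake and silently carrying on with a suite for which no header protection is defined.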
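Review bot: On the PATCH 3/3 hunk, narrowing to "+with the header protection designs provided (see {{header-protect}})" correctly leaves room for a future scheme that tolerates a shorter tag, but it opens a gap: nothing in the surrounding text says that a ciphersuite is usable only when a header protection scheme is defined for its AEAD, and "All other ciphersuites defined in {{!TLS13}}" reads as a blanket permission. Add a sentence such as "A ciphersuite MUST NOT be negotiated unless a header protection scheme is defined for it" so the rule generalizes beyond the one excluded suite. Minor wording: "designs provided" does not say provided where; "the header protection schemes defined in {{header-protect}}" is more precise.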