From 39c57edf6215964673155837dcf97880cac2fb63 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 27 Aug 2019 13:21:14 +1000 Subject: [PATCH 01/10] Perform stateless reset token comparisons in constant time Otherwise information about the token might leak. As @mikkelfj says, there is no strict need to compare across the entire set of values. That could leak two things: that the inbound packet was dropped and the total number of stateless reset tokens. Both are things that we might care about, but will probably find prohibitive to protect. Closes #2152. --- draft-ietf-quic-transport.md | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 9e09b89050..c2b4323242 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2561,12 +2561,23 @@ the packet other than the last 16 bytes for carrying data. An endpoint detects a potential stateless reset when an incoming packet either cannot be associated with a connection, cannot be decrypted, or is marked as a duplicate packet. The endpoint MUST then compare the last 16 bytes of the -packet with all Stateless Reset Tokens corresponding to active connection IDs -that the endpoint has used for sending packets to the IP address and port on -which the datagram is received. This includes Stateless Reset Tokens from -NEW_CONNECTION_ID frames and the server's transport parameters. An endpoint -MUST NOT check for any Stateless Reset Tokens associated with connection IDs it -has not used or for connection IDs that have been retired. +packet with all Stateless Reset Tokens that are associated with connection IDs +that the endpoint recently used to send packets from the IP address and port on +which the datagram is received. +This includes Stateless Reset Tokens from NEW_CONNECTION_ID frames and the +server's transport parameters but excludes Stateless Reset Tokens associated +with connection IDs that are either unused or retired. + +An endpoint MUST NOT check for any Stateless Reset Tokens associated with +connection IDs it has not used or for connection IDs that have been retired. + +When comparing a packet to Stateless Reset Token values, endpoints MUST perform +the comparison in constant time to avoid leaking information about valid values. +Performing this comparison in constant time only protects the value of +individual Stateless Reset Tokens from information leakage through timing side +channels; it does not protect information about whether a packet was +successfully decrypted, nor does it protect the number of valid Stateless Reset +Tokens. If the last 16 bytes of the packet values are identical to a Stateless Reset Token, the endpoint MUST enter the draining period and not send any further 
From c42516d7681ebbd61839bf83910dd37fc05465b1 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 4 Sep 2019 08:39:15 +1000 Subject: [PATCH 02/10] Be a little clearer about what is being protected --- draft-ietf-quic-transport.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index c2b4323242..29e57c3bcc 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -2572,11 +2572,11 @@ An endpoint MUST NOT check for any Stateless Reset Tokens associated with connection IDs it has not used or for connection IDs that have been retired. When comparing a packet to Stateless Reset Token values, endpoints MUST perform -the comparison in constant time to avoid leaking information about valid values. -Performing this comparison in constant time only protects the value of +the comparison without leaking information about the value of the token. +For example, performing this comparison in constant time protects the value of individual Stateless Reset Tokens from information leakage through timing side -channels; it does not protect information about whether a packet was -successfully decrypted, nor does it protect the number of valid Stateless Reset +channels. An endpoint is not expected to protect information about whether a +packet was successfully decrypted, or the number of valid Stateless Reset Tokens. If the last 16 bytes of the packet values are identical to a Stateless Reset From 3bd85b455bad9d6e6196f6f04454701661d077f8 Mon Sep 17 00:00:00 2001 From: Kazuho Oku Date: Thu, 5 Sep 2019 10:28:09 +0900 Subject: [PATCH 03/10] add example that uses PRF --- draft-ietf-quic-transport.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 29e57c3bcc..75c5430390 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2575,9 +2575,12 @@ When comparing a packet to Stateless Reset Token values, endpoints MUST perform the comparison without leaking information about the value of the token. For example, performing this comparison in constant time protects the value of individual Stateless Reset Tokens from information leakage through timing side -channels. An endpoint is not expected to protect information about whether a -packet was successfully decrypted, or the number of valid Stateless Reset -Tokens. +channels. Another approach would be to store and compare the transformed values +of Stateless Reset Tokens instead of the raw token values, where the +transformation is defined as a cryptographically-secure pseudo-random function +using a secret key (e.g., block cipher, HMAC {{?RFC2104}}). An endpoint is not +expected to protect information about whether a packet was successfully +decrypted, or the number of valid Stateless Reset Tokens. If the last 16 bytes of the packet values are identical to a Stateless Reset Token, the endpoint MUST enter the draining period and not send any further From 03979a0235d6fd3ff79555911c79bc5c10e2b61a Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Thu, 10 Oct 2019 10:43:30 +1100 Subject: [PATCH 04/10] Fix stateless reset ordering; use datagrams This removes the strict requirement on processing order for stateless reset. This allows endpoints to decide whether to process every packet this way or to just treat those that fail to be processed for other reasons. This also switches to detection on a *datagram* basis. Closes #3085. --- draft-ietf-quic-transport.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 75c5430390..6ffab87e61 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2558,21 +2558,25 @@ the packet other than the last 16 bytes for carrying data. ### Detecting a Stateless Reset -An endpoint detects a potential stateless reset when an incoming packet either -cannot be associated with a connection, cannot be decrypted, or is marked as a -duplicate packet. The endpoint MUST then compare the last 16 bytes of the -packet with all Stateless Reset Tokens that are associated with connection IDs -that the endpoint recently used to send packets from the IP address and port on -which the datagram is received. +An endpoint detects a potential stateless reset using the trailing 16 bytes of +the UDP datagram. The endpoint compare the last 16 bytes of the datagram with +all Stateless Reset Tokens that are associated with connection IDs that the +endpoint recently used to send packets from the IP address and port on which the +datagram is received. This includes Stateless Reset Tokens from NEW_CONNECTION_ID frames and the server's transport parameters but excludes Stateless Reset Tokens associated with connection IDs that are either unused or retired. +This comparison can be performed for every inbound datagram, but it MUST be +performed when the first packet in an incoming datagram either cannot be +associated with a connection, cannot be decrypted, or is identified as a +duplicate. + An endpoint MUST NOT check for any Stateless Reset Tokens associated with connection IDs it has not used or for connection IDs that have been retired. -When comparing a packet to Stateless Reset Token values, endpoints MUST perform -the comparison without leaking information about the value of the token. +When comparing a datagram to Stateless Reset Token values, endpoints MUST +perform the comparison without leaking information about the value of the token. For example, performing this comparison in constant time protects the value of individual Stateless Reset Tokens from information leakage through timing side channels. 
Another approach would be to store and compare the transformed values @@ -2582,10 +2586,9 @@ using a secret key (e.g., block cipher, HMAC {{?RFC2104}}). An endpoint is not expected to protect information about whether a packet was successfully decrypted, or the number of valid Stateless Reset Tokens. -If the last 16 bytes of the packet values are identical to a Stateless Reset +If the last 16 bytes of the datagram are identical in value to a Stateless Reset Token, the endpoint MUST enter the draining period and not send any further -packets on this connection. If the comparison fails, the packet can be -discarded. +packets on this connection. ### Calculating a Stateless Reset Token {#reset-token} From 354183119367ddc2f08ae4604c1323600d5bfe4c Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Thu, 10 Oct 2019 10:53:21 +1100 Subject: [PATCH 05/10] Reword again --- draft-ietf-quic-transport.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 6ffab87e61..2dd4dbcd6c 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2567,10 +2567,11 @@ This includes Stateless Reset Tokens from NEW_CONNECTION_ID frames and the server's transport parameters but excludes Stateless Reset Tokens associated with connection IDs that are either unused or retired. -This comparison can be performed for every inbound datagram, but it MUST be -performed when the first packet in an incoming datagram either cannot be -associated with a connection, cannot be decrypted, or is identified as a -duplicate. +This comparison can be performed for every inbound datagram. Endpoints MAY skip +this check if packets from a datagram are successfully processed. However, the +comparison MUST be performed when the first packet in an incoming datagram +either cannot be associated with a connection, cannot be decrypted, or is +identified as a duplicate. An endpoint MUST NOT check for any Stateless Reset Tokens associated with connection IDs it has not used or for connection IDs that have been retired. From 562ac4e7deaf80d50082f89507e72d9b5b71ecc6 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 15 Oct 2019 10:49:06 -0700 Subject: [PATCH 06/10] duplicates are just duplicate packet numbers Co-Authored-By: Jana Iyengar --- draft-ietf-quic-transport.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 2dd4dbcd6c..064a9f08a8 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2570,8 +2570,8 @@ with connection IDs that are either unused or retired. This comparison can be performed for every inbound datagram. Endpoints MAY skip this check if packets from a datagram are successfully processed. However, the comparison MUST be performed when the first packet in an incoming datagram -either cannot be associated with a connection, cannot be decrypted, or is -identified as a duplicate. +either cannot be associated with a connection, cannot be decrypted, or carries +a duplicate packet number. An endpoint MUST NOT check for any Stateless Reset Tokens associated with connection IDs it has not used or for connection IDs that have been retired. From a5ecd238daf0f59a35460085c8b05a2c6011243a Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 15 Oct 2019 10:49:35 -0700 Subject: [PATCH 07/10] compares Co-Authored-By: Jana Iyengar --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 064a9f08a8..7769ae7307 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -2559,7 +2559,7 @@ the packet other than the last 16 bytes for carrying data. ### Detecting a Stateless Reset An endpoint detects a potential stateless reset using the trailing 16 bytes of -the UDP datagram. The endpoint compare the last 16 bytes of the datagram with +the UDP datagram. The endpoint compares the last 16 bytes of the datagram with all Stateless Reset Tokens that are associated with connection IDs that the endpoint recently used to send packets from the IP address and port on which the datagram is received. From 0b654d69abd679010d3640b7a63d8488bc81f0ff Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 15 Oct 2019 10:50:54 -0700 Subject: [PATCH 08/10] any packet --- draft-ietf-quic-transport.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 7769ae7307..75398314f9 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -2568,8 +2568,8 @@ server's transport parameters but excludes Stateless Reset Tokens associated with connection IDs that are either unused or retired. This comparison can be performed for every inbound datagram. Endpoints MAY skip -this check if packets from a datagram are successfully processed. However, the -comparison MUST be performed when the first packet in an incoming datagram +this check if any packet from a datagram is successfully processed. However, +the comparison MUST be performed when the first packet in an incoming datagram either cannot be associated with a connection, cannot be decrypted, or carries a duplicate packet number. From 59a8238dd289a5c7e54a40ca9a791227ae69284d Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 15 Oct 2019 11:06:36 -0700 Subject: [PATCH 09/10] Apply Jana's suggestion --- draft-ietf-quic-transport.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 75398314f9..9ebd1b69d6 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2559,13 +2559,14 @@ the packet other than the last 16 bytes for carrying data. ### Detecting a Stateless Reset An endpoint detects a potential stateless reset using the trailing 16 bytes of -the UDP datagram. The endpoint compares the last 16 bytes of the datagram with -all Stateless Reset Tokens that are associated with connection IDs that the -endpoint recently used to send packets from the IP address and port on which the -datagram is received. +the UDP datagram. An endpoint remembers all Stateless Reset Tokens associated +with the connection IDs and remote addresses for datagrams it has recently sent. This includes Stateless Reset Tokens from NEW_CONNECTION_ID frames and the server's transport parameters but excludes Stateless Reset Tokens associated -with connection IDs that are either unused or retired. +with connection IDs that are either unused or retired. The endpoint identifies +a received datagram as a stateless reset by comparing the last 16 bytes of the +datagram with all Stateless Reset Tokens associated with the remote address on +which the datagram was received. This comparison can be performed for every inbound datagram. Endpoints MAY skip this check if any packet from a datagram is successfully processed. However, From 963d9161da75d43f9500818c8f012a84100d38ac Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 16 Oct 2019 14:21:48 -0700 Subject: [PATCH 10/10] Remove duplicate requirement as being bad/nonsensical --- draft-ietf-quic-transport.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 9ebd1b69d6..823ec23162 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2571,8 +2571,7 @@ which the datagram was received. This comparison can be performed for every inbound datagram. Endpoints MAY skip this check if any packet from a datagram is successfully processed. However, the comparison MUST be performed when the first packet in an incoming datagram -either cannot be associated with a connection, cannot be decrypted, or carries -a duplicate packet number. +either cannot be associated with a connection, or cannot be decrypted. An endpoint MUST NOT check for any Stateless Reset Tokens associated with connection IDs it has not used or for connection IDs that have been retired.
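
Review bot: In PATCH 01/10, the added text states the unused/retired exclusion twice in a row: first as "but excludes Stateless Reset Tokens associated with connection IDs that are either unused or retired", then as the new paragraph "An endpoint MUST NOT check for any Stateless Reset Tokens associated with connection IDs it has not used or for connection IDs that have been retired." Keep the normative MUST NOT and drop the descriptive clause, so the two cannot drift apart in later edits. The same hunk introduces "recently used to send packets" without saying what "recently" means; an implementer needs to know when a token may be forgotten.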
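
Review bot: In PATCH 03/10, the sentence "store and compare the transformed values of Stateless Reset Tokens instead of the raw token values" never says that the trailing 16 bytes of the received packet must be passed through the same keyed function before the comparison. As written it can be read as comparing raw received bytes against transformed stored values, which would never match. Suggest adding that the endpoint applies the transformation to the received bytes and compares the outputs. The new sentence also sits between the constant-time example and "An endpoint is not expected to protect ...", which now reads as if it qualified only the PRF approach; a paragraph break before "An endpoint is not expected" would make clear it applies to both.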
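
Review bot: In PATCH 04/10, second hunk, removing "If the comparison fails, the packet can be discarded." leaves the section with no statement of what an endpoint does when the trailing 16 bytes match no token. Since the comparison can now run for every inbound datagram, the no-match outcome is the common case and deserves a sentence, for example that the datagram is then handled as it would have been without the check. In the context just above, "whether a packet was successfully decrypted" still speaks of a packet while the rest of the change moves to datagram terms.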
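
Review bot: In PATCH 08/10, "Endpoints MAY skip this check if any packet from a datagram is successfully processed" overlaps with the MUST in the sentence that follows it. For a datagram carrying more than one packet, where the first packet cannot be decrypted but a later one is processed, the text both permits skipping the comparison and requires it. State which rule wins, for example by making the MUST apply only when no packet in the datagram was successfully processed, or by limiting the MAY to the case where the first packet was processed.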
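
Review bot: In PATCH 09/10, "the remote address on which the datagram was received" mixes up the two ends: a datagram is received from a remote address and on a local one. Suggest "the remote address from which the datagram was received". The rewrite also replaces "the IP address and port" with "remote addresses", so say explicitly whether the port is part of the match. "datagrams it has recently sent" keeps the undefined "recently" from the earlier wording.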
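
Review bot: In PATCH 10/10, with only two alternatives left, "either cannot be associated with a connection, or cannot be decrypted" should lose the comma before "or". The commit message calls the removed duplicate-packet-number condition "bad/nonsensical" without giving the reason; one sentence of rationale in the message would help anyone reading the history of this requirement.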