From f220d9994308b4c348aa9ec79954c4256797da36 Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Thu, 17 Oct 2019 16:07:17 -0700 Subject: [PATCH 01/12] Add retry integrity tag --- draft-ietf-quic-tls.md | 58 ++++++++++++++++++++++++++++++++++++ draft-ietf-quic-transport.md | 44 +++++++++++---------------- 2 files changed, 75 insertions(+), 27 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index d93f1702f0..d47372f318 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md 
@@ -1197,6 +1197,64 @@ TLS ClientHello. The server MAY retain these packets for later decryption in anticipation of receiving a ClientHello. +## Retry Packet Integrity {#retry-integrity} + +Retry packets (see the Retry Packet section of {{QUIC-TRANSPORT}}) carry a +Retry Integrity Tag that provides two properties: it allows discarding +packets that have accidentally been corrupted by the network, and it ensures +that valid Retry packets cannot be sent by off-path attackers. + +The Retry Integrity Tag is a 128-bit field that is computed as the output of +AEAD_AES_128_GCM used with the following inputs: + +- The key is 128 bits all set to zero. +- The nonce is 96 bits all set to zero. +- The plaintext is empty. +- The associated data is the contents of the Retry Pseudo-Packet, as described + in {{retry-pseudo}}: + +~~~ + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ++-+-+-+-+-+-+-+-+ +|1|1| 3 | Unused| ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Version (32) | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| DCID Len (8) | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Destination Connection ID (0..160) ... ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| SCID Len (8) | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Source Connection ID (0..160) ... ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Retry Token (*) ... ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| ODCID Len (8) | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Original Destination Connection ID (0..160) ... ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +~~~ +{: #retry-pseudo title="Retry Pseudo-Packet"} + +The Retry Pseudo-Packet is not sent over the wire. 
It is computed by taking +the transmitted Retry packet and replacing the Retry Integrity Tag with the two +following fields: + +ODCID Len: + +: The ODCID Len contains the length in bytes of the Original Destination + Connection ID field that follows it, encoded as an 8-bit unsigned integer. + +Original Destination Connection ID: + +: The Original Destination Connection ID contains the value of the Destination + Connection ID from the Initial packet that this Retry is in response to. The + length of this field is given in ODCID Len. The presence of this field + prevents an off-path attacker from injecting a Retry packet. + + # Key Update Once the handshake is confirmed, it is possible to update the keys. The diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 9e09b89050..7fb8057ea4 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -2736,7 +2736,7 @@ available. ## Protected Packets {#packet-protected} -All QUIC packets except Version Negotiation and Retry packets use authenticated +All QUIC packets except Version Negotiation packets use authenticated encryption with additional data (AEAD) {{!RFC5116}} to provide confidentiality and integrity protection. Details of packet protection are found in {{QUIC-TLS}}; this section includes an overview of the process. 
@@ -4111,12 +4111,16 @@ wishes to perform a retry (see {{validate-handshake}}). +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Connection ID (0..160) ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| ODCID Len (8) | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Original Destination Connection ID (0..160) ... -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Retry Token (*) ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| | ++ + +| | ++ Retry Integrity Tag (128) + +| | ++ + +| | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~~~ {: #retry-format title="Retry Packet"} @@ -4124,24 +4128,14 @@ A Retry packet (shown in {{retry-format}}) does not contain any protected fields. The value in the Unused field is selected randomly by the server. In addition to the long header, it contains these additional fields: -ODCID Len: - -: The ODCID Len contains the length in bytes of the Original Destination - Connection ID field that follows it. This length is encoded as a 8-bit - unsigned integer. In QUIC version 1, this value MUST NOT exceed 20 bytes. - Clients that receive a version 1 Retry Packet with a value larger than 20 MUST - drop the packet. - -Original Destination Connection ID: - -: The Original Destination Connection ID contains the value of the Destination - Connection ID from the Initial packet that this Retry is in response to. The - length of this field is given in ODCID Len. - Retry Token: : An opaque token that the server can use to validate the client's address. +Retry Integrity Tag: + +: See the Retry Packet Integrity section of {{QUIC-TLS}}. + 
@@ -4163,10 +4157,9 @@ A client MUST accept and process at most one Retry packet for each connection attempt. After the client has received and processed an Initial or Retry packet from the server, it MUST discard any subsequent Retry packets that it receives. -Clients MUST discard Retry packets that contain an Original Destination -Connection ID field that does not match the Destination Connection ID from its -Initial packet. This prevents an off-path attacker from injecting a Retry -packet. +Clients MUST discard Retry packets whose Retry Integrity Tag cannot be +validated, see the Retry Packet Integrity section of {{QUIC-TLS}}. This prevents +an off-path attacker from injecting a Retry packet. The client responds to a Retry packet with an Initial packet that includes the provided Retry Token to continue connection establishment. @@ -4196,10 +4189,7 @@ processing a Retry packet; {{packet-0rtt}} contains more information on this. A server acknowledges the use of a Retry packet for a connection using the original_connection_id transport parameter (see -{{transport-parameter-definitions}}). If the server sends a Retry packet, it -MUST include the value of the Original Destination Connection ID field of the -Retry packet (that is, the Destination Connection ID field from the client's -first Initial packet) in the transport parameter. +{{transport-parameter-definitions}}). If the client received and processed a Retry packet, it MUST validate that the original_connection_id transport parameter is present and correct; otherwise, it From 3e9418312ad9c224063fce42da0be441acd9a7ab Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Fri, 18 Oct 2019 10:08:18 -0700 Subject: [PATCH 02/12] fix retry tp --- draft-ietf-quic-transport.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 7fb8057ea4..6994ad0a1b 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -4189,7 +4189,9 @@ processing a Retry packet; {{packet-0rtt}} contains more information on this. A server acknowledges the use of a Retry packet for a connection using the original_connection_id transport parameter (see -{{transport-parameter-definitions}}). +{{transport-parameter-definitions}}). If the server sends a Retry packet, it +MUST include the Destination Connection ID field from the client's first +Initial packet in the transport parameter. If the client received and processed a Retry packet, it MUST validate that the original_connection_id transport parameter is present and correct; otherwise, it From a7fa53b81c09e2031051f3dbe9e120c52f3174eb Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Fri, 18 Oct 2019 10:11:44 -0700 Subject: [PATCH 03/12] fix retry tp --- draft-ietf-quic-tls.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index d47372f318..2109c1c86c 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -1216,7 +1216,11 @@ AEAD_AES_128_GCM used with the following inputs: ~~~ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 -+-+-+-+-+-+-+-+-+ ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| ODCID Len (8) | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Original Destination Connection ID (0..160) ... ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1|1| 3 | Unused| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version (32) | 
@@ -1231,16 +1235,12 @@ AEAD_AES_128_GCM used with the following inputs: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Retry Token (*) ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| ODCID Len (8) | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Original Destination Connection ID (0..160) ... -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~~~ {: #retry-pseudo title="Retry Pseudo-Packet"} The Retry Pseudo-Packet is not sent over the wire. It is computed by taking -the transmitted Retry packet and replacing the Retry Integrity Tag with the two -following fields: +the transmitted Retry packet, removing the Retry Integrity Tag and prepending +the two following fields: ODCID Len: From 4aae5f258dfc27ca950b64481a433da39c3c8893 Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Fri, 18 Oct 2019 15:06:22 -0700 Subject: [PATCH 04/12] cawood's review --- draft-ietf-quic-tls.md | 6 +++--- draft-ietf-quic-transport.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 2109c1c86c..0a1341d389 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -1201,8 +1201,8 @@ anticipation of receiving a ClientHello. Retry packets (see the Retry Packet section of {{QUIC-TRANSPORT}}) carry a Retry Integrity Tag that provides two properties: it allows discarding -packets that have accidentally been corrupted by the network, and it ensures -that valid Retry packets cannot be sent by off-path attackers. +packets that have accidentally been corrupted by the network, and it mitigates +off-path attackers' ability to send valid Retry packets. The Retry Integrity Tag is a 128-bit field that is computed as the output of AEAD_AES_128_GCM used with the following inputs: 
@@ -1252,7 +1252,7 @@ Original Destination Connection ID: : The Original Destination Connection ID contains the value of the Destination Connection ID from the Initial packet that this Retry is in response to. The length of this field is given in ODCID Len. The presence of this field - prevents an off-path attacker from injecting a Retry packet. + mitigates an off-path attacker's ability to inject a Retry packet. # Key Update diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 6994ad0a1b..5a17a61e5d 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -4158,8 +4158,8 @@ attempt. After the client has received and processed an Initial or Retry packet from the server, it MUST discard any subsequent Retry packets that it receives. Clients MUST discard Retry packets whose Retry Integrity Tag cannot be -validated, see the Retry Packet Integrity section of {{QUIC-TLS}}. This prevents -an off-path attacker from injecting a Retry packet. +validated, see the Retry Packet Integrity section of {{QUIC-TLS}}. This +mitigates an off-path attacker's ability to inject a Retry packet. The client responds to a Retry packet with an Initial packet that includes the provided Retry Token to continue connection establishment. From eeb4ce37462c90023a0edfc45df9442e37f49732 Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Mon, 21 Oct 2019 18:51:44 -0700 Subject: [PATCH 05/12] MT editorial changes Co-Authored-By: Martin Thomson --- draft-ietf-quic-tls.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 0a1341d389..99ee9aad98 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md 
@@ -1205,10 +1205,10 @@ packets that have accidentally been corrupted by the network, and it mitigates off-path attackers' ability to send valid Retry packets. The Retry Integrity Tag is a 128-bit field that is computed as the output of -AEAD_AES_128_GCM used with the following inputs: +AEAD_AES_128_GCM {{!AEAD=RFC5116}} used with the following inputs: -- The key is 128 bits all set to zero. -- The nonce is 96 bits all set to zero. +- The secret key, K, is 128 bits all set to zero. +- The nonce, N, is 96 bits all set to zero. - The plaintext is empty. - The associated data is the contents of the Retry Pseudo-Packet, as described in {{retry-pseudo}}: From 467e31ed2e742ae6d3aff6e472fb7987d284929f Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Mon, 21 Oct 2019 19:00:21 -0700 Subject: [PATCH 06/12] Review suggestion from MT --- draft-ietf-quic-transport.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 5a17a61e5d..96eee166fa 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -4159,7 +4159,8 @@ from the server, it MUST discard any subsequent Retry packets that it receives. Clients MUST discard Retry packets whose Retry Integrity Tag cannot be validated, see the Retry Packet Integrity section of {{QUIC-TLS}}. This -mitigates an off-path attacker's ability to inject a Retry packet. +mitigates an off-path attacker's ability to inject a Retry packet, and protects +against accidental corruption of Retry packets. The client responds to a Retry packet with an Initial packet that includes the provided Retry Token to continue connection establishment. From 8c45cc9e37ff1689497e844e3bf6b867138f1f95 Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Wed, 23 Oct 2019 13:34:24 -0700 Subject: [PATCH 07/12] Editorial fix from MikeBishop Co-Authored-By: Mike Bishop --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 96eee166fa..fd276aad81 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -4159,7 +4159,7 @@ from the server, it MUST discard any subsequent Retry packets that it receives. Clients MUST discard Retry packets whose Retry Integrity Tag cannot be validated, see the Retry Packet Integrity section of {{QUIC-TLS}}. This -mitigates an off-path attacker's ability to inject a Retry packet, and protects +mitigates an off-path attacker's ability to inject a Retry packet and protects against accidental corruption of Retry packets. The client responds to a Retry packet with an Initial packet that includes the From c056d3063fe3ddf5ba3c31778ec4a721c15a49f3 Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Thu, 24 Oct 2019 19:31:02 -0700 Subject: [PATCH 08/12] MT suggestions Co-Authored-By: Martin Thomson --- draft-ietf-quic-tls.md | 4 ++-- draft-ietf-quic-transport.md | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 99ee9aad98..fc82327a67 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -1209,8 +1209,8 @@ AEAD_AES_128_GCM {{!AEAD=RFC5116}} used with the following inputs: - The secret key, K, is 128 bits all set to zero. - The nonce, N, is 96 bits all set to zero. -- The plaintext is empty. -- The associated data is the contents of the Retry Pseudo-Packet, as described +- The plaintext, P, is empty. +- The associated data, A, is the contents of the Retry Pseudo-Packet, as illustrated in {{retry-pseudo}}: ~~~ diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index fd276aad81..e2789f527c 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2738,7 +2738,8 @@ available. All QUIC packets except Version Negotiation packets use authenticated encryption with additional data (AEAD) {{!RFC5116}} to provide confidentiality -and integrity protection. Details of packet protection are found in + and integrity protection. Retry packets use an AEAD to provide integrity + protection. Details of packet protection are found in {{QUIC-TLS}}; this section includes an overview of the process. Initial packets are protected using keys that are statically derived. This @@ -4157,7 +4158,7 @@ A client MUST accept and process at most one Retry packet for each connection attempt. After the client has received and processed an Initial or Retry packet from the server, it MUST discard any subsequent Retry packets that it receives. -Clients MUST discard Retry packets whose Retry Integrity Tag cannot be +Clients MUST discard Retry packets that have a Retry Integrity Tag that cannot be validated, see the Retry Packet Integrity section of {{QUIC-TLS}}. This mitigates an off-path attacker's ability to inject a Retry packet and protects against accidental corruption of Retry packets. From 739d272564a791476b75cff0a6ea258f0e4d17a8 Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Thu, 24 Oct 2019 19:35:45 -0700 Subject: [PATCH 09/12] fixup line length --- draft-ietf-quic-tls.md | 4 ++-- draft-ietf-quic-transport.md | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index fc82327a67..4de7914073 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md 
@@ -1210,8 +1210,8 @@ AEAD_AES_128_GCM {{!AEAD=RFC5116}} used with the following inputs: - The secret key, K, is 128 bits all set to zero. - The nonce, N, is 96 bits all set to zero. - The plaintext, P, is empty. -- The associated data, A, is the contents of the Retry Pseudo-Packet, as illustrated - in {{retry-pseudo}}: +- The associated data, A, is the contents of the Retry Pseudo-Packet, as + illustrated in {{retry-pseudo}}: ~~~ 0 1 2 3 diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index e2789f527c..960808ff6b 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -2738,9 +2738,9 @@ available. All QUIC packets except Version Negotiation packets use authenticated encryption with additional data (AEAD) {{!RFC5116}} to provide confidentiality - and integrity protection. Retry packets use an AEAD to provide integrity - protection. Details of packet protection are found in -{{QUIC-TLS}}; this section includes an overview of the process. +and integrity protection. Retry packets use an AEAD to provide integrity +protection. Details of packet protection are found in {{QUIC-TLS}}; this +section includes an overview of the process. Initial packets are protected using keys that are statically derived. This packet protection is not effective confidentiality protection. Initial 
@@ -4158,8 +4158,8 @@ A client MUST accept and process at most one Retry packet for each connection attempt. After the client has received and processed an Initial or Retry packet from the server, it MUST discard any subsequent Retry packets that it receives. -Clients MUST discard Retry packets that have a Retry Integrity Tag that cannot be -validated, see the Retry Packet Integrity section of {{QUIC-TLS}}. This +Clients MUST discard Retry packets that have a Retry Integrity Tag that cannot +be validated, see the Retry Packet Integrity section of {{QUIC-TLS}}. This mitigates an off-path attacker's ability to inject a Retry packet and protects against accidental corruption of Retry packets. From a61c2b36de62fc10694951fcaf47dcf01633f2ae Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Fri, 15 Nov 2019 15:19:19 +0800 Subject: [PATCH 10/12] Comment from Christian Huitema --- draft-ietf-quic-tls.md | 2 +- draft-ietf-quic-transport.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 1387fcef06..c04a51d628 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -1209,7 +1209,7 @@ anticipation of receiving a ClientHello. Retry packets (see the Retry Packet section of {{QUIC-TRANSPORT}}) carry a Retry Integrity Tag that provides two properties: it allows discarding -packets that have accidentally been corrupted by the network, and it mitigates +packets that have accidentally been corrupted by the network, and it diminishes off-path attackers' ability to send valid Retry packets. The Retry Integrity Tag is a 128-bit field that is computed as the output of diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 7e19ab5aff..175caaf420 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -4181,7 +4181,7 @@ from the server, it MUST discard any subsequent Retry packets that it receives. Clients MUST discard Retry packets that have a Retry Integrity Tag that cannot be validated, see the Retry Packet Integrity section of {{QUIC-TLS}}. This -mitigates an off-path attacker's ability to inject a Retry packet and protects +diminishes an off-path attacker's ability to inject a Retry packet and protects against accidental corruption of Retry packets. The client responds to a Retry packet with an Initial packet that includes the From 98c7e87650c7e4934dbe667334335233e3f8a415 Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Mon, 18 Nov 2019 19:16:29 +0800 Subject: [PATCH 11/12] Use initial_salt instead of zero key --- draft-ietf-quic-tls.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index c04a51d628..c4d1b7ec55 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -1215,7 +1215,8 @@ off-path attackers' ability to send valid Retry packets. The Retry Integrity Tag is a 128-bit field that is computed as the output of AEAD_AES_128_GCM {{!AEAD=RFC5116}} used with the following inputs: -- The secret key, K, is 128 bits all set to zero. +- The secret key, K, is 128 bits equal to the initial_salt defined in + {{initial-secrets}}. - The nonce, N, is 96 bits all set to zero. - The plaintext, P, is empty. - The associated data, A, is the contents of the Retry Pseudo-Packet, as From bdde08d8ac2d62954dc3fb0b49322b339e5a4a5c Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Wed, 20 Nov 2019 11:14:05 +0800 Subject: [PATCH 12/12] make new key --- draft-ietf-quic-tls.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index c4d1b7ec55..2857977952 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md 
@@ -1215,8 +1215,7 @@ off-path attackers' ability to send valid Retry packets. The Retry Integrity Tag is a 128-bit field that is computed as the output of AEAD_AES_128_GCM {{!AEAD=RFC5116}} used with the following inputs: -- The secret key, K, is 128 bits equal to the initial_salt defined in - {{initial-secrets}}. +- The secret key, K, is 128 bits equal to 0xf5ed4642e0e4c8d878bbbc8a828821c9. - The nonce, N, is 96 bits all set to zero. - The plaintext, P, is empty. - The associated data, A, is the contents of the Retry Pseudo-Packet, as
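Review bot: the new Retry Packet Integrity section (patch 01, draft-ietf-quic-tls.md, hunk @@ -1197) overstates the property when it says the tag "ensures that valid Retry packets cannot be sent by off-path attackers". With K and N fixed to public all-zero constants and an empty plaintext, anyone can compute the tag for any pseudo-packet; the only input an off-path attacker lacks is the Original Destination Connection ID, so the guarantee is exactly as strong as the unpredictability of that value, and a party that has observed the client's Initial can produce a valid tag. Suggest stating this explicitly, for example "The key is not secret; the tag binds the Retry packet to the client's original Destination Connection ID, which an off-path attacker does not know", and softening "ensures ... cannot" to "mitigates" as later patches in this series do.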
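Review bot: the edit to "All QUIC packets except Version Negotiation packets use authenticated encryption with additional data (AEAD) ... to provide confidentiality and integrity protection" (patch 01, draft-ietf-quic-transport.md, hunk @@ -2736) now asserts confidentiality for Retry packets, while the Retry definition later in the same patch says a Retry packet "does not contain any protected fields". Either keep Retry in the exception list or add a sentence that Retry packets use the AEAD for integrity only, with no encrypted payload; patch 08 in this series takes the second route.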
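Review bot: the Retry Integrity Tag field definition (patch 01, draft-ietf-quic-transport.md, hunk @@ -4124) only points to the TLS draft, and the figure in the preceding hunk (@@ -4111) shows "Retry Token (*)" immediately followed by a fixed 128-bit tag with no length prefix for the token. The text should say that the Retry Token extends up to the last 16 bytes of the packet, and add the matching parsing check: a Retry packet whose remaining length after the Source Connection ID is less than 16 bytes cannot carry a tag and MUST be discarded. As written, the token length is left for implementers to infer and the too-short case is unspecified.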
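Review bot: in "Clients MUST discard Retry packets whose Retry Integrity Tag cannot be validated, see the Retry Packet Integrity section of {{QUIC-TLS}}." (patch 01, draft-ietf-quic-transport.md, hunk @@ -4163) the comma splice should become a semicolon or a parenthetical: "... cannot be validated; see the Retry Packet Integrity section of {{QUIC-TLS}}." The same sentence is reworked in patches 04, 06, 07, 08, 09 and 10 and the splice survives all of them. "This prevents an off-path attacker from injecting a Retry packet" also deserves the weaker wording the series later adopts, because the tag key is a public constant and the protection rests only on the attacker not knowing the original Destination Connection ID.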
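Review bot: the hunk at @@ -4196 in draft-ietf-quic-transport.md (patch 01) deletes the requirement that a server sending a Retry MUST include the client's first Destination Connection ID in the original_connection_id transport parameter, but leaves the following sentence, "If the client received and processed a Retry packet, it MUST validate that the original_connection_id transport parameter is present and correct", in place. The client-side MUST now checks a value the server is no longer required to send. Keep a server-side MUST (patch 02 in this series restores one); if the intent was only to drop the mention of the removed Original Destination Connection ID field, reword the sentence rather than deleting it.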
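Review bot: patch 03 moves ODCID Len and Original Destination Connection ID from the end of the Retry Pseudo-Packet to the front and changes "replacing the Retry Integrity Tag with" to "removing the Retry Integrity Tag and prepending", which changes the bytes the tag is computed over, yet the commit message "fix retry tp" is copied from patch 02 and does not describe this; anyone bisecting an interoperability failure between the two layouts will not find it. Suggest a message such as "Move ODCID to the front of the Retry Pseudo-Packet" and, in the prose, one sentence giving the byte order explicitly (ODCID Len, Original Destination Connection ID, then the Retry packet up to but excluding its final 16 bytes) so implementers do not have to reconstruct it from the figure.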
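Review bot: the two added lines in draft-ietf-quic-transport.md, hunk @@ -2738 of patch 08, " and integrity protection. Retry packets use an AEAD to provide integrity" and " protection. Details of packet protection are found in", carry a leading space that the surrounding paragraph does not, and the first runs past the draft's line width. Patch 09 ("fixup line length") reflows them; squashing that fix into this commit would keep every intermediate revision well-formed.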
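Review bot: "The secret key, K, is 128 bits equal to the initial_salt defined in {{initial-secrets}}" (patch 11, draft-ietf-quic-tls.md, hunk @@ -1215) only works if initial_salt is exactly 16 bytes; the hunk does not say so, and if the salt has any other length the text needs a truncation or padding rule, or implementations will disagree on K. Reusing the HKDF salt as an AEAD key also ties the two constants together, so changing one in a future draft silently changes the other. A dedicated constant, as patch 12 in this series adopts, is the cleaner choice.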
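Review bot: patch 12 replaces the key with the literal "0xf5ed4642e0e4c8d878bbbc8a828821c9", but neither the hunk nor the commit message ("make new key") records how the value was produced. Since K is printed in the draft it is not a secret, and the paragraph should say so, and it should state the derivation (or that the value was chosen arbitrarily) so readers can verify it carries no special structure. The nonce N stays fixed at zero; with a fixed public key and an empty plaintext the AEAD is being used purely as a MAC over the associated data, and one sentence saying so would forestall readers flagging the fixed nonce as a GCM misuse.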