token-based greasing / initial packet protection #3166
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2789,6 +2789,23 @@ following steps: | |
| decrypts the embedded token and recovers the alternative initial salt, uses | ||
| that to decrypt the payload of the Initial packet. | ||
|
|
||
| * When sending a Retry in response to an Initial packet carrying an alternative | ||
| version number, the server embeds the NEW_TOKEN token found in the Initial | ||
| packet within the retry token it issues. Once the server receives a response | ||
| from the client carrying that retry token and the path is validated, it | ||
| decrypts the NEW_TOKEN token embedded in the retry token to recover the | ||
kazuho marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| alternative initial salt that is to be used for unprotecting the packet | ||
| payload. | ||
|
|
||
| Instead of associating a new alternative initial salt to every NEW_TOKEN token, | ||
kazuho marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| a server might map a fixed salt to each of the alternative version numbers it | ||
| issues. Such design is not recommended, as an active attacker might build a | ||
| list of known alternative version numbers and their initial salts and use that | ||
| list to decrypt the payload of Initial packets using those alternative version | ||
| numbers. But still, having a set of version numbers and initial salts used | ||
| concurrently is considered better than just using the default values of QUIC in | ||
| terms of preventing ossification. | ||
|
There was a problem hiding this comment. I am not comfortable with the slack given here. While it does improve things when salt is reused, it also gives the client a false sense of security. It would be better if the client could be certain that it does indeed sent private information on the wire. For example it might create an initial connection to bootstrap safety, similar to if it connected to a secure DNS with crypto keys (TBD), and then reconnects to send confidential informational information. Taking this one further, it would be advantageous if a token could be used across different server certificates so the initial certificate could be "harmless" in order to enhance privacy. There was a problem hiding this comment.
At the moment, we never provide that certainty. The only way to provide that is to send a public key in the NEW_TOKEN frame and do a DH to determine the initial salt. We can do that, but that's essentially about porting ESNI to QUIC. My assumption has so far been that such an effort would require time, and it would be better to do that as a separet draft (e.g., https://datatracker.ietf.org/doc/draft-kazuho-quic-authenticated-handshake/). |
||
|
|
||
| A server MUST NOT send a Version Negotitation packet in response to a long | ||
| header packet with an alternative version number it has advertised. | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an important design point that is hidden: the aliased version applies to all Initial packets that are sent. That means that the alternative salt is used when the server provides an updated connection ID. Do the Handshake and 0-RTT packets also use the aliased version? That needs to be right up front.