New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
token-based greasing / initial packet protection #3166
Changes from 1 commit
048788c
5067498
58468c5
42a7387
81dc3d9
2553793
d16700d
06bd108
6158bd9
7eded0a
0720ef3
14469be
4e95ee6
bacab50
d9ec324
3f4e7cc
69d9969
373257b
94a5a1b
5f853ad
75735e0
44c2b1d
d557fb7
7d0fa47
3caa73e
ead19c0
bd45b37
0a45df1
d683da8
febd899
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2789,6 +2789,23 @@ following steps: | |
decrypts the embedded token and recovers the alternative initial salt, uses | ||
that to decrypt the payload of the Initial packet. | ||
|
||
* When sending a Retry in response to an Initial packet carrying an alternative | ||
version number, the server embeds the NEW_TOKEN token found in the Initial | ||
packet within the retry token it issues. Once the server receives a response | ||
from the client carrying that retry token and the path is validated, it | ||
decrypts the NEW_TOKEN token embedded in the retry token to recover the | ||
kazuho marked this conversation as resolved.
Show resolved
Hide resolved
|
||
alternative initial salt that is to be used for unprotecting the packet | ||
payload. | ||
|
||
Instead of associating a new alternative initial salt to every NEW_TOKEN token, | ||
kazuho marked this conversation as resolved.
Show resolved
Hide resolved
|
||
a server might map a fixed salt to each of the alternative version numbers it | ||
issues. Such design is not recommended, as an active attacker might build a | ||
list of known alternative version numbers and their initial salts and use that | ||
list to decrypt the payload of Initial packets using those alternative version | ||
numbers. But still, having a set of version numbers and initial salts used | ||
concurrently is considered better than just using the default values of QUIC in | ||
terms of preventing ossification. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I am not comfortable with the slack given here. While it does improve things when salt is reused, it also gives the client a false sense of security. It would be better if the client could be certain that it does indeed sent private information on the wire. For example it might create an initial connection to bootstrap safety, similar to if it connected to a secure DNS with crypto keys (TBD), and then reconnects to send confidential informational information. Taking this one further, it would be advantageous if a token could be used across different server certificates so the initial certificate could be "harmless" in order to enhance privacy. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
At the moment, we never provide that certainty. The only way to provide that is to send a public key in the NEW_TOKEN frame and do a DH to determine the initial salt. We can do that, but that's essentially about porting ESNI to QUIC. My assumption has so far been that such an effort would require time, and it would be better to do that as a separet draft (e.g., https://datatracker.ietf.org/doc/draft-kazuho-quic-authenticated-handshake/). |
||
|
||
A server MUST NOT send a Version Negotitation packet in response to a long | ||
header packet with an alternative version number it has advertised. | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an important design point that is hidden: the aliased version applies to all Initial packets that are sent. That means that the alternative salt is used when the server provides an updated connection ID. Do the Handshake and 0-RTT packets also use the aliased version? That needs to be right up front.