From ba518850a0ac8ad821051ead735a100450055433 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 10 May 2017 15:31:52 +1000 Subject: [PATCH 1/2] Switch to 64-bit FNV-1a This should simplify implementation further. Closes #481. --- draft-ietf-quic-tls.md | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index a7ea4cde15..6d5e436c6e 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -840,9 +840,9 @@ exists for added resilience against data corruption and to provided added assurance that the sender intends to use QUIC. Unprotected packets all use the long form of the QUIC header and so will include -a version number. For this version of QUIC, the integrity check uses the -128-bit FNV-1a hash (see {{fnv1a}}). The output of this hash is appended to the -payload of the packet. +a version number. For this version of QUIC, the integrity check uses the 64-bit +FNV-1a hash (see {{fnv1a}}). The output of this hash is appended to the payload +of the packet. The integrity check algorithm MAY change for other versions of the protocol. @@ -858,14 +858,14 @@ The sender then calculates the integrity check over the entire packet, starting from the type field. The output of the hash is appended to the packet. A receiver that receives an unprotected packet first checks that the version is -correct, then removes the trailing 16 octets. It calculates the integrity check +correct, then removes the trailing 8 octets. It calculates the integrity check over the remainder of the packet. Unprotected packets that do not contain a valid integrity check MUST be discarded. -## The 128-bit FNV-1a Algorithm {#fnv1a} +## The 64-bit FNV-1a Algorithm {#fnv1a} -QUIC uses the 128-bit version of the alternative Fowler/Noll/Vo hash (FNV-1a) +QUIC uses the 64-bit version of the alternative Fowler/Noll/Vo hash (FNV-1a) {{?FNV=I-D.eastlake-fnv}}. FNV-1a can be expressed in pseudocode as: 
@@ -877,17 +877,16 @@ for each input octet: hash := hash * prime ``` -That is, a 128-bit unsigned integer is initialized with an offset basis. Then, +That is, a 64-bit unsigned integer is initialized with an offset basis. Then, for each octet of the input, the exclusive binary OR of the value is taken, then multiplied by a prime. Any overflow from multiplication is discarded. -The offset basis for the 128-bit FNV-1a is the decimal value -144066263297769815596495629667062367629 (in hex, -0x6c62272e07bb014262b821756295c58d). The prime is 309485009821345068724781371 -(in hex, 0x1000000000000000000013b; or as an expression 2^88 + 2^8 + 0x3b). +The offset basis for the 64-bit FNV-1a is the decimal value 14695981039346656037 +(in hex, 0xcbf29ce484222325). The prime is 1099511628211 (in hex, +0x100000001b3; or as an expression 2^40 + 2^8 + 0xb3). Once all octets have been processed in this fashion, the final integer value is -encoded as 16 octets in network byte order. +encoded as 8 octets in network byte order. # Key Phases From e133238d9d034a607cbc00d8b3f8eb93674c0bc0 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Thu, 11 May 2017 08:16:35 +1000 Subject: [PATCH 2/2] an --- draft-ietf-quic-tls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 6d5e436c6e..af5a83220d 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -834,7 +834,7 @@ number gaps on connection ID transitions. That secret is computed as: # Unprotected Packets QUIC adds an integrity check to all unprotected packets. Any packet that is not -protected by the negotiated AEAD (see {{packet-protection}}), includes a +protected by the negotiated AEAD (see {{packet-protection}}), includes an integrity check. This check does not prevent the packet from being altered, it exists for added resilience against data corruption and to provided added assurance that the sender intends to use QUIC.
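Review bot: In the hunk at @@ -858,14 of PATCH 1/2, the receiver text "then removes the trailing 8 octets" does not say what happens when an unprotected packet is too short to hold an 8-octet check, and it never states that the calculated value is compared with the octets that were removed. Suggest saying explicitly that a packet too short to contain the check is discarded, and that the packet is valid only if the hash calculated over the remainder equals the removed trailing 8 octets.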
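Review bot: In the hunk at @@ -877,17 of PATCH 1/2, the context lines after "That is, a 64-bit unsigned integer is initialized with an offset basis." still read "the exclusive binary OR of the value is taken, then multiplied by a prime", which does not name the operands. Suggest wording such as "the hash is XORed with the octet, then multiplied by the prime". Since this hunk replaces both the offset basis and the prime, a test vector (input octets and the expected 8-octet output in network byte order) would let implementers confirm they picked up the new constants and the new output length.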
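Review bot: In the hunk at @@ -834,7 of PATCH 2/2, the paragraph keeps further errors on the lines next to the "a" to "an" fix: "to provided added assurance" should be "to provide added assurance", and "being altered, it exists" is a comma splice that reads better as "being altered; it exists". The comma before "includes an integrity check" separates the subject from its verb and can be dropped in the same change.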