Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make the packet number encryption sampling clearer #1389

Merged
merged 5 commits into from
May 29, 2018
Merged

Make the packet number encryption sampling clearer #1389

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
edff824
Make the packet number encryption sampling clearer
martinthomson May 25, 2018
5b81241
Include packet number in the length field for long headers
martinthomson May 25, 2018
c408ba4
Missed version
martinthomson May 25, 2018
10df2ab
Rephrase the description of sampled ciphertext
martinthomson May 25, 2018
0cdfe02
Remove either
martinthomson May 29, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 23 additions & 6 deletions draft-ietf-quic-tls.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -941,17 +941,34 @@ Packet number protection is applied after packet protection is applied (see
{{aead}}). The ciphertext of the packet is sampled and used as input to an
encryption algorithm.

In sampling the packet ciphertext, the packet number length is assumed to be the
smaller of the maximum possible packet number encoding (4 octets), or the size
of the protected packet minus the minimum expansion for the AEAD. For example,
the sampled ciphertext for a packet with a short header can be determined by:
In sampling the packet ciphertext, the packet number length is assumed to be
either 4 octets (its maximum possible encoded length), unless there is
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Either implies two options. I'd just drop it.

insufficient space in the packet for sampling. The sampled ciphertext starts
after allowing for a 4 octet packet number unless this would cause the sample to
extend past the end of the packet. If the sample would extend past the end of
the packet, the end of the packet is sampled.

For example, the sampled ciphertext for a packet with a short header can be
determined by:

~~~
sample_offset = min(1 + connection_id_length + 4,
packet_length - aead_expansion)
sample_offset = 1 + len(connection_id) + 4

if sample_offset + sample_length > packet_length then
sample_offset = packet_length - sample_length
sample = packet[sample_offset..sample_offset+sample_length]
~~~

A packet with a long header is sampled in the same way, noting that multiple
QUIC packets might be included in the same UDP datagram and that each one is
handled separately.

~~~
sample_offset = 6 + len(destination_connection_id) +
len(source_connection_id) +
len(payload_length) + 4
~~~

To ensure that this process does not sample the packet number, packet number
protection algorithms MUST NOT sample more ciphertext than the minimum
expansion of the corresponding AEAD.
Expand Down
21 changes: 12 additions & 9 deletions draft-ietf-quic-transport.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -280,7 +280,7 @@ keys are established.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Connection ID (0/32..144) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Payload Length (i) ...
| Length (i) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Packet Number (8/16/32) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Expand Down Expand Up @@ -337,10 +337,11 @@ Source Connection ID:
either 0 octets in length or between 4 and 18 octets. {{connection-id}}
describes the use of this field in more detail.

Payload Length:
Length:

: The length of the Payload field in octets, encoded as a variable-length
integer ({{integer-encoding}}).
: The length of the remainder of the packet (that is, the Packet Number and
Payload fields) in octets, encoded as a variable-length integer
({{integer-encoding}}).

Packet Number:

Expand Down Expand Up @@ -373,10 +374,13 @@ The interpretation of the fields and the payload are specific to a version and
packet type. Type-specific semantics for this version are described in the
following sections.

The end of the Payload field (which is also the end of the long header
packet) is determined by the value of the Payload Length field.
Senders can sometimes coalesce multiple packets into one UDP datagram.
See {{packet-coalesce}} for more details.
The end of the packet is determined by the Length field. The Length field
covers the both the Packet Number and Payload fields, both of which are
confidentiality protected and initially of unknown length. The size of the
Payload field is learned once the packet number protection is removed.

Senders can sometimes coalesce multiple packets into one UDP datagram. See
{{packet-coalesce}} for more details.


## Short Header
Expand Down Expand Up @@ -4568,4 +4572,3 @@ Hamilton, Jana Iyengar, Fedor Kouranov, Charles Krasic, Jo Kulik, Adam Langley,
Jim Roskind, Robbie Shade, Satyam Shekhar, Cherie Shi, Ian Swett, Raman Tenneti,
Victor Vasiliev, Antonio Vicente, Patrik Westin, Alyssa Wilk, Dale Worley, Fan
Yang, Dan Zhang, Daniel Ziegler.