ietf-wg-ohai / draft-ohai-chunked-ohttp

response_nonce is set twice #12

Closed chris-wood closed 1 year ago

chris-wood commented 1 year ago

The draft reads:

For responses, the first piece of data sent back is the response nonce, as in the non-chunked variant.[¶](https://tfpauly.github.io/draft-ohai-chunked-ohttp/draft-ohai-chunked-ohttp.html#section-6.2-1)

entropy = max(Nn, Nk)
response_nonce = random(entropy)

And then:

Each chunk is sealed using the same AEAD key and AEAD nonce that are derived for the non-chunked variant, which are calculated as follows:[¶](https://tfpauly.github.io/draft-ohai-chunked-ohttp/draft-ohai-chunked-ohttp.html#section-6.2-3)

secret = context.Export("message/bhttp chunked response", entropy)
response_nonce = random(entropy)
salt = concat(enc, response_nonce)
prk = Extract(salt, secret)
aead_key = Expand(prk, "key", Nk)
aead_nonce = Expand(prk, "nonce", Nn)

I don't think the intended effect is to have response_nonce be different in the header and in the key derivation step. The current text seems to imply that the header first carries a randomly generated response_nonce, and then each subsequent response chunk is encrypted using a different response_nonce.

Probably the simple thing to do here is just drop the second response_nonce derivation, like so:

 secret = context.Export("message/bhttp chunked response", entropy)
-response_nonce = random(entropy)
 salt = concat(enc, response_nonce)
 prk = Extract(salt, secret)
 aead_key = Expand(prk, "key", Nk)
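
Review bot: with `response_nonce = random(entropy)` dropped, the `salt = concat(enc, response_nonce)` line depends on a value this block no longer defines, just as `entropy` in the Export call already does. Suggest a sentence before the block stating that `entropy` and `response_nonce` are the values computed for the response header above, or folding the two listings into one, so that someone implementing from this block alone does not draw a fresh nonce. The hunk stops at `aead_key`, so confirm the `aead_nonce = Expand(prk, "nonce", Nn)` line stays unchanged.
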
martinthomson commented 1 year ago

So there are two nonces involved here:

  1. The nonce used to diversify keying material for responses. This exists as defense in depth against the use of a two-time pad in the event that a request is replayed.
  2. The AEAD (base) nonce, which is used by the AEAD in the usual way. Unlike regular OHTTP, this is overlaid with a counter using the same method as in TLS.

This is deliberate and I think that we need both.

chris-wood commented 1 year ago

Right, there are two nonces, but as the diff above suggests, response_nonce (the one used for diversifying key material) is currently confusingly specified. Is it computed once or twice? I'm not suggesting to remove the aead_nonce.

martinthomson commented 1 year ago

Oh, I see. I need more sleep. Yes.
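
The derivation discussed in this thread, as an added example (not code from the draft or its authors): it runs the key derivation on both sides and shows that sender and receiver agree only when the `response_nonce` sent in the header is the one fed into the salt. HKDF-SHA256, `Nk = 16`, `Nn = 12` and the random stand-ins for `secret` and `enc` are assumptions; `chunk_nonce` follows the TLS-style counter overlay mentioned in the comments.

```python
import hashlib
import hmac
import os

# Assumed AEAD parameters (AES-128-GCM): key length Nk and nonce length Nn.
NK, NN = 16, 12
ENTROPY = max(NK, NN)


def extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract with SHA-256 (RFC 5869)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand with SHA-256 (RFC 5869)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive(secret: bytes, enc: bytes, response_nonce: bytes) -> tuple[bytes, bytes]:
    """Key derivation from the issue, taking response_nonce as an input."""
    prk = extract(enc + response_nonce, secret)  # salt = concat(enc, response_nonce)
    return expand(prk, b"key", NK), expand(prk, b"nonce", NN)


def chunk_nonce(aead_nonce: bytes, counter: int) -> bytes:
    """Per-chunk nonce: base nonce XOR big-endian counter, as in TLS 1.3."""
    ctr = counter.to_bytes(len(aead_nonce), "big")
    return bytes(a ^ b for a, b in zip(aead_nonce, ctr))


def simulate(regenerate: bool) -> bool:
    """Return True if sender and receiver derive the same key and base nonce."""
    secret = os.urandom(ENTROPY)  # constructed stand-in for context.Export(...)
    enc = os.urandom(32)          # constructed stand-in for the HPKE enc value
    header_nonce = os.urandom(ENTROPY)  # response_nonce sent first on the wire
    # Double-assignment reading: the sender draws a second response_nonce for the KDF.
    kdf_nonce = os.urandom(ENTROPY) if regenerate else header_nonce
    sender = derive(secret, enc, kdf_nonce)
    receiver = derive(secret, enc, header_nonce)  # receiver only has the header value
    return sender == receiver


if __name__ == "__main__":
    print("single response_nonce:", simulate(regenerate=False))
    print("response_nonce set twice:", simulate(regenerate=True))
```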