
Retention of the unused encryption keys

Open QUICTester opened this issue 1 year ago • 2 comments

Hi,

During testing commit 841c8228, we discovered that the PQUIC server does not discard the unused encryption keys after moving to a new encryption level.

The unused encryption keys, such as the Initial key, should be discarded once QUIC has moved to the Handshake encryption level (https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys), same as the Handshake key after moving to the 1-RTT encryption level. An attacker can obtain the Initial key by capturing the Initial packets sent between the client and server during the connection establishment. If the server/client still accepts and processes Initial packets at any encryption level, an attacker can disrupt the connection by sending a CONNECTION_CLOSE frame in an Initial packet to the server/client, causing a connection close that is not initiated by either the client or the server.

QUICTester, Jul 18 '23 04:07
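The behaviour the report asks for, as an added example that is not part of the original post and not PQUIC's code: moving to a higher encryption level wipes the lower levels' keys, and the receive path drops any packet whose level has no keys before its frames are parsed. All type and function names are hypothetical, and the level transitions are simplified to the ones the issue describes; the exact discard points for each endpoint are in RFC 9001 section 4.9.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types for illustration; not PQUIC's data structures. */
enum level { LVL_INITIAL = 0, LVL_HANDSHAKE = 1, LVL_1RTT = 2, LVL_COUNT = 3 };

struct level_keys {
    int available;       /* 1 while these keys may be used to open packets */
    uint8_t secret[32];  /* packet protection secret for this level */
};

struct conn {
    enum level current;
    struct level_keys keys[LVL_COUNT];
};

/* Wipe through a volatile pointer so the compiler cannot elide the writes. */
static void wipe(uint8_t *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Install keys for a level (the caller supplies the key material). */
void conn_install_keys(struct conn *c, enum level l, const uint8_t secret[32]) {
    for (size_t i = 0; i < 32; i++) c->keys[l].secret[i] = secret[i];
    c->keys[l].available = 1;
}

/* Move to a higher level and discard the keys of every lower level. */
void conn_advance(struct conn *c, enum level next) {
    if (next <= c->current) return;  /* never move backwards */
    for (int l = 0; l < (int)next; l++) {
        wipe(c->keys[l].secret, sizeof c->keys[l].secret);
        c->keys[l].available = 0;
    }
    c->current = next;
}

/* Receive-path gate: 1 = attempt decryption, 0 = drop before frame parsing.
 * With Initial keys discarded, a CONNECTION_CLOSE carried in a late Initial
 * packet is never processed. */
int conn_can_open(const struct conn *c, enum level pkt_level) {
    if ((unsigned)pkt_level >= LVL_COUNT) return 0;
    return c->keys[pkt_level].available;
}
```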

Could you test #39 as a potential fix?

mpiraux, Oct 04 '23 06:10

Yes, the server is not retaining any unused keys in the fix.

QUICTester, Oct 28 '23 13:10