target = "https://www.rfc-editor.org/rfc/rfc9001#section-6.6" # 6.6. Limits on AEAD Usage # # This document sets usage limits for AEAD algorithms to ensure that # overuse does not give an adversary a disproportionate advantage in # attacking the confidentiality and integrity of communications when # using QUIC. # # The usage limits defined in TLS 1.3 exist for protection against # attacks on confidentiality and apply to successful applications of # AEAD protection. The integrity protections in authenticated # encryption also depend on limiting the number of attempts to forge # packets. TLS achieves this by closing connections after any record # fails an authentication check. In comparison, QUIC ignores any # packet that cannot be authenticated, allowing multiple forgery # attempts. # # QUIC accounts for AEAD confidentiality and integrity limits # separately. The confidentiality limit applies to the number of # packets encrypted with a given key. The integrity limit applies to # the number of packets decrypted within a given connection. Details # on enforcing these limits for each AEAD algorithm follow below. # # Endpoints MUST count the number of encrypted packets for each set of # keys. If the total number of encrypted packets with the same key # exceeds the confidentiality limit for the selected AEAD, the endpoint # MUST stop using those keys. Endpoints MUST initiate a key update # before sending more protected packets than the confidentiality limit # for the selected AEAD permits. If a key update is not possible or # integrity limits are reached, the endpoint MUST stop using the # connection and only send stateless resets in response to receiving # packets. It is RECOMMENDED that endpoints immediately close the # connection with a connection error of type AEAD_LIMIT_REACHED before # reaching a state where key updates are not possible. # # For AEAD_AES_128_GCM and AEAD_AES_256_GCM, the confidentiality limit # is 2^23 encrypted packets; see Appendix B.1. For # AEAD_CHACHA20_POLY1305, the confidentiality limit is greater than the # number of possible packets (2^62) and so can be disregarded. For # AEAD_AES_128_CCM, the confidentiality limit is 2^21.5 encrypted # packets; see Appendix B.2. Applying a limit reduces the probability # that an attacker can distinguish the AEAD in use from a random # permutation; see [AEBounds], [ROBUST], and [GCM-MU]. # # In addition to counting packets sent, endpoints MUST count the number # of received packets that fail authentication during the lifetime of a # connection. If the total number of received packets that fail # authentication within the connection, across all keys, exceeds the # integrity limit for the selected AEAD, the endpoint MUST immediately # close the connection with a connection error of type # AEAD_LIMIT_REACHED and not process any more packets. # # For AEAD_AES_128_GCM and AEAD_AES_256_GCM, the integrity limit is # 2^52 invalid packets; see Appendix B.1. For AEAD_CHACHA20_POLY1305, # the integrity limit is 2^36 invalid packets; see [AEBounds]. For # AEAD_AES_128_CCM, the integrity limit is 2^21.5 invalid packets; see # Appendix B.2. Applying this limit reduces the probability that an # attacker can successfully forge a packet; see [AEBounds], [ROBUST], # and [GCM-MU]. # # Endpoints that limit the size of packets MAY use higher # confidentiality and integrity limits; see Appendix B for details. # # Future analyses and specifications MAY relax confidentiality or # integrity limits for an AEAD. # # Any TLS cipher suite that is specified for use with QUIC MUST define # limits on the use of the associated AEAD function that preserves # margins for confidentiality and integrity. That is, limits MUST be # specified for the number of packets that can be authenticated and for # the number of packets that can fail authentication. Providing a # reference to any analysis upon which values are based -- and any # assumptions used in that analysis -- allows limits to be adapted to # varying usage conditions. [[spec]] level = "MUST" quote = ''' Endpoints MUST count the number of encrypted packets for each set of keys. ''' [[spec]] level = "MUST" quote = ''' If the total number of encrypted packets with the same key exceeds the confidentiality limit for the selected AEAD, the endpoint MUST stop using those keys. ''' [[spec]] level = "MUST" quote = ''' Endpoints MUST initiate a key update before sending more protected packets than the confidentiality limit for the selected AEAD permits. ''' [[spec]] level = "MUST" quote = ''' If a key update is not possible or integrity limits are reached, the endpoint MUST stop using the connection and only send stateless resets in response to receiving packets. ''' [[spec]] level = "SHOULD" quote = ''' It is RECOMMENDED that endpoints immediately close the connection with a connection error of type AEAD_LIMIT_REACHED before reaching a state where key updates are not possible. ''' [[spec]] level = "MUST" quote = ''' In addition to counting packets sent, endpoints MUST count the number of received packets that fail authentication during the lifetime of a connection. ''' [[spec]] level = "MUST" quote = ''' If the total number of received packets that fail authentication within the connection, across all keys, exceeds the integrity limit for the selected AEAD, the endpoint MUST immediately close the connection with a connection error of type AEAD_LIMIT_REACHED and not process any more packets. ''' [[spec]] level = "MAY" quote = ''' Endpoints that limit the size of packets MAY use higher confidentiality and integrity limits; see Appendix B for details. ''' [[spec]] level = "MAY" quote = ''' Future analyses and specifications MAY relax confidentiality or integrity limits for an AEAD. ''' [[spec]] level = "MUST" quote = ''' Any TLS cipher suite that is specified for use with QUIC MUST define limits on the use of the associated AEAD function that preserves margins for confidentiality and integrity. ''' [[spec]] level = "MUST" quote = ''' That is, limits MUST be specified for the number of packets that can be authenticated and for the number of packets that can fail authentication. '''