Retention of the unused encryption keys #35
Comments
Merged
|
Could you test #39 as a potential fix ? |
|
Yes, the server is not retaining any unused keys in the fix. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
During testing commit 841c822, we discovered that the PQUIC server does not discard the unused encryption keys after moving to a new encryption level.
The unused encryption keys, such as the Initial key, should be discarded once QUIC has moved to the Handshake encryption level (https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys), same as the Handshake key after moving to the 1-RTT encryption level. An attacker can obtain the Initial key by capturing the Initial packets sent between the client and server during the connection establishment. If the server/client still accepts and processes Initial packets at any encryption level, an attacker can disrupt the connection by sending a CONNECTION_CLOSE frame in an Initial packet to the server/client, causing a connection close that is not initiated by either the client or the server.
The text was updated successfully, but these errors were encountered: