You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
An attacker that has access and capability to modify packets part of an end-to-end QUIC connection prior to QUIC aware forwarding with SCRAMBLE transform can enable defeating the scramble transform. This is done by manipulating the part of the QUIC packet that will be used as IV. The attack modify some packets prior to reaching either the MASQUE client or the MASQUE proxy so this set of packets all have the same bit-value in the parts that will be used as IV. This will result in the E2E packet will be dropped at arrival at the endpoint.
By setting the same IV two effects will be achieved:
The scrambled IV after AES-ECB application will have the same value in all the packets, enabling an attacker that captures all packets after the Masque tunnel ingress's forwarding and transformation to look for the packet with the same but unknown bit-pattern in a given location within the packet
Due to the use of the same IV in AES-CTR mode between the multiple packet that actual scrambling can be defeated. Although I think this in most cases would have limited value as it would only allow recovering the End-to-End packet that this attacker already have access to. I think 1) is sufficient to enable the important linking of input and output 5-tuples and CIDs.
The weakness here is that the attacker can chose the IV, which is not true in the QUIC header protection application of using part of the packet as IV. But, in this case the MASQUE proxy or client can't verify the end-to-end forwarded packets integrity before choosing to use it as IV.
I don't know if this attack is serious enough for scramble to change its solution, but at a minimal the potential attack and the weakness it creates needs to be documented. But likely a bit of thought should be put into if another solution can be found to avoid this attack.
The text was updated successfully, but these errors were encountered:
An attacker that has access and capability to modify packets part of an end-to-end QUIC connection prior to QUIC aware forwarding with SCRAMBLE transform can enable defeating the scramble transform. This is done by manipulating the part of the QUIC packet that will be used as IV. The attack modify some packets prior to reaching either the MASQUE client or the MASQUE proxy so this set of packets all have the same bit-value in the parts that will be used as IV. This will result in the E2E packet will be dropped at arrival at the endpoint.
By setting the same IV two effects will be achieved:
The weakness here is that the attacker can chose the IV, which is not true in the QUIC header protection application of using part of the packet as IV. But, in this case the MASQUE proxy or client can't verify the end-to-end forwarded packets integrity before choosing to use it as IV.
I don't know if this attack is serious enough for scramble to change its solution, but at a minimal the potential attack and the weakness it creates needs to be documented. But likely a bit of thought should be put into if another solution can be found to avoid this attack.
The text was updated successfully, but these errors were encountered: