Wow, QUIC Retry Packets use AES-GCM with a fixed key/nonce, empty plaintext, and associated data prefixed with a secret as a sort of MAC. That's... terrifying?

They essentially do MAC(K, v) = AES-GCM(key=const, nonce=const, plaintext=empty, aad=K||v). Does that actually hold?

https://quicwg.org/base-drafts/rfc9001.html#section-5.8

RFC 9001: Using TLS to Secure QUIC

This document describes how Transport Layer Security (TLS) is used to secure QUIC.

@filippo I think it is reversible and thus the retry pseudo packet can be reconstructed (or at least a linear combination of the AAD blocks, because as I understand the RFC, the retry pseudo packet would be longer than one AES block).
But what I don't get is: what is the actual secret in the retry pseudo packet?
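Added example, not part of the thread and not the RFC's or any QUIC library's own code: the Retry Integrity Tag construction from RFC 9001 Section 5.8, written in Go on top of the standard-library AES-GCM. The key (0xbe0c690b9f66575a1d766b54e368c84e) and nonce (0x461599d35d632bf2239825bb) are the fixed constants the RFC publishes, the plaintext is empty, and the associated data is the Retry Pseudo-Packet: one length byte, the client's Original Destination Connection ID, then the Retry packet with its trailing 16-byte tag stripped. The sample ODCID and Retry packet are the ones in RFC 9001 Appendix A.4, so the computed tag can be checked against the RFC. On the question of what the secret is: nothing in the inputs is secret. The key is public, so the only per-connection input is the ODCID, and the tag therefore binds a Retry to the specific Initial its sender observed rather than authenticating the sender with a key it alone holds; the last call in `main` shows a Retry failing at a client whose ODCID differs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fixed key and nonce for QUIC v1 Retry packets, published in RFC 9001 Section 5.8.
// They are not secret: anyone can compute a tag over any pseudo-packet.
var (
	retryKey   = mustHex("be0c690b9f66575a1d766b54e368c84e")
	retryNonce = mustHex("461599d35d632bf2239825bb")

	// Sample values from RFC 9001 Appendix A.4: the client's original DCID and the
	// Retry packet the server sent (its last 16 bytes are the integrity tag).
	sampleODCID = mustHex("8394c8f03e515708")
	sampleRetry = mustHex("ff000000010008f067a5502a4262b5746f6b656e" +
		"04a265ba2eff4d829058fb3f0f2496ba")
)

const retryTagLen = 16

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// retryPseudoPacket builds the AEAD associated data: one length byte, the ODCID,
// then the Retry packet with its trailing tag removed (RFC 9001 Figure 8).
func retryPseudoPacket(odcid, retryWithoutTag []byte) []byte {
	p := make([]byte, 0, 1+len(odcid)+len(retryWithoutTag))
	p = append(p, byte(len(odcid)))
	p = append(p, odcid...)
	return append(p, retryWithoutTag...)
}

func retryAEAD() (cipher.AEAD, error) {
	block, err := aes.NewCipher(retryKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// retryIntegrityTag computes the 16-byte tag as the server does: AES-128-GCM with the
// fixed key and nonce, empty plaintext, and the pseudo-packet as associated data.
// With no plaintext, Seal's output is exactly the GCM authentication tag.
func retryIntegrityTag(odcid, retryWithoutTag []byte) ([]byte, error) {
	aead, err := retryAEAD()
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, retryNonce, nil, retryPseudoPacket(odcid, retryWithoutTag)), nil
}

// verifyRetry is the client-side check: recompute over the ODCID the client itself sent
// and let GCM compare the tag in constant time. Passing the tag alone as "ciphertext"
// is the empty-plaintext case, so Open returns no data and only reports success or failure.
func verifyRetry(odcid, retryPacket []byte) (bool, error) {
	// header byte + version + DCID length + SCID length + tag is the shortest Retry.
	if len(retryPacket) < 1+4+1+1+retryTagLen {
		return false, errors.New("retry packet too short")
	}
	body := retryPacket[:len(retryPacket)-retryTagLen]
	tag := retryPacket[len(retryPacket)-retryTagLen:]
	aead, err := retryAEAD()
	if err != nil {
		return false, err
	}
	_, err = aead.Open(nil, retryNonce, tag, retryPseudoPacket(odcid, body))
	return err == nil, nil
}

func main() {
	body := sampleRetry[:len(sampleRetry)-retryTagLen]
	tag, _ := retryIntegrityTag(sampleODCID, body)
	fmt.Printf("computed tag %x, matches RFC sample: %v\n",
		tag, bytes.Equal(tag, sampleRetry[len(sampleRetry)-retryTagLen:]))

	ok, _ := verifyRetry(sampleODCID, sampleRetry)
	fmt.Println("client with the right ODCID accepts:", ok)

	// The same Retry checked by a client that chose a different ODCID (a constructed
	// value): the tag binds the Retry to the Initial the sender saw, nothing more.
	ok, _ = verifyRetry(mustHex("0000000000000000"), sampleRetry)
	fmt.Println("client with a different ODCID accepts:", ok)
}
```

Note that `verifyRetry` never compares tag bytes itself; handing the received tag to `Open` as the whole ciphertext reuses GCM's constant-time tag check, which is the idiomatic way to verify an empty-plaintext AEAD tag with this API.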