[Cfrg] tcpinc: session ID unlinkability
Kyle Rose <krose@krose.org> Tue, 25 October 2016 15:00 UTC
Return-Path: <krose@krose.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2842F1296B1 for <cfrg@ietfa.amsl.com>; Tue, 25 Oct 2016 08:00:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hoqTRfmRNH1z for <cfrg@ietfa.amsl.com>; Tue, 25 Oct 2016 08:00:03 -0700 (PDT)
Received: from mail-qt0-x234.google.com (mail-qt0-x234.google.com [IPv6:2607:f8b0:400d:c0d::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2EEF129591 for <cfrg@irtf.org>; Tue, 25 Oct 2016 08:00:02 -0700 (PDT)
Received: by mail-qt0-x234.google.com with SMTP id p53so4499219qtp.7 for <cfrg@irtf.org>; Tue, 25 Oct 2016 08:00:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:from:date:message-id:subject:to:cc; bh=m2Mut3BXpgufqbKP2CGPvtit1PMheBGSbtivQWg2Uqk=; b=ntqtB9FUWMT6S3VDNnt6AESNDc+ahy3AD38mb7KKImsnj+Ysrp7RLn45vnso/ejvTO mekA68IBHLXJUjbB8FbiVmV0DHDYIQfz00qZFWoX4ZH+f5wiyqCiACFYh4L6bC0LppvH tKF/oTDjsJ/cDZ7KrqAlT1CaYVP8kmAhXybeI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=m2Mut3BXpgufqbKP2CGPvtit1PMheBGSbtivQWg2Uqk=; b=VDgWPTPzS3TJsPvVnIBX51h11M9OLeZ+QEeqn/ioc9rggdR0oY5tJFqPuGu2+dFsql 6vP0VQk/zP3bJ+yFdMKL/Zn2KcEE5H9CB8BKRDu6t7yOtDQ2bZhlZ9oKg/1RNeBNFUVE IXGsTd4iG1FbakASFX9x1Rhmxhj9ghIvR6KQMq+9JT7T1+DAqqposFVXL+7cU1oEExqf YcleNGAajpRQBmH6+ExQf7yEQYWQB9HlqdKwfKxCLzdzU9Wn/yQ6Ve59KrJWc/ycZHaq IrDsd4TR4OXXBUXD+XITthJdIvicUx/zy/f5Y3F2WnVmTkBYxhaRFaq8r0eBU88molRx G6kw==
X-Gm-Message-State: ABUngvc59FvGQu8TdUYUrKr+cKyb5uuseP6+zeTJvIBtPhXHb1sGn/EC7zByPpalzSQkVSatZ6tn+bcMaLQ+Sw==
X-Received: by 10.200.46.77 with SMTP id s13mr20378578qta.29.1477407601748; Tue, 25 Oct 2016 08:00:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.45.68 with HTTP; Tue, 25 Oct 2016 08:00:01 -0700 (PDT)
X-Originating-IP: [72.246.0.14]
From: Kyle Rose <krose@krose.org>
Date: Tue, 25 Oct 2016 11:00:01 -0400
Message-ID: <CAJU8_nX=xoQ8TVpGYOikLRwwopqN=9F4POinELE0r_vaUx3q9Q@mail.gmail.com>
To: cfrg@irtf.org, tcpinc-chairs@ietf.org
Content-Type: multipart/alternative; boundary="001a1144e02c4ab6b5053fb1c343"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/j9r8yg6NMEr1eCCtgngQjB-kif8>
Subject: [Cfrg] tcpinc: session ID unlinkability
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2016 15:00:07 -0000
I got some great feedback from the last question. Thanks to everyone, and especially to Natanael, who helpfully provided a convincing argument that uniqueness of the session ID even against adversary-as-endpoint is sufficient for endpoint authentication (i.e., that secrecy and even unpredictability of the session ID are not required). Now for the second inquiry... The TCP-ENO draft (https://tools.ietf.org/html/draft-ietf-tcpinc-tcpeno-04) says: "Unless and until applications disclose information about the session ID, all but the first byte MUST be computationally indistinguishable from random bytes to a network eavesdropper." I don't think this is actually the property we want. It's really okay, for instance, if the first K>=1 bytes (for some constant K) are predictable as long as they do not impact the security of the system (see my previous question in the "endpoint authentication and session ID privacy" thread), and as long as they cannot be used to violate privacy, e.g., by enabling tracking of clients or interesting classes of clients. (In the case of tcpcrypt, the first byte of the session ID is the ENO suboption representing the negotiated key exchange mechanism, to ensure that cross-protocol session ID attacks are not possible by putting session IDs for different KEX mechanisms into disjoint spaces.) Conversely, it's not okay for the first byte to be used to encode something interesting about the user in the clear (e.g., user agent), because that could be used by a passive observer to track clients. Furthermore, as discussed in the previous question, we really do need these session IDs to be unique even when one endpoint is an adversary. I'm struggling with how to phrase this whole thing. So my first question is: what property/properties do we actually want here? Daniel Franke's draft for the NTS project has a very similar requirement, as I noted on this thread: q( Section 6.1.6 should list required properties of cookies; in particular, something like "To prevent tracking of clients, a cookie issued by a server will be repeated at most once by the client in plaintext; therefore, all cookies issued by a server must be constructed in such a way that, even in large numbers, they cannot be correlated to specific clients by an observer not in possession of the keying material used to create them." Basically, to a third-party, the cookies must be cryptographically indistinguishable from each other with respect to the input data they represent. A cryptographer might be able to come up with some precise language to describe this. ) http://lists.ntp.org/pipermail/ntpwg/2016-August/003014.html An answer here might be generally useful, maybe even to the point of a BCP for these kinds of cookies. (Heck, there might even be one that I don't know about.) Furthermore, some protocols may require most of the bits to be unpredictable, but even that's not quite right: what's really needed is enough entropy (say, >= 256 bits) over the totality of the session ID. If you take a 512-bit session ID and bias each bit slightly toward 0, I imagine you've still got more than enough entropy. So my second question is: do we need to capture this, or should we simplify and say that each session ID should have at least 256 bits that are computationally indistinguishable from random? Kyle
- [Cfrg] tcpinc: session ID unlinkability Kyle Rose