Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms

[Joe Touch <touch@ISI.EDU>]

Sean Shuo Shen wrote:
> Hi Joe,
> 
>> Please indicate the proof for this. First, it requires that the rest of
>> the system enforce the "no reuse of keys during seqno rollover"; second,
>> it requires that TCP implementations not allow the socket data to change
>> between initial transmission and retransmission.
 >
> First, I remember somewhere it is said that the MAC key should be renewed
> when sequence number rollover, in your first email you also mentioned that
> "This is why we probably need to explicitly require that the connection key
> change whenever the sequence number rolls over (through the ISN)." I believe
> you are giving a reasonable and achievable requirement (hash key renewing
> during rollover). If hash key renewing during rollover is doable, nonce key
> renewing during rollover is also doable and it's not an extra requirement.
> The way to renew keys is out of the scope of our discussion. I don't think
> we have to give a key management scheme before talking about MAC algorithms.

It all depends on whether key reuse during rollover is prohibited 
outright or just recommended against. If the former, I agree it's 
sufficient to roll over the nonce key at the same time. It's the latter 
case that's the issue, and whether to make this something FIPS 
certification relies upon.

> Second, maybe there is a misunderstanding here. What I mean is: the nonce
> generation algorithm can guarantee that nonce is different when the MAC
> protected data are different (because some mac algorithms require different
> nonce when hashing different messages). If the MAC protected data (I assume
> this is what you mean by "socket data") are same between transmission and
> retransmission, it is totally fine for nonce to be same.

That depends on whether the nonce is used to provide replay protection. 
If it is, then it can't be the same if the entire segment is the same.

Joe