Re: [secdir] SECDIR review of draft-ietf-tcpinc-tcpcrypt-07
"Black, David" <David.Black@dell.com> Sat, 21 October 2017 17:18 UTC
Return-Path: <David.Black@dell.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0F4A126E64 for <secdir@ietfa.amsl.com>; Sat, 21 Oct 2017 10:18:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.821
X-Spam-Level:
X-Spam-Status: No, score=-0.821 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dell.com header.b=kksDjdSQ; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=emc.com header.b=t0h7Kq4/
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id luf76y-tnfAR for <secdir@ietfa.amsl.com>; Sat, 21 Oct 2017 10:18:13 -0700 (PDT)
Received: from esa4.dell-outbound.iphmx.com (esa4.dell-outbound.iphmx.com [68.232.149.214]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 372111241F3 for <secdir@ietf.org>; Sat, 21 Oct 2017 10:18:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1508606293; x=1540142293; h=from:cc:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=Uur7eHBo4sRqKuCTexbhJozIrTxM6l1wLwjtPFrDcUA=; b=kksDjdSQogEzZh/mWl4pbR2mi1bspjOQvuZKFhxPAfL/5F3KtwOtPxHy NYbMmlyywN1T38oZW8NzYOZSZYUZh5ndJ/T6AixzE6L82VijNoreY6Unb LBn/3VdfFmSKUkEjgFynfYFRDRPJ1ChCQYPpAF5zYibIOPiuDCjw9ep3D o=;
Received: from esa4.dell-outbound2.iphmx.com ([68.232.154.98]) by esa4.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Oct 2017 12:18:11 -0500
From: "Black, David" <David.Black@dell.com>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "krose@krose.org" <krose@krose.org>, "ietf@kuehlewind.net" <ietf@kuehlewind.net>, "M.Handley@cs.ucl.ac.uk" <M.Handley@cs.ucl.ac.uk>, "dm@uun.org" <dm@uun.org>, "eric.smith@kestrel.edu" <eric.smith@kestrel.edu>, "sqs@sourcegraph.com" <sqs@sourcegraph.com>, "Black, David" <David.Black@dell.com>
Received: from mailuogwdur.emc.com ([128.221.224.79]) by esa4.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Oct 2017 23:18:10 +0600
Received: from maildlpprd53.lss.emc.com (maildlpprd53.lss.emc.com [10.106.48.157]) by mailuogwprd53.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id v9LHI7hg023033 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 21 Oct 2017 13:18:08 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd53.lss.emc.com v9LHI7hg023033
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1508606290; bh=1+OS/f5pChASKihGJOWTjkejcTM=; h=From:To:CC:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=t0h7Kq4/XNqbfzs0+hj7NrnibOreNfRTJpRu0REAh3F/0ABGMZplAjxbQ6Adm87Ve yF2c+ROtoNdIQumPj+mQSvwVHlZp/SvSOgE36MDBvBCHMnFPeu1VdBQNc5jEFICOgb iKioHXq4ESgpwCNEZfTlC1J/Yf2VZHIw6yXS1ewA=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd53.lss.emc.com v9LHI7hg023033
Received: from mailusrhubprd02.lss.emc.com (mailusrhubprd02.lss.emc.com [10.253.24.20]) by maildlpprd53.lss.emc.com (RSA Interceptor); Sat, 21 Oct 2017 13:17:46 -0400
Received: from MXHUB306.corp.emc.com (MXHUB306.corp.emc.com [10.146.3.32]) by mailusrhubprd02.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id v9LHHtOR017069 (version=TLSv1.2 cipher=AES128-SHA256 bits=128 verify=FAIL); Sat, 21 Oct 2017 13:17:55 -0400
Received: from MX307CL04.corp.emc.com ([fe80::849f:5da2:11b:4385]) by MXHUB306.corp.emc.com ([10.146.3.32]) with mapi id 14.03.0352.000; Sat, 21 Oct 2017 13:17:54 -0400
To: Daniel B Giffin <dbg@scs.stanford.edu>, Stephen Kent <stkent@verizon.net>
Thread-Topic: SECDIR review of draft-ietf-tcpinc-tcpcrypt-07
Thread-Index: AdNKkIZnLjxOcXUhQbGBU5YCP/B/qw==
Date: Sat, 21 Oct 2017 17:17:54 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949362FCF989D@MX307CL04.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.97.27.122]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd02.lss.emc.com
X-RSA-Classifications: public
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/md3GRn5NlD30MtGoAAUcenoHk4U>
Subject: Re: [secdir] SECDIR review of draft-ietf-tcpinc-tcpcrypt-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Oct 2017 17:18:16 -0000
Quick follow-up on this item: > Regarding interfaces: Although applications can benefit from > tcpcrypt without knowledge of it (and thus without having to > configure it), this document nevertheless requires > implementations of tcpcrypt to provide an interface for > configuring some aspects of its operation; this permits > tcpcrypt-aware applications the control they need to build > even-more-secure arrangements. > > The working group has an Informational draft suggesting how > best to extend OS interfaces to include the configuration of > TCP-ENO and tcpcrypt, using mechanisms (socket options and > sysctls) present in most popular operating systems: > > https://datatracker.ietf.org/doc/draft-ietf-tcpinc-api/ > > I can see that reading the tcpcrypt document alone leaves > questions about how to meet the API requirements; but of > course we aren't in a position to cite the not-yet-published > API draft. I don't know enough about how related RFCs could > be brought to the attention of readers, so suggestions to > address this are welcome. It's fine to cite that draft as an informative reference - the resulting reference in the tcpcrypt RFC will (correctly) indicate that the API is work in progress. Adding that reference would be a good thing to do. OTOH, that draft should not be cited as a normative reference, for reasons that include the inappropriateness of mandating that API for all implementations. Thanks, --David > -----Original Message----- > From: Daniel B Giffin [mailto:dbg@scs.stanford.edu] > Sent: Friday, October 20, 2017 9:37 PM > To: Stephen Kent <stkent@verizon.net> > Cc: secdir@ietf.org; Black, David <david.black@emc.com>; krose@krose.org; > ietf@kuehlewind.net; M.Handley@cs.ucl.ac.uk; dm@uun.org; > eric.smith@kestrel.edu; sqs@sourcegraph.com > Subject: Re: SECDIR review of draft-ietf-t cpinc-tcpcrypt-07 > > Hi Stephen, > > Thanks very much for your detailed review! > > So that others can see how your notes will be incorporated > into the next draft, I'll respond to them below. > > (Where I take an interactive tone below, I don't mean that > you need to respond. Although more discussion is welcome, I > will go ahead with the changes I propose.) > > > I have reviewed this document as part of the security directorate's ongoing > > effort to review all IETF documents being processed by the IESG.These > > comments were written with the intent of improving security > requirements and > > considerations in IETF drafts.Comments not addressed in last call may be > > included in AD reviews during the IESG review.Document editors and WG > chairs > > should treat these comments just like any other last call comments. > > > > This document is the specification for tcpcrypt, which is targeted to be an > > Experimental RFC. It is generally very well written, but it could benefit > > from a few edits, as noted below. > > > > The introduction (section 2) is brief and well written, stating the goals > > for the design. > > > > Section 3 is much longer, providing a detailed description of the protocol. > > (Although the description is characterized as “abstract” it is very > > detailed, with only format details deferred to Section 4.) This section also > > is generally well-written. > > > > In 3.2 I suggest including a forward pointer to the IANA Considerations > > section, since that section describes how future TEPs may be added to the > > list in Table 2. > > Well, although this document provides (in the IANA > Considerations section) a policy for assignment of > identifiers to the "tcpcrypt AEAD Algorithm" registry", the > policy for assignment of TEP identifiers lives in TCP-ENO. > > How about changing the last sentence of the first paragraph > of 3.2 from: > > Future standards may associate additional identifiers with > tcpcrypt. > > to instead: > > Future standards may associate additional TEP identifiers > with tcpcrypt, following the assignment policy specified > by TCP-ENO. > > > > > In 3.5 the text says: > > > > When two hosts have previously negotiated a tcpcrypt session, > > > > either host may initiate session resumption regardless of which > > > > host was the active opener or played the "A" role in the > > > > previous session. > > > > It’s not clear to me in what time frame this comment is meant to apply, > > e.g., if two hosts established a tcpcrypt session a week ago, is this > > comment still supposed to be applicable? Some clarification here would be > > useful. The end of this section establishes a requirement for an interface > > to enable an application to control session caching. Are interfaces of this > > sort commonly provided to applications by an OS? If so, an example would > be > > useful; if not, the authors should acknowledge that this requirement may > be > > problematic, i.e., applications may require modification to make use of the > > mandated interface. > > Regarding the timeframe for resumption: I see how our > language is confusing. I'll replace the first sentence of > the first paragraph of this section with: > > If two hosts have previously negotiated a tcpcrypt session secret > "ss[i-1]", and have cached the derived session secret "ss[i]", they > may later establish a new connection without public-key operations > using "ss[i]". > > ... and then also replace the paragraph you mention with: > > If two hosts have previously negotiated a tcpcrypt session, either > host may later initiate session resumption regardless of which host > was the active opener or played the "A" role in the previous session. > > These changes are subtle, but I hope they better convey > (together with the rest of the section) that resumption with > a particular session secret may be performed once, at any > time later, provided that both hosts have cached the secret. > > Regarding interfaces: Although applications can benefit from > tcpcrypt without knowledge of it (and thus without having to > configure it), this document nevertheless requires > implementations of tcpcrypt to provide an interface for > configuring some aspects of its operation; this permits > tcpcrypt-aware applications the control they need to build > even-more-secure arrangements. > > The working group has an Informational draft suggesting how > best to extend OS interfaces to include the configuration of > TCP-ENO and tcpcrypt, using mechanisms (socket options and > sysctls) present in most popular operating systems: > > https://datatracker.ietf.org/doc/draft-ietf-tcpinc-api/ > > I can see that reading the tcpcrypt document alone leaves > questions about how to meet the API requirements; but of > course we aren't in a position to cite the not-yet-published > API draft. I don't know enough about how related RFCs could > be brought to the attention of readers, so suggestions to > address this are welcome. > > > > > In 3.6 the mention Table 3 also should refer to IANA Considerations, since > > that section describes how additions algorithms may be added. > > Thanks, I'm changing the relevant paragraph to read: > > This protection is provided via algorithms for Authenticated > Encryption with Associated Data (AEAD). The particular algorithms > that may be used are listed in Table 3, and additional algorithms may > be specified according to the policy in Section 7. One algorithm is > selected during the negotiation described in Section 3.3. > > > > > The last sentence of 3.7 should be broken into several sentences; it is > > currently 7 lines long! > > Ha, indeed ... done! > > > > > Section 3.8 describes a fairly complicated set of constraintsassociated with > > rekeying, some of which are inter-related. It might help to have a table > > here to describe how these constraints interact, e.g., when TCP-mandated > > retransmission takes place in the context of a rekey. > > Certainly that is a delicate section. Although I can't > quite picture the table you're suggesting, I have reworked > the paragraph mentioning TCP retransmission as follows: > > Note that when parts of the datastream are retransmitted, TCP > requires that implementations always send the same data bytes for the > same TCP sequence numbers. Thus, frame data in retransmitted > segments must be encrypted with the same key as when it was first > transmitted, regardless of the current local generation number. > > I'm hoping that makes it more clear that retransmission and > rekeying shouldn't really interact at all: this paragraph > doesn't impose any new constraints, and I've changed to a > lower-case "must" to avoid the appearance of one. It is > merely a note to help implementations avoid offending TCP. > > > > > I suggest the following editorial changes in section 3: > > > > … assigns different roles to -> … assigns the roles to the two hosts > > > > … ephemeral public keys for hosts A and B -> … ephemeral public key > > agreement keys for hosts A and B > > > > … whose length depends -> … the length of which depends > > > > … whose integer value -> … the integer value of which > > > > … security of the AEAD algorithm -> … security of every AEAD algorithm > > Great, I've mostly incorporated these suggestions. > > Although I understand it might not sound quite right to > every ear, I couldn't bring myself to abandon those > applications of "whose" to inanimate objects. I mean hey, > two less words than "the _ of which"! And although I don't > want to argue by authority or precedent, these literary > examples sound elegant and clear to me: > > https://english.stackexchange.com/questions/23541/can-whose-refer-to- > an-inanimate-object > > And as for nonce-reuse in AEAD algorithms, I guess we > shouldn't say it is strictly verboten for *every* algorithm, > as there are new "nonce-misuse resistant" algs coming down > the pipe. So I've gone with: "Because it is strictly > necessary for the security of the AEAD algorithms specified > in this document, ..." > > > > > Section 4 describes the byte-level encoding for the data structures > > described in Section 3, as part of the tcpcrypt specification. In 4.1 found > > the description of the “ignored” data the INIT1_ and INIT2_ messages to be > a > > bit confusing. I had to reread the descriptions to figure out that this was > > the authors’ way of saying that data beyond the end of the message (as > > indicated by the message_len field) is to be ignored upon reception. I don’t > > think the graphics used here are a great way to explain this. > > Yes ... I'll try to find a better way. > > > > > Section 6 defines the initial set of AEAD algorithms supported by tcpcrypt, > > in Table 2. Each algorithm is assigned a value in the 1-255 range, a much > > smaller range of values that used in protocols like TLS. The text in Section > > 7 might need to remind readers that this will argue against the registration > > of “vanity” AEAD algorithms for tcpcrypt. > > Hm yes, I see that TLS 1.3 uses a two-byte identifier for a > similar purpose, although it looks like this specifies both > an AEAD algorithm and an HKDF. > > Well, although the code-space used by tcpcrypt is small, > TCP-ENO is a big escape-hatch in terms of extensibility. > For example, tcpcrypt could be extended with additional TEPs > whose only difference is to map the symmetric-cipher > identifier-bytes to different meanings. Not the prettiest > solution, but perhaps acceptable if one is optimistic that > exhaustion is unlikely anyway? > > > > > Security Considerations are described in Section 8. I found the phrase > “Most > > implementations will rely on system-wide pseudo-random generators…” to > be a > > bit confusing, because the ambiguity of the word “system” here. I presume > > this really refers to a single device in mots cases, e.g., a laptop, > > desktop, smartphone, right? I suggest a reference to RFC 4086 might be a > > good substitute for much of the text at the beginning of this section. > > Right. I'll clarify that, and also consider invoking > RFC 4086 to replace the details of the first three > paragraphs. > > > > > I’d like the authors to provide a rationale for the advice: “…limit the > > lifetime of the private parameters, ideally to no more than two minutes.” > > This seems a bit arbitrary to me. > > Indeed. I've reworked that paragraph as follows: > > Tcpcrypt uses short-lived public keys to provide forward secrecy. > That is, once an implementation removes these keys from memory, a > compromise of the system will not provide any means to derive the > session keys for past connections. All currently specified key > agreement schemes involve ECDHE-based key agreement, meaning a new > keypair can be efficiently computed for each connection. If > implementations reuse these parameters, they SHOULD limit the > lifetime of the private parameters as far as practical in order to > minimize the number of past connections that are vulnerable. > > > > > Suggested editorial changes to Section 8: > > > > … is one on which -> is one for which > > > > … without guessing the content of the resumption identifier, -> without > > successfully guessing the value of the resumption identifier, > > > > Thus, tcpcrypt specifies a way … -> To counter this threat, tcpcrypt > > specifies a way … > > > > Great, I've adopted the first and third suggestions. > > Thanks again for your very thoughtful review! I think this > has significantly improved the draft in quite a few ways. > > daniel
- Re: [secdir] SECDIR review of draft-ietf-tcpinc-t… Black, David