Re: [secdir] SECDIR review of draft-ietf-t cpinc-tcpcrypt-07
Stephen Kent <stkent@verizon.net> Mon, 23 October 2017 15:30 UTC
Return-Path: <stkent@verizon.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79FD3139478 for <secdir@ietfa.amsl.com>; Mon, 23 Oct 2017 08:30:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsOnK1qEC9jN for <secdir@ietfa.amsl.com>; Mon, 23 Oct 2017 08:30:41 -0700 (PDT)
Received: from omr-a011e.mx.aol.com (omr-a011e.mx.aol.com [204.29.186.59]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C260D139428 for <secdir@ietf.org>; Mon, 23 Oct 2017 08:30:40 -0700 (PDT)
Received: from mtaout-aaa01.mx.aol.com (mtaout-aaa01.mx.aol.com [172.27.1.225]) by omr-a011e.mx.aol.com (Outbound Mail Relay) with ESMTP id C4068380008D; Mon, 23 Oct 2017 11:30:39 -0400 (EDT)
Received: from iMac.fios-router.home (pool-173-48-69-73.bstnma.fios.verizon.net [173.48.69.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mtaout-aaa01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 74F9B38000089; Mon, 23 Oct 2017 11:30:38 -0400 (EDT)
To: Daniel B Giffin <dbg@scs.stanford.edu>
Cc: secdir@ietf.org, david.black@dell.com, krose@krose.org, ietf@kuehlewind.net, M.Handley@cs.ucl.ac.uk, dm@uun.org, eric.smith@kestrel.edu, sqs@sourcegraph.com
References: <a81a01d1-f5b8-ea3b-ebc2-2536aa08fb5f@verizon.net> <20171021013702.GB85636@scs.stanford.edu>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <88e80c7a-0534-5ff0-deeb-c0bc5f3c9a09@verizon.net>
Date: Mon, 23 Oct 2017 11:30:38 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <20171021013702.GB85636@scs.stanford.edu>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
x-aol-global-disposition: G
x-aol-sid: 3039ac1b01e159ee0b1e7a55
X-AOL-IP: 173.48.69.73
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/yqmwzabM_5iYUIkulaCEk6FyKxY>
Subject: Re: [secdir] SECDIR review of draft-ietf-t cpinc-tcpcrypt-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2017 15:30:43 -0000
Daniel, Thanks for the response. > Hi Stephen, > > Thanks very much for your detailed review! > > So that others can see how your notes will be incorporated > into the next draft, I'll respond to them below. > > (Where I take an interactive tone below, I don't mean that > you need to respond. Although more discussion is welcome, I > will go ahead with the changes I propose.) > >> I have reviewed this document as part of the security directorate's ongoing >> effort to review all IETF documents being processed by the IESG.These >> comments were written with the intent of improving security requirements and >> considerations in IETF drafts.Comments not addressed in last call may be >> included in AD reviews during the IESG review.Document editors and WG chairs >> should treat these comments just like any other last call comments. >> >> This document is the specification for tcpcrypt, which is targeted to be an >> Experimental RFC. It is generally very well written, but it could benefit >> from a few edits, as noted below. >> >> The introduction (section 2) is brief and well written, stating the goals >> for the design. >> >> Section 3 is much longer, providing a detailed description of the protocol. >> (Although the description is characterized as “abstract” it is very >> detailed, with only format details deferred to Section 4.) This section also >> is generally well-written. >> >> In 3.2 I suggest including a forward pointer to the IANA Considerations >> section, since that section describes how future TEPs may be added to the >> list in Table 2. > Well, although this document provides (in the IANA > Considerations section) a policy for assignment of > identifiers to the "tcpcrypt AEAD Algorithm" registry", the > policy for assignment of TEP identifiers lives in TCP-ENO. OK. > How about changing the last sentence of the first paragraph > of 3.2 from: > > Future standards may associate additional identifiers with > tcpcrypt. > > to instead: > > Future standards may associate additional TEP identifiers > with tcpcrypt, following the assignment policy specified > by TCP-ENO. Great. > >> In 3.5 the text says: >> >> When two hosts have previously negotiated a tcpcrypt session, >> >> either host may initiate session resumption regardless of which >> >> host was the active opener or played the "A" role in the >> >> previous session. >> >> It’s not clear to me in what time frame this comment is meant to apply, >> e.g., if two hosts established a tcpcrypt session a week ago, is this >> comment still supposed to be applicable? Some clarification here would be >> useful. The end of this section establishes a requirement for an interface >> to enable an application to control session caching. Are interfaces of this >> sort commonly provided to applications by an OS? If so, an example would be >> useful; if not, the authors should acknowledge that this requirement may be >> problematic, i.e., applications may require modification to make use of the >> mandated interface. > Regarding the timeframe for resumption: I see how our > language is confusing. I'll replace the first sentence of > the first paragraph of this section with: > > If two hosts have previously negotiated a tcpcrypt session secret > "ss[i-1]", and have cached the derived session secret "ss[i]", they > may later establish a new connection without public-key operations > using "ss[i]". Good. > > ... and then also replace the paragraph you mention with: > > If two hosts have previously negotiated a tcpcrypt session, either > host may later initiate session resumption regardless of which host > was the active opener or played the "A" role in the previous session. Great. > > These changes are subtle, but I hope they better convey > (together with the rest of the section) that resumption with > a particular session secret may be performed once, at any > time later, provided that both hosts have cached the secret. > > Regarding interfaces: Although applications can benefit from > tcpcrypt without knowledge of it (and thus without having to > configure it), this document nevertheless requires > implementations of tcpcrypt to provide an interface for > configuring some aspects of its operation; this permits > tcpcrypt-aware applications the control they need to build > even-more-secure arrangements. > > The working group has an Informational draft suggesting how > best to extend OS interfaces to include the configuration of > TCP-ENO and tcpcrypt, using mechanisms (socket options and > sysctls) present in most popular operating systems: > > https://datatracker.ietf.org/doc/draft-ietf-tcpinc-api/ > > I can see that reading the tcpcrypt document alone leaves > questions about how to meet the API requirements; but of > course we aren't in a position to cite the not-yet-published > API draft. I don't know enough about how related RFCs could > be brought to the attention of readers, so suggestions to > address this are welcome. David's message explained how to refer to that I-D w/o making it a gating factor for this one. > >> In 3.6 the mention Table 3 also should refer to IANA Considerations, since >> that section describes how additions algorithms may be added. > Thanks, I'm changing the relevant paragraph to read: > > This protection is provided via algorithms for Authenticated > Encryption with Associated Data (AEAD). The particular algorithms > that may be used are listed in Table 3, and additional algorithms may > be specified according to the policy in Section 7. One algorithm is > selected during the negotiation described in Section 3.3. Good. > >> The last sentence of 3.7 should be broken into several sentences; it is >> currently 7 lines long! > Ha, indeed ... done! thanks. > >> Section 3.8 describes a fairly complicated set of constraintsassociated with >> rekeying, some of which are inter-related. It might help to have a table >> here to describe how these constraints interact, e.g., when TCP-mandated >> retransmission takes place in the context of a rekey. > Certainly that is a delicate section. Although I can't > quite picture the table you're suggesting, I have reworked > the paragraph mentioning TCP retransmission as follows: > > Note that when parts of the datastream are retransmitted, TCP > requires that implementations always send the same data bytes for the > same TCP sequence numbers. Thus, frame data in retransmitted > segments must be encrypted with the same key as when it was first > transmitted, regardless of the current local generation number. that's better. > > I'm hoping that makes it more clear that retransmission and > rekeying shouldn't really interact at all: this paragraph > doesn't impose any new constraints, and I've changed to a > lower-case "must" to avoid the appearance of one. It is > merely a note to help implementations avoid offending TCP. good. > >> I suggest the following editorial changes in section 3: >> >> … assigns different roles to -> … assigns the roles to the two hosts >> >> … ephemeral public keys for hosts A and B -> … ephemeral public key >> agreement keys for hosts A and B >> >> … whose length depends -> … the length of which depends >> >> … whose integer value -> … the integer value of which >> >> … security of the AEAD algorithm -> … security of every AEAD algorithm > Great, I've mostly incorporated these suggestions. > > Although I understand it might not sound quite right to > every ear, I couldn't bring myself to abandon those > applications of "whose" to inanimate objects. I mean hey, > two less words than "the _ of which"! And although I don't > want to argue by authority or precedent, these literary > examples sound elegant and clear to me: > > https://english.stackexchange.com/questions/23541/can-whose-refer-to-an-inanimate-object I believe Strunk & White is more restrictive, but then I'm a guy who's picky about using which vs. that, fewer vs. less, ... :-) > > And as for nonce-reuse in AEAD algorithms, I guess we > shouldn't say it is strictly verboten for *every* algorithm, > as there are new "nonce-misuse resistant" algs coming down > the pipe. So I've gone with: "Because it is strictly > necessary for the security of the AEAD algorithms specified > in this document, ..." yes, that's a good clarification. > >> Section 4 describes the byte-level encoding for the data structures >> described in Section 3, as part of the tcpcrypt specification. In 4.1 found >> the description of the “ignored” data the INIT1_ and INIT2_ messages to be a >> bit confusing. I had to reread the descriptions to figure out that this was >> the authors’ way of saying that data beyond the end of the message (as >> indicated by the message_len field) is to be ignored upon reception. I don’t >> think the graphics used here are a great way to explain this. > Yes ... I'll try to find a better way. > >> Section 6 defines the initial set of AEAD algorithms supported by tcpcrypt, >> in Table 2. Each algorithm is assigned a value in the 1-255 range, a much >> smaller range of values that used in protocols like TLS. The text in Section >> 7 might need to remind readers that this will argue against the registration >> of “vanity” AEAD algorithms for tcpcrypt. > Hm yes, I see that TLS 1.3 uses a two-byte identifier for a > similar purpose, although it looks like this specifies both > an AEAD algorithm and an HKDF. > > Well, although the code-space used by tcpcrypt is small, > TCP-ENO is a big escape-hatch in terms of extensibility. > For example, tcpcrypt could be extended with additional TEPs > whose only difference is to map the symmetric-cipher > identifier-bytes to different meanings. Not the prettiest > solution, but perhaps acceptable if one is optimistic that > exhaustion is unlikely anyway? We've seen nation-specific algorithms proposed as optional for use with a number of security protocols, which is why I mention this issue. An allusion to the potential to expand this space, if needed, would be useful here. > >> Security Considerations are described in Section 8. I found the phrase “Most >> implementations will rely on system-wide pseudo-random generators…” to be a >> bit confusing, because the ambiguity of the word “system” here. I presume >> this really refers to a single device in mots cases, e.g., a laptop, >> desktop, smartphone, right? I suggest a reference to RFC 4086 might be a >> good substitute for much of the text at the beginning of this section. > Right. I'll clarify that, and also consider invoking > RFC 4086 to replace the details of the first three > paragraphs. OK. > >> I’d like the authors to provide a rationale for the advice: “…limit the >> lifetime of the private parameters, ideally to no more than two minutes.” >> This seems a bit arbitrary to me. > Indeed. I've reworked that paragraph as follows: > > Tcpcrypt uses short-lived public keys to provide forward secrecy. > That is, once an implementation removes these keys from memory, a > compromise of the system will not provide any means to derive the > session keys for past connections. All currently specified key > agreement schemes involve ECDHE-based key agreement, meaning a new > keypair can be efficiently computed for each connection. If > implementations reuse these parameters, they SHOULD limit the > lifetime of the private parameters as far as practical in order to > minimize the number of past connections that are vulnerable. Much better! Steve
- [secdir] SECDIR review of draft-ietf-t cpinc-tcpc… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-t cpinc-… Daniel B Giffin
- Re: [secdir] SECDIR review of draft-ietf-t cpinc-… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-t cpinc-… Daniel B Giffin
- Re: [secdir] SECDIR review of draft-ietf-t cpinc-… Black, David
- Re: [secdir] SECDIR review of draft-ietf-t cpinc-… Stephen Kent