Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")
Eric Rescorla <ekr@rtfm.com> Sat, 02 December 2017 00:10 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 716721286D6 for <tcpinc@ietfa.amsl.com>; Fri, 1 Dec 2017 16:10:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lYAELqNHCrJI for <tcpinc@ietfa.amsl.com>; Fri, 1 Dec 2017 16:10:18 -0800 (PST)
Received: from mail-yb0-x22f.google.com (mail-yb0-x22f.google.com [IPv6:2607:f8b0:4002:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EBE812711B for <tcpinc@ietf.org>; Fri, 1 Dec 2017 16:10:18 -0800 (PST)
Received: by mail-yb0-x22f.google.com with SMTP id b188so4659061ybg.11 for <tcpinc@ietf.org>; Fri, 01 Dec 2017 16:10:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lBLJHh/Qx3jglbTfo9u9B9GPmjvo/Jvq36D1TmSbMnA=; b=k93EUFME1dYWh2/LJWoNq3KKU7TIwBbLgBbda+PY34nU/McjSfBupQ8c8aQwROeBhG 1I2rZp1k93L3N7GISE9i/eggFlqM6bM015pm68q+a/2WKNNPVk8GgAwNXZSIMuLkz1Xa 8Tg7SOp4/EB1Xux6l1XfU7xxpSqFg8lulNWbtOGutEBfc4CDRuFFi7kTz0B7ce44prPp mv5g2a4oQxmJ4vGAlVDIyY7rQqIfTocZynSkhF9sXFrISSrhd+rShALPKtHkzOoktyeq vdKd2oR8A4wkvSPjESlL1Y2vsoK48/wiu94AfaHo+/zekm4P/aziqMSNW20/SSlqUmfO AfCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lBLJHh/Qx3jglbTfo9u9B9GPmjvo/Jvq36D1TmSbMnA=; b=NH3jCot8LJRVIaYnWq1khyDtPQIxUJ72mf+gGtCjkGVSKmsI/G45vrggt800qXt6U/ gzx+iwyZFxh985ERtHSTq+SjMKNqh84aIBDew39rqKpXuOB+3ShmgqINVjvSyAMmc6Pl 9cEdxT+NZdoEG3Mxc/zbPefgx+FQhC5mFgqkPiIYGr+rVKUCZnD65GcQJsKxiAiPcf+3 e8Wo1SdkDSuL+ThsKkmLhUq21YralwleVpN9YzhC2JVeY1eMM6ZkK+UhXw4Xh6KTzDya Hfp0Om9Pxx+lveVz2TN85ggctd6zugRO8DAEbItUTtL6oOJNAK4Uw31zkkwN2nZ/iEyE xXSQ==
X-Gm-Message-State: AJaThX5lSgkEuw/9NPGhB+46xUG1VSidnNo0YQCk3xfi7XrSAqa+keWA 1G1tm5lyR9/DR76OJuqlRAioPHpyMyxWe4ga3duz+g==
X-Google-Smtp-Source: AGs4zMafv+10gRvstyyeE6eDPc02QYOjcAq/EGq29n13ILW7j3Y3WdUQLHHPtPz/p7iligaWwkIuNGnAfHc+YFZspOg=
X-Received: by 10.37.107.82 with SMTP id o18mr4734133ybm.293.1512173417832; Fri, 01 Dec 2017 16:10:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.123.132 with HTTP; Fri, 1 Dec 2017 16:09:37 -0800 (PST)
In-Reply-To: <CAJU8_nWzJ-rZ9SKH+S-BnyzmGR_Q1zjZZz1r89Bi+HbG8t5XBA@mail.gmail.com>
References: <CAJU8_nUUHbmFcPA2obo6q3dLqL1MGE2iKen-0EQ82re=+gtTfw@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD96B0D@MX307CL04.corp.emc.com> <23072.32691.892725.97892@fireball.acr.fi> <01bc01d36a71$45957db0$d0c07910$@gmail.com> <CE03DB3D7B45C245BCA0D243277949362FDAF297@MX307CL04.corp.emc.com> <CAJU8_nWzJ-rZ9SKH+S-BnyzmGR_Q1zjZZz1r89Bi+HbG8t5XBA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 01 Dec 2017 16:09:37 -0800
Message-ID: <CABcZeBMh6tOi_fNyxX7NaYh57Mhi9CsznkKyF=JkHrLT6XacaA@mail.gmail.com>
To: Kyle Rose <krose@krose.org>
Cc: "Black, David" <David.Black@dell.com>, Valery Smyslov <svanru@gmail.com>, tcpinc <tcpinc@ietf.org>, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
Content-Type: multipart/alternative; boundary="089e08267d3068c1d7055f504f02"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/07vdl9U8_2TDEUQZc1ivFa_fE_8>
Subject: Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Dec 2017 00:10:20 -0000
On Fri, Dec 1, 2017 at 11:56 AM, Kyle Rose <krose@krose.org> wrote: > On Fri, Dec 1, 2017 at 9:48 AM, Black, David <David.Black@dell.com> wrote: > >> This is not tcpcrypt problem. The same problem applies to any > >> security protocol (IPsec, TLS, etc.) that uses counter based cipher > modes (GCM, CCM, etc.). > >> Switch to nonce-misuse resistant modes. > > > > The actual situation is more subtle than that. The VM is likely to be > stored for long > > enough that TCP connections drop - if not, e.g., the VM is cloned and > the clone > > runs immediately, that new VM likely has to be assigned a new IP address > in order > > to not conflict with the existing VM, and that also drops TCP > connections. > > > > In both cases, the security protocol resumes or restarts with a new TCP > connection, > > providing an opportunity to inject entropy. TLS injects entropy when it > resumes, but > > the current tcpcrypt design does not. If a restart happens, both > protocols (obviously) > > use new entropy. > > I'm not sure what you're trying to argue here. Assuming correct client > behavior, ss[i] will never be used twice, so we are necessarily > dealing with a situation in which the client is acting incorrectly. > Or an on-path attacker captures the sessionid and replays it to the server. -Ekr
- [tcpinc] Resumption safety (was "Eric Rescorla's … Kyle Rose
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Black, David
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Tero Kivinen
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Black, David
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Kyle Rose
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Eric Rescorla
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Eric Rescorla
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Black, David
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Kyle Rose
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Kyle Rose
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Tero Kivinen
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Kyle Rose
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Black, David
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Tero Kivinen
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Tero Kivinen