[tcpinc] tcpcrypt - Session resumption cache collision
"Black, David" <david.black@emc.com> Sat, 06 August 2016 00:37 UTC
Return-Path: <david.black@emc.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DBB512D1B1 for <tcpinc@ietfa.amsl.com>; Fri, 5 Aug 2016 17:37:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.121
X-Spam-Level:
X-Spam-Status: No, score=-0.121 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=emc.com header.b=bwKmKVrM; dkim=pass (1024-bit key) header.d=emc.com header.b=ZT2oRLWb
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gaTtF9fBSQ1s for <tcpinc@ietfa.amsl.com>; Fri, 5 Aug 2016 17:37:37 -0700 (PDT)
Received: from esa2.dell-outbound.iphmx.com (esa2.dell-outbound.iphmx.com [68.232.149.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E66D812D18A for <tcpinc@ietf.org>; Fri, 5 Aug 2016 17:37:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=emc.com; i=@emc.com; q=dns/txt; s=jan2013; t=1470443856; x=1501979856; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=fw0FjRgQwRWfx1hp9OpZN3z9IC9bWifgxTLNp/AQ7Fw=; b=bwKmKVrMowZKQqb9VNfo8VdIXzM7ZURSaBx6So28ALAgScXFoHqRRiBV uHXU7F5RYe6fhcDDQVReolaZC1H/9CahFr/VAV9evJVdMM8jMRj8nXtUH wlLwg5nKQWP+1lYrap9DmspSsOewf3hhZB2QZXr8xvW9FUcy816A8q4rX w=;
Received: from mailuogwhop.emc.com ([168.159.213.141]) by esa2.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Aug 2016 04:30:24 +0500
Received: from maildlpprd04.lss.emc.com (maildlpprd04.lss.emc.com [10.253.24.36]) by mailuogwprd02.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id u75NUN4E000355 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 5 Aug 2016 19:30:23 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd02.lss.emc.com u75NUN4E000355
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1470439823; bh=H7nnfwJ5BYg+IbAPyqxW3zS3X0o=; h=From:To:CC:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=ZT2oRLWbuIGnQRc/mdSjJbkCou7ghYt3GqFfN6NxCz/sEjemjx65iO7GBE6g9DPNe 18Tik7aA4xIsYRdc3qdmoLUlpHt9FO3ptL5Ari8esk0ZbnMX4AIFu2MxblEhtgANh9 cMn244GYYXF74DQRJPNw9+hwyhE+IlRimdpLDtAE=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd02.lss.emc.com u75NUN4E000355
Received: from mailusrhubprd04.lss.emc.com (mailusrhubprd04.lss.emc.com [10.253.24.22]) by maildlpprd04.lss.emc.com (RSA Interceptor); Fri, 5 Aug 2016 19:29:15 -0400
Received: from MXHUB304.corp.emc.com (MXHUB304.corp.emc.com [10.146.3.30]) by mailusrhubprd04.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id u75NUIdW008018 (version=TLSv1.2 cipher=AES128-SHA256 bits=128 verify=FAIL); Fri, 5 Aug 2016 19:30:19 -0400
Received: from MX307CL04.corp.emc.com ([fe80::849f:5da2:11b:4385]) by MXHUB304.corp.emc.com ([10.146.3.30]) with mapi id 14.03.0266.001; Fri, 5 Aug 2016 19:30:18 -0400
From: "Black, David" <david.black@emc.com>
To: Daniel B Giffin <dbg@scs.stanford.edu>, Kyle Rose <krose@krose.org>
Thread-Topic: tcpcrypt - Session resumption cache collision
Thread-Index: AdHvcVMS+jkv5swbTjeRXUT6N5xm3w==
Date: Fri, 05 Aug 2016 23:30:17 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949362F62A947@MX307CL04.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.238.44.116]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd04.lss.emc.com
X-RSA-Classifications: public
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/2RnOqBej9aV4Slq9dKHx-yIzcKw>
Cc: tcpinc <tcpinc@ietf.org>
Subject: [tcpinc] tcpcrypt - Session resumption cache collision
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Aug 2016 00:37:39 -0000
Picking up this one comment from earlier discussion: > > 3.4 "If key negotiation is compromised and yields two different > > keys,...": This means collisions in SID[i](0..8) (72 bits) will result > > in failed connections, which will lead to a frequency of something > > like 1 out of every 2^36 connections wherever the session cache on the > > passive opener cannot distinguish between different active openers. Is > > this actually a problem? Not clear: should there be requirements > > around how active and passive openers partition their session caches? > > If naive clients or servers use one big pool, you can expect to see > > this problem quite frequently at internet scale, with billions of > > connections per second. > > Well the frequency of collision depends on the size of your > cache. I guess you're saying that if you manage a cache for > 2^36 active clients, then each new connection has > probability of collision (2^36)/(2^72) = 2^(-36). > Apparently we are supposed to have around 2^33 > internet-connected things this year, so perhaps this is a > reasonable concern. > > The motivation for the nine-byte SID prefix is to yield a > multiple-of-four ENO length in the common case. More > comment on this tradeoff is welcome! The quoted text is now in the security considerations section, but this discussion is about Session ID collision on session resumption. If there's a session ID 9-byte prefix collision resulting in a match to the resumption cache, but the wrong saved keys, so the session can't continue, the host that attempted resumption will need to retry without asking for resumption. This requires that host to realize that the connection failed after what appeared to be a successful resumption - I think a brief discussion of this is in order along with a requirement to not retry resumption of a session that failed after a resumption (never got any traffic from the other side that decrypted correctly). This only occurs on resumptions, not initial connections. Obviously, the size of the session cache affects the collision probability on resumption, but 2^36 is a large cache - I'd expect much smaller sizes of even the largest caches in practice. There is a timeout here; my initial sense is that the collision probability is small enough that this is ok, but this could use some more careful thought. Thanks, --David
- [tcpinc] tcpcrypt - Session resumption cache coll… Black, David