[tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Sat, 11 November 2017 03:12 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tcpinc@ietf.org
Delivered-To: tcpinc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 216FA1270AE; Fri, 10 Nov 2017 19:12:07 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Eric Rescorla <ekr@rtfm.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tcpinc-tcpcrypt@ietf.org, Kyle Rose <krose@krose.org>, tcpinc-chairs@ietf.org, krose@krose.org, tcpinc@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.65.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <151036992713.398.18032326140786383584.idtracker@ietfa.amsl.com>
Date: Fri, 10 Nov 2017 19:12:07 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/553a4Ul13mVv3G2963zAmWe-DOo>
Subject: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Nov 2017 03:12:07 -0000
Eric Rescorla has entered the following ballot position for draft-ietf-tcpinc-tcpcrypt-09: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-tcpinc-tcpcrypt/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- https://mozphab-ietf.devsvcdev.mozaws.net/D3970 2^64 bytes in the underlying TCP datastream (which would cause the "offset" field to wrap) before re-keying. In TLS and other WGs, we have adopted the practice of salting the nonce with a secret per-connection value to avoid large-scale surveillance attacks. Why did you opt to use a weaker construction. See: https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html#security-record-layer and https://eprint.iacr.org/2016/564. FIN flag set, it MUST immediately send a frame (with empty application data if necessary) with "rekey = 1". I don't think that the algorithm in this section necessarily works properly, because you have to handle rekeys in sequence: Frame 1 [0:999] Frame 2 [1000:1999, rekey=1] Frame 3 [2000:2999, rekey=1] Now what happens if the frames are re-ordered so you get Frame 3 and then Frame 2. You will try to decrypt Frame 3 with generation 2 and Frame 2 with generation 3, neither of which will work (though you might be able to interpret the text loosely to have you try to decrypt Frame 2 with generation 2). Note that if you were to resequence before processing, this wouldn't happen. At minimum I think some clarification is needed here. Given that you are allowing P-256 and point reuse, you should be requiring point validation. See: https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html#rfc.section.4.2.8.2 https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html#elliptic-curve-diffie-hellman You should probably also be requiring Curve25519 output validation. You still seem to need to specify an MTI symmetric algorithm. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- The design of session resumption here essentially precludes doing tcpcrypt resumption across servers (as one does with TLS) because you need extremely tight control of ss[i] or you have catastrophic results. Was this a deliberate choice by the WG? suboption containing the TEP identifier and "v = 0". In order to propose session resumption (described further below) with a particular TEP, a host sends a variable-length suboption containing It would be clearer if you explained resumption here. PRK = Extract(N_A, eno-transcript | Init1 | Init2 | ES) What is the rationale for providing N_A as the salt to HKDF-Extract, given that you also supply N_A in the Init1 message? session resumption such that a given pre-session key "ss[0]" is only used for either passive or active opens at the same host, not both. This seems like it probably needs some more emphasis, as failure to follow this instruction results in GCM compromise. It would probably be useful to explain why you opted for this design rather than having nonces, which would remove the need for such strict ss[i] management. I assume the reason is that you want to save the round trip? connection; but if it aborts, the implementation MUST raise an error condition distinct from the end-of-file condition. Note that this interacts badly with the rekey issue I raise below. format", and MUST accept values encoded in "compressed", "uncompressed" or "hybrid" formats. Why are you allowing multiple formats here? Generally, if you're going to encourage compressed, you want to just require it.
- [tcpinc] Eric Rescorla's Discuss on draft-ietf-tc… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Black, David
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Black, David
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Black, David
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… David Mazieres
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… David Mazieres
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… David Mazieres
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin