Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")
"Valery Smyslov" <svanru@gmail.com> Sun, 03 December 2017 13:42 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 756C31205F1 for <tcpinc@ietfa.amsl.com>; Sun, 3 Dec 2017 05:42:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.261
X-Spam-Level:
X-Spam-Status: No, score=-2.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K5H7LuLrpo3Q for <tcpinc@ietfa.amsl.com>; Sun, 3 Dec 2017 05:42:46 -0800 (PST)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 139B3126DFB for <tcpinc@ietf.org>; Sun, 3 Dec 2017 05:42:46 -0800 (PST)
Received: by mail-lf0-x22f.google.com with SMTP id f20so16307253lfe.3 for <tcpinc@ietf.org>; Sun, 03 Dec 2017 05:42:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:from:to:cc:references:in-reply-to:subject:date :mime-version:content-transfer-encoding:importance; bh=T4IeSM8PjWpkZNml7ah7zWjw46JcFXlDxxWNHkY4egs=; b=PnyPJ3A7oDMZLgKV9pjHZ/ihfn45Fqae3ijWF4L3HL3I797OVorBHP2iXlZZapHL/5 243D8jkwlJHDBoBrF5Kx6ayvvCz5MK0OYMWlQ6d/SYP5rTX9CsLQhrur0FErZMGvaIPI +3ZZcX4dLyJzqLNEZO6cXInTb4wYRHycROXoxoyb0j4mQSJTrVNrfgCwNHSe9yJd3n8c 19NLbnFTlqWRyrT2wo04K6pRaPNtw23+bRlhvkJcQxZ2pjaiQ0wC5/o49TimxE4Fglrg LnyaPM3ZwO4HX4k6dflvqoSvoS5F3LkuWwiFS68GR7ROD5I6d/ouRvJeNKPzYkSkSyWg gLEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:from:to:cc:references:in-reply-to :subject:date:mime-version:content-transfer-encoding:importance; bh=T4IeSM8PjWpkZNml7ah7zWjw46JcFXlDxxWNHkY4egs=; b=jmEP1eRsQWjUwuFjHiwgUFgvawFUqP6VN5LODoxgGjUaCQf2r+PFpY3c26iYXFyBOY SJj4lmanjqDCrHQA6/nP5Z+LIe/SLQbqeWrfggQYfRNVvTy8x+NwTGRYx+nJjxVK2+Z4 ZJ/+hxWM0O+uf5dElOy26DBSF7aoWgU2EBAGKu4/LbRbSOMqaRyvLf8PeIvQPjZ+OQAL WWx3N/JLDv2gsK429vXmZsYKTpvhmBuZ/+6NGYO4nZecY89ow0Ek3eZ2b1/Mxc+WqWFv c18/5d40Zb0CHjUrQIozcIUJaOcuaLSwh3RsLf8PZNuDJe/Xnq7k7fd59okcazcRinuM XtMg==
X-Gm-Message-State: AJaThX4WT/EjxlQXZzbRxiBch4EDP354VIw3AAr85s7XIJ3Rup9rqFvH TshzHE0/TcQBSDKKJ+uxFMs=
X-Google-Smtp-Source: AGs4zMbYAmQAuIkeqyLrNI8gzvlLzvo1jHtjMHZVEjrfAryISFMVmyaaTy44dWf+k4hfoitNP8VHXw==
X-Received: by 10.46.32.230 with SMTP id g99mr7401971lji.147.1512308564275; Sun, 03 Dec 2017 05:42:44 -0800 (PST)
Received: from chichi (ppp83-237-174-99.pppoe.mtu-net.ru. [83.237.174.99]) by smtp.gmail.com with ESMTPSA id p73sm1965217lfp.9.2017.12.03.05.42.42 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 03 Dec 2017 05:42:43 -0800 (PST)
Message-ID: <B0FB25D40E23475C9259A4C204B327D2@chichi>
From: Valery Smyslov <svanru@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "Black, David" <David.Black@dell.com>, tcpinc <tcpinc@ietf.org>, Kyle Rose <krose@krose.org>, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
References: <CAJU8_nUUHbmFcPA2obo6q3dLqL1MGE2iKen-0EQ82re=+gtTfw@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD96B0D@MX307CL04.corp.emc.com> <23072.32691.892725.97892@fireball.acr.fi> <01bc01d36a71$45957db0$d0c07910$@gmail.com> <CABcZeBPN_XQc8np3CWi_-AtDUafW4ZPc8EnRje8yj57Rv-vxyw@mail.gmail.com>
In-Reply-To: <CABcZeBPN_XQc8np3CWi_-AtDUafW4ZPc8EnRje8yj57Rv-vxyw@mail.gmail.com>
Date: Sun, 03 Dec 2017 16:42:41 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="UTF-8"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/B3qGxtSinW2RIJQLohoLm4DwIC4>
Subject: Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Dec 2017 13:42:48 -0000
Hi Eric, > > This is not tcpcrypt problem. The same problem applies to any > > security protocol (IPsec, TLS, etc.) that uses counter based cipher modes (GCM, CCM, etc.). > > Switch to nonce-misuse resistant modes. > > > Actually, the problem here is unique to tcpcrypt because it doesn't use a nonce during resumption, so > reuse of the resumption key causes failure. That does not happen in TLS or (I believe) IKE. > > -Ekr Thanks for clarification, I can see that tcpcrypt behaves less secure in resumption than TLS or IKE (and you are right, IKE does use a nonce during resumption). But I was reffering to a slightly different situation. If you freeze running VM, clone it, then resume for a while, then stop it and resume the clone, then internal state of your cloned VM will be exactly the same as it was in the first reincarnation of VM. If you implement cipher in software, then all counters, used for couner-based encryption mode will repeat, that will break security regardless of the security protocol in use. Of course, if the event of VM resumption is somehow detected by implementation inside VM, then the implementation can immediately delete old session and create a new one, adding (hopefully) fresh nonces. I'm not sure that software inside VM can always detect that the VM is resumed. Regards, Valery.
- [tcpinc] Resumption safety (was "Eric Rescorla's … Kyle Rose
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Black, David
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Tero Kivinen
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Black, David
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Kyle Rose
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Eric Rescorla
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Eric Rescorla
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Black, David
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Kyle Rose
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Kyle Rose
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Tero Kivinen
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Kyle Rose
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Black, David
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Tero Kivinen
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Valery Smyslov
- Re: [tcpinc] Resumption safety (was "Eric Rescorl… Tero Kivinen