Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")

"Valery Smyslov" <svanru@gmail.com> Sun, 03 December 2017 13:42 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 756C31205F1 for <tcpinc@ietfa.amsl.com>; Sun, 3 Dec 2017 05:42:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.261
X-Spam-Level:
X-Spam-Status: No, score=-2.261 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K5H7LuLrpo3Q for <tcpinc@ietfa.amsl.com>; Sun, 3 Dec 2017 05:42:46 -0800 (PST)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 139B3126DFB for <tcpinc@ietf.org>; Sun, 3 Dec 2017 05:42:46 -0800 (PST)
Received: by mail-lf0-x22f.google.com with SMTP id f20so16307253lfe.3 for <tcpinc@ietf.org>; Sun, 03 Dec 2017 05:42:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:from:to:cc:references:in-reply-to:subject:date :mime-version:content-transfer-encoding:importance; bh=T4IeSM8PjWpkZNml7ah7zWjw46JcFXlDxxWNHkY4egs=; b=PnyPJ3A7oDMZLgKV9pjHZ/ihfn45Fqae3ijWF4L3HL3I797OVorBHP2iXlZZapHL/5 243D8jkwlJHDBoBrF5Kx6ayvvCz5MK0OYMWlQ6d/SYP5rTX9CsLQhrur0FErZMGvaIPI +3ZZcX4dLyJzqLNEZO6cXInTb4wYRHycROXoxoyb0j4mQSJTrVNrfgCwNHSe9yJd3n8c 19NLbnFTlqWRyrT2wo04K6pRaPNtw23+bRlhvkJcQxZ2pjaiQ0wC5/o49TimxE4Fglrg LnyaPM3ZwO4HX4k6dflvqoSvoS5F3LkuWwiFS68GR7ROD5I6d/ouRvJeNKPzYkSkSyWg gLEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:from:to:cc:references:in-reply-to :subject:date:mime-version:content-transfer-encoding:importance; bh=T4IeSM8PjWpkZNml7ah7zWjw46JcFXlDxxWNHkY4egs=; b=jmEP1eRsQWjUwuFjHiwgUFgvawFUqP6VN5LODoxgGjUaCQf2r+PFpY3c26iYXFyBOY SJj4lmanjqDCrHQA6/nP5Z+LIe/SLQbqeWrfggQYfRNVvTy8x+NwTGRYx+nJjxVK2+Z4 ZJ/+hxWM0O+uf5dElOy26DBSF7aoWgU2EBAGKu4/LbRbSOMqaRyvLf8PeIvQPjZ+OQAL WWx3N/JLDv2gsK429vXmZsYKTpvhmBuZ/+6NGYO4nZecY89ow0Ek3eZ2b1/Mxc+WqWFv c18/5d40Zb0CHjUrQIozcIUJaOcuaLSwh3RsLf8PZNuDJe/Xnq7k7fd59okcazcRinuM XtMg==
X-Gm-Message-State: AJaThX4WT/EjxlQXZzbRxiBch4EDP354VIw3AAr85s7XIJ3Rup9rqFvH TshzHE0/TcQBSDKKJ+uxFMs=
X-Google-Smtp-Source: AGs4zMbYAmQAuIkeqyLrNI8gzvlLzvo1jHtjMHZVEjrfAryISFMVmyaaTy44dWf+k4hfoitNP8VHXw==
X-Received: by 10.46.32.230 with SMTP id g99mr7401971lji.147.1512308564275; Sun, 03 Dec 2017 05:42:44 -0800 (PST)
Received: from chichi (ppp83-237-174-99.pppoe.mtu-net.ru. [83.237.174.99]) by smtp.gmail.com with ESMTPSA id p73sm1965217lfp.9.2017.12.03.05.42.42 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 03 Dec 2017 05:42:43 -0800 (PST)
Message-ID: <B0FB25D40E23475C9259A4C204B327D2@chichi>
From: "Valery Smyslov" <svanru@gmail.com>
To: "Eric Rescorla" <ekr@rtfm.com>
Cc: "Black, David" <David.Black@dell.com>, "tcpinc" <tcpinc@ietf.org>, "Kyle Rose" <krose@krose.org>, "Mirja Kuehlewind \(IETF\)" <ietf@kuehlewind.net>
References: <CAJU8_nUUHbmFcPA2obo6q3dLqL1MGE2iKen-0EQ82re=+gtTfw@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD96B0D@MX307CL04.corp.emc.com> <23072.32691.892725.97892@fireball.acr.fi> <01bc01d36a71$45957db0$d0c07910$@gmail.com> <CABcZeBPN_XQc8np3CWi_-AtDUafW4ZPc8EnRje8yj57Rv-vxyw@mail.gmail.com>
In-Reply-To: <CABcZeBPN_XQc8np3CWi_-AtDUafW4ZPc8EnRje8yj57Rv-vxyw@mail.gmail.com>
Date: Sun, 3 Dec 2017 16:42:41 +0300
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="UTF-8"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/B3qGxtSinW2RIJQLohoLm4DwIC4>
Subject: Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Dec 2017 13:42:48 -0000

Hi Eric,

> > This is not tcpcrypt problem. The same problem applies to any
> > security protocol (IPsec, TLS, etc.) that uses counter based cipher modes (GCM, CCM, etc.).
> > Switch to nonce-misuse resistant modes.
> 
> 
> Actually, the problem here is unique to tcpcrypt because it doesn't use a nonce during resumption, so
> reuse of the resumption key causes failure. That does not happen in TLS or (I believe) IKE.
> 
> -Ekr

Thanks for clarification, I can see that tcpcrypt behaves less secure in resumption than TLS
or IKE (and you are right, IKE does use a nonce during resumption). 

But I was reffering to a slightly different situation. If you freeze running VM, clone it, then
resume for a while, then stop it and resume the clone, then internal state of your cloned VM
will be exactly the same as it was in the first reincarnation of VM. If you implement cipher in software,
then all counters, used for couner-based encryption mode will repeat, that will break
security regardless of the security protocol in use. Of course, if the event of VM resumption is somehow 
detected by implementation inside VM, then the implementation can immediately delete old session
and create a new one, adding (hopefully) fresh nonces. I'm not sure that software inside 
VM can always detect that the VM is resumed.

Regards,
Valery.