Re: [tcpinc] new drafts of TCP-ENO and tcpcrypt Sun, 08 October 2017 04:56 UTC

To: Gregorio Guidi <>, "Mirja Kuehlewind (IETF)" <>
Cc: Daniel B Giffin <>, tcpinc <>
Reply-To: David Mazieres expires 2018-01-05 PST <>
Date: Sat, 07 Oct 2017 21:56:47 -0700

Gregorio Guidi <> writes:

> Having followed the standardization of tcpcrypt on the tcpinc mailing
> list (as a passive observer), I wanted to check with you on a point
> that was not heavily discussed as far as I can see: the choice of the
> "mandatory to implement" (MTI) algorithms for key agreement.
> I explain my concern: tcpcrypt defines ECDHE-P256 and ECDHE-P521 as MTI 
> algorithms, however these are based on the NIST elliptic curves that - 
> while widely deployed and offering great security - have been subject to 
> some criticism in the last years. You have probably seen many times the 
> arguments raised against them. The following is a good summary:

You raise a reasonable question.  There are a lot of trade-offs.  On one
hand, it would be nice to have a scheme with longer than 32-byte keys.
But then it's probably easier to find a P521 ECDHE implementation to
cram into the kernel than a curve448.  Should we have Curve25519 and
P521?  But whatever library supports P521 probably also supports P256,
so it's less work to do both of those.  Also, the best reference for the
two Edwards curves is an informational RFC, vs. IEEE and NIST standards
for the other ones.

One good thing is that MTI is almost irrelevant given the way the
different public key algorithms have been assigned their own ENO TEP
Identifiers.  It's almost as if this document is defining four separate
protocols that just happen to be able to share 99% of the code.  But of
course we need to encourage people to implement the same algorithms