Re: [tcpinc] Revised version of TCP-ENO
Martin Thomson <martin.thomson@gmail.com> Fri, 14 August 2015 17:46 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB41E1B2AE3 for <tcpinc@ietfa.amsl.com>; Fri, 14 Aug 2015 10:46:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fGjgDascgSaU for <tcpinc@ietfa.amsl.com>; Fri, 14 Aug 2015 10:46:23 -0700 (PDT)
Received: from mail-yk0-x235.google.com (mail-yk0-x235.google.com [IPv6:2607:f8b0:4002:c07::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A24EF1B2ADC for <tcpinc@ietf.org>; Fri, 14 Aug 2015 10:46:18 -0700 (PDT)
Received: by ykdt205 with SMTP id t205so75176680ykd.1 for <tcpinc@ietf.org>; Fri, 14 Aug 2015 10:46:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=YEbqoUaE/VKgGLv8LbTX06CShAN1zWNtsozv+4bE5tU=; b=l73LWTKZfvAEOOUOy//oN3naQaBEZsDE7wnWX991am0sds19y7L805Il3sRT8Vw3Ng LC/vgQwnPDVF+syTi+Cdh4BdG5DGJ6G3PJecYX1n3K4Zd1K1Js4Yryvquz6LvgxHxxaI ivVgqvRvHcb/GwgHwgwaiNK8FBdEo1h4PTymnH9IMewzTbxSdammh8anjxTam0yYSb2v lRCgo3Yhb5rYim4tLiV5UCBAMDAXb0feMITWsayfaF4M30v0/BrrSwBl1hk23XgvXmF3 MtasZ0PbbjPMyEKmVU4QZMK4sbzkgC914XrAhdaeVZ2lUPR62CRHGWLRiY2WGvoRwYnb KAyA==
MIME-Version: 1.0
X-Received: by 10.13.234.138 with SMTP id t132mr41538829ywe.89.1439574377920; Fri, 14 Aug 2015 10:46:17 -0700 (PDT)
Received: by 10.129.22.211 with HTTP; Fri, 14 Aug 2015 10:46:17 -0700 (PDT)
In-Reply-To: <87io8hwznh.fsf@ta.scs.stanford.edu>
References: <87pp2vqplu.fsf@ta.scs.stanford.edu> <CAJU8_nXAHhf6dqqs0gUEGz49bG7YUO1qaGwaLm04+vstPTyfWg@mail.gmail.com> <87h9o4rqwz.fsf@ta.scs.stanford.edu> <874mk2kj56.fsf@alice.fifthhorseman.net> <CAJU8_nVcDmCw-0KYviJ5GWZL+-YcCg3wLMJqpkuh=iN8RppA+A@mail.gmail.com> <87y4hej2vf.fsf@alice.fifthhorseman.net> <87egj67sac.fsf@ta.scs.stanford.edu> <87bnea7rr6.fsf@ta.scs.stanford.edu> <CABkgnnUF-byT2MH8mrmZJaMY2PTsspWJ8W3wJmddXdgMqGHCkQ@mail.gmail.com> <87614i7o2l.fsf@ta.scs.stanford.edu> <CABkgnnU8eeX3QV+D_g2XJqWGf9YzUZ1v-eqjg9HsioGJP8-GqQ@mail.gmail.com> <87io8hwznh.fsf@ta.scs.stanford.edu>
Date: Fri, 14 Aug 2015 10:46:17 -0700
Message-ID: <CABkgnnXDomgQJSiCTdxETomPB7H+n2DggZ4VX0Q8hpqvoyq=8A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/Di_bba4sSgA-a9JshT_5D0mlWRE>
Cc: tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] Revised version of TCP-ENO
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 17:46:24 -0000
Again, you are getting bogged down in the details. What are the properties you would expect from a session ID? That it is unique to a session and that it is hard to guess (with high probability). Those are the only properties that you need to require at this level of the design. To up-level a little, I think that TCP-ENO is going too far in terms of specifying extra little bits. This session ID stuff is a good example of that. If the purpose of the draft is to enable selection of an encryption scheme, then it has far too much machinery. I have problem with specifying requirements, which is part of what Section 4 attempts to do. But you'd be better off doing so in a straightforward fashion. On 14 August 2015 at 10:25, David Mazieres <dm-list-tcpcrypt@scs.stanford.edu> wrote: > Martin Thomson <martin.thomson@gmail.com> writes: > >> I didn't suggest that you reduce entropy. My point was that you are >> creating a special carve-out for your current solution. What if you >> decide you want *two* bytes of discriminator? My point is that all >> you need is to have the session ID as a whole be hard to >> guess.synthesize, etc... > > By our current solution, do you mean TCP-ENO? It seems reasonable for > the TCP-ENO specification to include a special carve-out for itself. > Any other spec that needs a discriminator can just include the > discriminator in the collision-resistant hash input. That's fine > because a spec knows what goes into the collision-resistant hash. > > The problem is that TCP-ENO doesn't even know which cryptographic hash > functions specs will employ for the session ID. If someday one of those > hashes turns out to be incredibly insecure, we want to make sure that if > *either* end of the connection disables the bad spec, the security > problem goes away. The minimum you need for that is to > sign/MAC/etc. not just some hash but also something specifying how that > hash was computed, to avoid cross-spec collisions. Given the way the > TCP-ENO spec is written, one byte is sufficient for that purpose. > > There is another solution, which is to hard-code the hash function in > TCP-ENO. It's not entirely elegant, either, but you could say all > 32-byte session IDs are SHA-256 starting with the negotiation > transcript, and IANA can specify other lengths and hash functions down > the line. So that's more elegant in that the whole session ID can be > made indistinguishable from random, but less elegant in that spec > authors might have to rely on two different hash functions. > > So I can see arguments for 0 or 1 bytes not being indistinguishable from > random, but I can't see arguments for a two-byte discriminator, unless > you are also advocating more fundamental changes to ENO's negotiation > mechanism (which is of course still on the table at this point). > > David
- [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Daniel Kahn Gillmor
- Re: [tcpinc] Revised version of TCP-ENO Daniel Kahn Gillmor
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO Everhart, Craig
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Ted Hardie
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Martin Thomson
- Re: [tcpinc] Revised version of TCP-ENO Daniel B Giffin
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO Stephen Farrell
- Re: [tcpinc] Revised version of TCP-ENO Martin Thomson
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Martin Thomson
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Martin Thomson
- Re: [tcpinc] Revised version of TCP-ENO dm-list-tcpcrypt
- Re: [tcpinc] Revised version of TCP-ENO Stephen Farrell
- Re: [tcpinc] Revised version of TCP-ENO Martin Thomson
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres