[tcpinc] Comments on tcpcrypt draft
Kyle Rose <krose@krose.org> Sun, 06 March 2016 18:46 UTC
Return-Path: <krose@krose.org>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C5861B30BD for <tcpinc@ietfa.amsl.com>; Sun, 6 Mar 2016 10:46:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.82
X-Spam-Level: **
X-Spam-Status: No, score=2.82 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, MANGLED_NAIL=2.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FrHEYEu5mJHf for <tcpinc@ietfa.amsl.com>; Sun, 6 Mar 2016 10:46:06 -0800 (PST)
Received: from mail-qg0-x230.google.com (mail-qg0-x230.google.com [IPv6:2607:f8b0:400d:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 982391B30B8 for <tcpinc@ietf.org>; Sun, 6 Mar 2016 10:46:06 -0800 (PST)
Received: by mail-qg0-x230.google.com with SMTP id w104so81444656qge.1 for <tcpinc@ietf.org>; Sun, 06 Mar 2016 10:46:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:date:message-id:subject:from:to :content-transfer-encoding; bh=Gcd/JsqdRGelRNW8kcTsjbl2zcUwKhJD/5Z7mVII0uA=; b=QYrkVOk2SKYAitCU6XSLISSwhJXIG4UUsDk/OqdCx6iUAuV8NuHNdcTPvpWk6mvj70 Vshk3zkGRwpzXB8wjqJC2GPEi7NllbNtqUSRpG8ZIaT1iefJ5nhtIimvAufbvfAHxZBR MPze8m/kO2Fjlb/Z7FYFYo/GWnOwaak6IExII=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-transfer-encoding; bh=Gcd/JsqdRGelRNW8kcTsjbl2zcUwKhJD/5Z7mVII0uA=; b=PleBlBpWxSjNEpeUhCGnM8tYfbBb+/btKQ2HeBxFV58gvVtmed1As2pITNzP2SaEcT JTuYpf/08vIjqRhHb1KzDMkS/n6PjQ5+XGskOTKYMyJRFhC5zDxn0xIQ6GsutbxmuS39 Dcwf6tzTLDLpJXXrVUIRwOX0WfUs7aHI2HvRU2FX3ShQ611ybymJj2xuX6fLwZaGLXwh XHkiVTtM6ptCzmelN3Sm3bPdc8c74p5Avy5RJ4lvbhvaSoZPQ8yJeLlVGrpxZy1WKHPQ jSO6O4+jvIq0xXgLaZZ39KiPPextb6Wy29Y6zPrlbHulhAJLfUsvTef2jb/cD30wVOJb VJhA==
X-Gm-Message-State: AD7BkJJfAq2t6YNmYc/Hy5zrkJSFfMzKxY1VJ6u4zJ35NmxNGPnIhWHJBpLr+FQ2ABVeOIbHPAj0H0wRiwvbpA==
MIME-Version: 1.0
X-Received: by 10.140.238.8 with SMTP id j8mr25505370qhc.76.1457289965711; Sun, 06 Mar 2016 10:46:05 -0800 (PST)
Received: by 10.55.92.131 with HTTP; Sun, 6 Mar 2016 10:46:05 -0800 (PST)
X-Originating-IP: [24.120.55.131]
Date: Sun, 06 Mar 2016 10:46:05 -0800
Message-ID: <CAJU8_nWg07FNUXEAmnQQkapG2ymB7Ewt4VOtgc758NQUL+Y2Zw@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
To: tcpinc <tcpinc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/Fg2awFIeR9QwIERFMbv6s-TOeGg>
Subject: [tcpinc] Comments on tcpcrypt draft
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Mar 2016 18:46:09 -0000
Removing chair hat for this thread. Section 3 general comments: There seems to be a lot of exposition here beyond what is explicitly required to implement the protocol. I might use section 3 to describe the wire protocol without any explanations or security analysis of design choices, leaving those explanations for a later section. Accordingly, I might bring the specifications of INIT1 and INIT2 into section 3. I'm curious to know what experienced draft authors think about the options here. 3.1 "An extract function is used to generate a pseudo-random key": "Key" or "secret"? TLS 1.3 refers to the output of this key agreement as the "ephemeral secret". It might be helpful to harmonize on terminology. It's additionally confusing because this key is used to derive the "pre-master secret", which is then used to derive further keys; and this bit sequence is never used directly as the key for a cipher or MAC. 3.1 "A collision-resistant function is one on which, for sufficiently large L, an attacker cannot find...": I think this is unclear: L is not a function of the function chosen, but if "F"="family" might be a function of the family from which the function is chosen (though . Alternatively, is there a normative reference for this so the definition of CPRF can simply be dropped? 3.3 "when and only when": Precise and clear to me, but academic language-ish? Would be interested in others' opinions on this. 3.3 "This document reserves and associates four 'cs' values with tcpcrypt, as listed in Table 1": Registry? 3.4 "ephemeral public keys...SHOULD NOT ever be written to persistent storage": I agree for the private keys, but as written this states that the public keys shouldn't be written out either, which doesn't matter at all. 3.4 For harmonization with TLS terminology, I might suggest: ECDHE output = "ephemeral secret" PRK = "master secret" 3.4 "param := ...": Why this notation, where param is separate from PMS? 3.4 "PRK := Extract (N_A, ...": Why is N_A used as the salt here instead of N_A || N_B? I see that N_B is included in INIT2, but this just seems like an arbitrary choice without any explanation anywhere I can find. 3.4 "SID[0]...will with overwhelming probability be unique for each individual TCP connection": It feels like this belongs in a later security analysis section: for one thing, the uniqueness doesn't seem to be used elsewhere in section 3, and (as I said earlier) it feels like the doc would be better structured to separate the protocol description from any statements about its security properties, which qualify simply as "noise" to someone trying to implement it. 3.4 "There is no 'key confirmation' step in tcpcrypt...": Again, I'd move this later. 3.4 "If key negotiation is compromised and yields two different keys,...": This means collisions in SID[i](0..8) (72 bits) will result in failed connections, which will lead to a frequency of something like 1 out of every 2^36 connections wherever the session cache on the passive opener cannot distinguish between different active openers. Is this actually a problem? Not clear: should there be requirements around how active and passive openers partition their session caches? If naïve clients or servers use one big pool, you can expect to see this problem quite frequently at internet scale, with billions of connections per second. 3.5 The session cache section feels like it should also be split up into descriptions of protocol requirements and digressions (e.g., "the only cost is the additional ten bytes..."). 3.5 "The only cost is the additional ten bytes...": And the key exchange. 3.5 "The active opener MUST use the lowest value of 'i' that has not already appeared in a resumption suboption...": 'i' doesn't appear in the resumption suboption: SID[i] does. 3.6 "Each chunk is placed in the 'data' portion of a frame's 'plaintext' value, which is then encrypted to yield the frame's 'ciphertext' field.": This language is confusing. I envision a "frame" as a segment of communication, not as an intermediate value in a computation, which is all the plaintext is in this case. 3.6 "Chunks must be small enough that the ciphertext (slightly longer than the plaintext)...": Maybe "(as defined by the AEAD cipher used, but typically slightly longer than the plaintext)"? 3.6 "An 'associated data' value...": Is it worth looking at Damien Miller et al.'s construction for encrypted lengths? https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00 Tcpcrypt is still in the draft stage, so it may be worth looking at this now to see if there's any value there. 3.8 "more than one concurrent re-key operation": What does it mean for two re-key operations to be concurrent? 4.1 "The four-byte field 'message_len'": This is to accommodate really long keys (e.g., PQC)? 4.1 Any particular reason for INIT1 to have both message_len and N_A? If the format changes in the future, INIT1_MAGIC could just be revved. 4.2.1 "an integrity 'tag'": This is never defined. 4.2.2 Should the associated data of the first data frame include the INIT1 message? It's included in the PRK, but is key derivation the right place to put what amounts to authentication of the handshake transcript? 4.2.3 Magic numbers are specified here, but not in INIT1_MAGIC, which is in the lonely appendix. Inconsistent layout. 4.2.3 Clear from this that a cipher MUST re-key at least every 2^64 bytes. Section 5 general comments: I wonder if this belongs in this document at all, or whether it should be moved to a separate API document. Section 6: "A tcpcrypt implementation MUST support at least the schemes ECDHE-P256 and ECDHE-P521": I wonder if, now that the safe curves stuff has moved through CFRG, whether we should MTI curve25519 and curve448 instead. Section 9: I wonder whether these should be a la carte or suites: should ENO choose the combination of KX and AEAD cipher at the same time? One way, you potentially get combinatorial explosion, which might be a problem with limited ENO option space as algorithms get replaced; the other, you get weird combinations of algorithms as judged by security margin, and a more complicated handshake. I'd love to hear opinions on this. Kyle
- [tcpinc] Comments on tcpcrypt draft Kyle Rose
- Re: [tcpinc] Comments on tcpcrypt draft Mirja Kühlewind
- Re: [tcpinc] Comments on tcpcrypt draft Daniel B Giffin