Re: [tcpinc] Genart telechat review of draft-ietf-tcpinc-tcpcrypt-10

Daniel B Giffin <dbg@scs.stanford.edu> Tue, 28 November 2017 20:59 UTC

Date: Tue, 28 Nov 2017 12:59:28 -0800
From: Daniel B Giffin <dbg@scs.stanford.edu>
To: Dale Worley <worley@ariadne.com>
Cc: gen-art@ietf.org, draft-ietf-tcpinc-tcpcrypt.all@ietf.org, tcpinc@ietf.org, ietf@ietf.org
Message-ID: <20171128205928.GC42654@scs.stanford.edu>
References: <151173726115.30946.6601859817056753241@ietfa.amsl.com>
In-Reply-To: <151173726115.30946.6601859817056753241@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/JxmIGeWu5aywRLUVlaiUf7QVoC4>
Subject: Re: [tcpinc] Genart telechat review of draft-ietf-tcpinc-tcpcrypt-10

Hi Dale,

As described below, I've addressed these nits with a few
changes that will appear in the next draft (probably today).

Dale Worley wrote:
> Reviewer: Dale Worley
> Review result: Ready with Nits
> 
> I am the assigned Gen-ART reviewer for this draft.  The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed by
> the IESG for the IETF Chair.  Please wait for direction from your
> document shepherd or AD before posting a new version of the draft.
> 
> For more information, please see the FAQ at
> <https://wiki.tools.ietf.org/area/gen/wiki/GenArtfaq>.
> 
> Document:  review-draft-ietf-tcpinc-tcpcrypt-10
> Reviewer:  Dale R. Worley
> Review Date:  2017-11-26
> IETF LC End Date:  2017-10-19
> IESG Telechat date:  2017-11-30
> 
> Summary:
> 
>     This draft is basically ready for publication, but has nits
>     that should be considered before publication.
> 
> I'm rather impressed that the authors have gone through three
> revisions in little more than a month after LC.
> 
> The text prefixed by ">" is extracted from Daniel B Giffin's reply of
> 21 Oct 2017 to my Gen-Art review of draft-ietf-tcpinc-tcpcrypt-07.
> 
>     [in my review of draft-ietf-tcpinc-tcpcrypt-07:]
>     6. It might be worth adjusting the rules for how the A and B roles are
>     carried forward during session resumption.  Of course, each host
>     should compute the resumption identifier that it expects to receive
>     based on the role it had in the previous session.  But it's not clear
>     to me why a host that used k_ab for encryption (i.e., had the A role)
>     in the previous session must also use k_ab for encryption in the
>     resumed session, since the two sequences of k_ab/k_ba are generated
>     from the different session keys of the two sessions.  If you made the
>     choice of k_ab/k_ba be dependent on the A/B roles established by
>     TCP-ENO for *this* session, it seems like the specification of the
>     protocol would be a bit simpler.
> 
>     > I'll explain this design choice under separate cover, when I
>     > have a moment ...
> 
> I can't find the discussion of this design choice.

Sorry about that ...

This choice (determining which encryption keys to use by the
host's role in the *original* session, not the current one)
is mostly arbitrary.  I agree it is not the most intuitive
choice, but there is a sliver of purpose to justify it:

If some weakness in a TCP-ENO implementation allowed
attackers to cause two connecting tcpcrypt hosts to play the
same role when resuming, and keys were dependent on the
roles in this resumed session, they would then go ahead to
encrypt using the same keys.  That would be quite dangerous.
And each instance of session resumption would be an
opportunity to perpetrate this role-confusion attack.

Using the original session's role to choose the keys means
such an attack would have to succeed against the original
key exchange, where a confusion of roles should cause an
abort due to the asymmetrical Init1/Init2 messages (and if
not, would result in unrelated encryption keys and
non-matching session IDs).

>     > Yes, underscores are used to mark terms that are being
>     > introduced for the first time and defined.
> 
> Contra this statement, _..._ is used in two places as an emphatic:
> 
> 3.2.  Protocol Negotiation
> 
>    If a passive opener receives an ENO option including tcpcrypt TEPs it
>    supports, it MAY then attach an ENO option to its SYN-ACK segment,
>    including _solely_ the TEP it wishes to enable.
> 
> 3.5.  Session Resumption
> 
>    If an active opener sends a resumption suboption with a particular
>    TEP and the appropriate half of a resumption identifier and then, in
>    the same TCP handshake, receives a resumption suboption with the same
>    TEP and an identifier-half that does _not_ match that resumption
>    identifier, it MUST ignore that suboption.

Indeed.  I've simply removed the emphasis in those two
cases, as it doesn't seem necessary to comprehension.

> --
> 
> 3.5.  Session Resumption
> 
>    Implementations that cache session secrets MUST provide a means for
>    applications to control that caching.  In particular, when an
>    application requests a new TCP connection, it must be able to specify
>    that during the connection no session secrets will be cached and all
>    resumption requests will be ignored in favor of fresh key exchange.
>    And for an established connection, an application must be able to
>    cause any cache state that was used in or resulted from establishing
>    the connection to be flushed.  A companion document
>    [I-D.ietf-tcpinc-api] describes recommended interfaces for this
>    purpose.
> 
> The phrase "all resumption requests will be ignored in favor of fresh
> key exchange" doesn't seem to carry quite the right meaning to me,
> although what it must mean in this context is clear.  That phrase
> seems to have some implication that it operates when a fresh key
> exchange is provided along with a resumption request as an
> alternative... which is implicitly what the situation is, but not
> explicitly.  I would prefer "all resumption requests will be ignored
> and a fresh key exchange will be required".

Okay.  I've gone a bit further in order to be very clear:

   Implementations that cache session secrets MUST provide a means for
   applications to control that caching.  In particular, when an
   application requests a new TCP connection, it must be able to specify
   two policies for the duration of the connection: 1) that resumption
   requests will be ignored, and thus fresh key exchange will be
   required; and 2) that no session secrets will be cached.  (These
   policies may be specified independently or as a unit.)  And for an
   established connection, an application must be able to cause any
   cache state that was used in or resulted from establishing the
   connection to be flushed.  A companion document [I-D.ietf-tcpinc-api]
   describes recommended interfaces for this purpose.


> 
> 3.6.  Data Encryption and Authentication
> 
>    ...
>    as above, and provides these and the ciphertext value to the the AEAD
>    ...
> 
> s/the the/the/

Thanks.

> 
>     > I've gone through and used something like "negotiated TEP"
>     > in a couple places where the document said that a parameter
>     > depended on the "negotiated key-agreement scheme", and also
>     > added various phrases to make clear that the TEP dictates
>     > all the parameters.
> 
> Note that the current sections 4.3 and 5 show that the *lengths* are
> determined by TEP, but the *constants* are fixed by tcpcrypt itself.

Yes.  I suppose having the constants be parameterized by the
TEP would be the ultimate in flexibility, but I can't think
of a good enough reason to add this slight complexity to
implementations.

> 
> 3.3.  Key exchange
> 
>    o  "PK_A", "PK_B": ephemeral public keys for hosts A and B,
>       respectively.
> 
>     [in my review of draft-ietf-tcpinc-tcpcrypt-07:]
>     The use of "PK" for a public key seems to be poorly mnemonic, as it is
>     also the acronym of "private key".  There ought to be standard (and
>     distinct!) abbreviations for these phrases, but I can't find any...
> 
>     > Yeah ... at least in this document we don't name private
>     > keys, as they are never transmitted.
> 
> How about "Pub_A" and "Pub_B"?  (This suggests "Prv_A" and "Prv_B"
> (which wouldn't be used in this document.))

Good enough; I've made this change.

> 
> [END]

Thanks for these comments!

daniel
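The role-confusion argument in Daniel's reply (keys chosen by the role in the original session rather than the resumed one), as an added example that is not part of this thread or of the tcpcrypt draft: a small Python model of two hosts, an initial handshake whose Init1/Init2 asymmetry aborts when both hosts hold the same role, and the two key-selection policies discussed in the review. The message names, the HMAC-with-label derivation of k_ab/k_ba and every function name below are constructed for this illustration and are not tcpcrypt's actual wire format or key-derivation function.

```python
import hashlib
import hmac
import os

# Constructed model for this example: not tcpcrypt's real messages or
# derivation.  A sends Init1, B sends Init2.
INIT_MESSAGE = {"A": "Init1", "B": "Init2"}


def original_handshake(role_x, role_y, secret=None):
    """Model of the initial key exchange between hosts X and Y.

    Each host sends the Init message for its role and expects the other
    message type in return.  If both hosts hold the same role (a TCP-ENO
    role confusion), each receives the message type it sent, and the
    handshake aborts (returns None).  Otherwise both hosts share a
    session secret (constructed here; the real protocol derives it from
    the ECDH exchange).
    """
    if INIT_MESSAGE[role_x] == INIT_MESSAGE[role_y]:
        return None  # Init1/Init2 asymmetry catches the confusion
    return secret if secret is not None else os.urandom(32)


def derive_direction_keys(session_secret):
    """Derive one key per direction from a session secret.

    HMAC with a direction label stands in for the draft's derivation; the
    only property used here is that k_ab and k_ba are distinct keys
    derived from the same secret.
    """
    return {
        "k_ab": hmac.new(session_secret, b"k_ab", hashlib.sha256).digest(),
        "k_ba": hmac.new(session_secret, b"k_ba", hashlib.sha256).digest(),
    }


def sending_key(keys, role):
    """The host in role A encrypts with k_ab, the host in role B with k_ba."""
    return keys["k_ab"] if role == "A" else keys["k_ba"]


def resumed_sending_keys(resumed_secret, original_roles, resumed_roles, policy):
    """Sending key each host would use after session resumption.

    original_roles, resumed_roles: dict host -> "A" or "B"
    policy: "original" (select by the role held in the original session,
            as the draft does) or "current" (select by the role TCP-ENO
            assigned in the resumed session, as the review suggested)
    """
    keys = derive_direction_keys(resumed_secret)
    roles = original_roles if policy == "original" else resumed_roles
    return {host: sending_key(keys, roles[host]) for host in roles}


def sending_keys_collide(resumed_secret, original_roles, resumed_roles, policy):
    """True if both hosts would encrypt with the same key, i.e. both
    directions of traffic share one key and nonce space."""
    ks = list(resumed_sending_keys(resumed_secret, original_roles,
                                   resumed_roles, policy).values())
    return ks[0] == ks[1]


if __name__ == "__main__":
    # Original session: X is A, Y is B; the handshake succeeds.
    assert original_handshake("A", "B") is not None
    # A confused original handshake (both A) aborts before any keys exist.
    assert original_handshake("A", "A") is None

    original_roles = {"X": "A", "Y": "B"}
    confused_roles = {"X": "A", "Y": "A"}  # role confusion on resumption
    resumed_secret = os.urandom(32)        # stand-in for the resumed secret

    for policy in ("current", "original"):
        print(policy, "policy, keys collide:",
              sending_keys_collide(resumed_secret, original_roles,
                                   confused_roles, policy))
```

Running it shows the asymmetry the reply relies on: under the "current" policy a role confusion during resumption leaves both hosts encrypting with the same key, while under the "original" policy the only way to reach that state is to confuse roles during the initial handshake, which the Init1/Init2 check in `original_handshake` rejects.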