Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)
Daniel B Giffin <dbg@scs.stanford.edu> Thu, 23 November 2017 08:02 UTC
Return-Path: <dbg@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A200128BB7; Thu, 23 Nov 2017 00:02:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wK7UVfJS0TQw; Thu, 23 Nov 2017 00:02:52 -0800 (PST)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FBA01271DF; Thu, 23 Nov 2017 00:02:43 -0800 (PST)
Received: from market.scs.stanford.edu (localhost [127.0.0.1]) by market.scs.stanford.edu (8.15.2/8.15.2) with ESMTP id vAN82g63085188; Thu, 23 Nov 2017 00:02:42 -0800 (PST)
Received: (from dbg@localhost) by market.scs.stanford.edu (8.15.2/8.15.2/Submit) id vAN82gqd029902; Thu, 23 Nov 2017 00:02:42 -0800 (PST)
Date: Thu, 23 Nov 2017 00:02:42 -0800
From: Daniel B Giffin <dbg@scs.stanford.edu>
To: Eric Rescorla <ekr@rtfm.com>
Cc: tcpinc <tcpinc@ietf.org>, Kyle Rose <krose@krose.org>, tcpinc-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-tcpinc-tcpcrypt@ietf.org
Message-ID: <20171123080242.GB80195@scs.stanford.edu>
References: <151036992713.398.18032326140786383584.idtracker@ietfa.amsl.com> <20171117121703.GE57159@scs.stanford.edu> <CABcZeBOas6FqCC0rwgvBvMZTJRhX4adfK1TytPY2W4TKL6PyUw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBOas6FqCC0rwgvBvMZTJRhX4adfK1TytPY2W4TKL6PyUw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/OvSHUsyB0EkHtQuVNc-pbrB8kkw>
Subject: Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Nov 2017 08:02:59 -0000
Eric Rescorla wrote: > As it happens, I was able to take a look. Several notes from my review: > > - Not all algorithms take a 12 byte nonce, so you probably want to allow > some generality > here. > - I'm not sure you still need the NONCE_MAGIC value. Yes, I agree on the above. I will change this to do the same as TLS: zero-pad the record number (frame offset for tcpcrypt) to the nonce size. > - Do you want to cover SACK in the section about how you handle > deprotection failures. I suppose that makes sense. I'll try to propose new language there shortly. > On Fri, Nov 17, 2017 at 8:17 PM, Daniel B Giffin <dbg@scs.stanford.edu> > wrote > > > > > Given that you are allowing P-256 and point reuse, you > > > should be requiring point validation. See: > > > https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13. > > html#rfc.section.4.2.8.2 > > > https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13. > > html#elliptic-curve-diffie-hellman > > > > Yes, thank you. For the NIST curves, I have added: > > > > Implementations MUST validate these "pubkey" values according to > > the > > algorithm in [ieee1363] Section A.16.10. > > > > But I see that TLS refers to ANSI X9.62 for validation, even > > though it refers to IEEE1363 for DH computation. Is there a > > good reason not to stick with the one source? > > > > TBH, not sure. Filed an issue on TLS for that. > > > > Also, I guess there's no need to check on-the-curve if we > > allow only compressed format, and it's not perfectly clear > > to me whether we need to check group membership, but I'd > > really rather not have all these details in this document if > > there's a good way to cite it out. > > > > I think your text is fine. Great. > > You should probably also be requiring Curve25519 output validation. > > > > I think you're saying we should check that the DH result is > > not zero? > > > > No harm, I suppose, but I'm going to try to get guidance on > > whether it's necessary. > > > > It's the way we're going in the security area. Is there some reason not to. Okay, having done some more reading about this, it sounds like a zero check on the output is not at all sufficient to ensure "contributory" behavior from the X25519 function: https://moderncrypto.org/mail-archive/curves/2017/000896.html And because our key-derivation function gets fresh randomness from each host's nonce, I don't believe we need to get this contribution from the DH function. (I mostly have a confirmation from Dan Boneh on this, but have asked for more clarity to be sure we can make this claim confidently; I'll report back as soon as I can.) In RFC7748, which we're referencing for how to perform X25519, it says in Section 6.1: Both now share K = X25519(a, X25519(b, 9)) = X25519(b, X25519(a, 9)) as a shared secret. Both MAY check, without leaking extra information about the value of K, whether K is the all-zero value and abort if so (see below). Alice and Bob can then use a key-derivation function that includes K, K_A, and K_B to derive a symmetric key. The check for the all-zero value results from the fact that the X25519 function produces that value if it operates on an input corresponding to a point with small order, where the order divides the cofactor of the curve (see Section 7). The check may be performed by ORing all the bytes together and checking whether the result is zero, as this eliminates standard side-channels in software implementations. So I guess tcpcrypt's instruction is "MAY abort" due to this reference. I believe this does not break anything (good-faith implementations will not cause each other to abort), but it doesn't sound like it solves anything either. Even if we wanted to "validate" X25519 pubkeys, I am not sure how to do that. The only instruction I can find is to compare the received pubkeys against this list of about a dozen bad values: https://cr.yp.to/ecdh.html#validate If there is some IETF discussion of best practice, can you point me to it? The closest I could find is in CFRG from 2015: https://www.ietf.org/mail-archive/web/cfrg/current/msg06558.html For now, I think my tentative proposal is to make no changes: that is, continue to reference RFC7748 and make no mention of public-key validation for X25519. > > > ---------------------------------------------------------------------- > > > COMMENT: > > > ---------------------------------------------------------------------- [skipped for now]
- [tcpinc] Eric Rescorla's Discuss on draft-ietf-tc… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Black, David
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Black, David
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Black, David
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Kyle Rose
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… David Mazieres
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… David Mazieres
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… David Mazieres
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Eric Rescorla
- Re: [tcpinc] Eric Rescorla's Discuss on draft-iet… Daniel B Giffin