Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")

"Black, David" <David.Black@dell.com> Fri, 01 December 2017 14:49 UTC

From: "Black, David" <David.Black@dell.com>
To: Valery Smyslov <svanru@gmail.com>
CC: 'tcpinc' <tcpinc@ietf.org>, 'Kyle Rose' <krose@krose.org>, "'Mirja Kuehlewind (IETF)'" <ietf@kuehlewind.net>, 'Eric Rescorla' <ekr@rtfm.com>
Date: Fri, 01 Dec 2017 14:48:45 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/RX4yaTCA-LvnSZ3I2oD5HOGEpTE>

> > > 2)      Copying a running virtual machine, including memory, which creates a
> > > copy of the session secrets.  Such copies are routinely stored on non-volatile
> > > storage, from which the VM can be resumed.
> 
> [...]
> 
> > > An additional reason for concern is that the encryption provided by the mandatory
> > > AEAD algorithm for tcpcrypt, AEAD_AES_128_GCM, is a stream cipher (AES GCM),
> > > for which reuse of a <nonce, key> pair is catastrophic - XOR-ing the two
> > > ciphertexts removes encryption.
> 
> This is not a tcpcrypt problem. The same problem applies to any
> security protocol (IPsec, TLS, etc.) that uses counter-based cipher modes (GCM, CCM, etc.).
> Switch to nonce-misuse resistant modes.

The actual situation is more subtle than that.  The VM is likely to be stored for long
enough that TCP connections drop - if not, e.g., the VM is cloned and the clone
runs immediately, that new VM likely has to be assigned a new IP address in order
to not conflict with the existing VM, and that also drops TCP connections.

In both cases, the security protocol resumes or restarts with a new TCP connection,
providing an opportunity to inject entropy.  TLS injects entropy when it resumes, but
the current tcpcrypt design does not.  If a restart happens, both protocols (obviously)
use new entropy.

Thanks, --David (still as an individual, not WG chair)
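
The following is an added illustration, not part of the original message or of the tcpcrypt draft. It is a simplified model of the point discussed above: two copies of a VM resume from the same stored secret, with and without fresh per-connection entropy mixed into the key. HMAC-SHA256 stands in for the AES-GCM counter-mode keystream, and all function names, the secret and the messages are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: the secret captured in the VM image and two first frames.
SECRET = b"resumption secret stored in the VM snapshot"
MSG_A = b"frame sent by the original VM.."
MSG_B = b"frame sent by the cloned VM...."

def derive_key(resumption_secret: bytes, fresh: bytes = b"") -> bytes:
    """Session key from the stored secret, optionally mixed with new entropy."""
    return hmac.new(resumption_secret, b"session key" + fresh, hashlib.sha256).digest()

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream; HMAC-SHA256 is a stand-in for the AES block function."""
    out, block = b"", 0
    while len(out) < length:
        counter = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, counter, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def resume_both_copies(secret: bytes, msg_a: bytes, msg_b: bytes, inject_entropy: bool):
    """Both VM copies resume from the same secret and send their first frame (nonce 0).

    With inject_entropy, each new connection mixes in its own random value
    (in a real protocol this value is exchanged in the resumption handshake).
    """
    fresh_a = os.urandom(16) if inject_entropy else b""
    fresh_b = os.urandom(16) if inject_entropy else b""
    ct_a = encrypt(derive_key(secret, fresh_a), 0, msg_a)
    ct_b = encrypt(derive_key(secret, fresh_b), 0, msg_b)
    return ct_a, ct_b

def keystream_cancelled(ct_a: bytes, ct_b: bytes, msg_a: bytes, msg_b: bytes) -> bool:
    """True when XOR of the ciphertexts equals XOR of the plaintexts (<nonce, key> reuse)."""
    return xor(ct_a, ct_b) == xor(msg_a, msg_b)

if __name__ == "__main__":
    for inject in (False, True):
        ct_a, ct_b = resume_both_copies(SECRET, MSG_A, MSG_B, inject)
        print("fresh entropy:", inject, "-> keystream cancelled:",
              keystream_cancelled(ct_a, ct_b, MSG_A, MSG_B))
```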