[tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")

[Kyle Rose <krose@krose.org>]

In the IETF LC thread referenced in the thread subject (CC'ed to the tcpinc
list), Ekr (acting as security AD) raised an issue on which we need to seek
rough consensus from the WG: that of the key-reuse risk potential in the
resumption key schedule.

Please see that thread for more details (especially Ekr's email from Nov
18, in the archives at
https://www.ietf.org/mail-archive/web/tcpinc/current/msg01471.html), but a
brief summary is that, with the catastrophic loss of security inherent in
AEAD modes like GCM when the same key and nonce are used to encrypt
multiple blocks, the construction of ss[i] (see section 3.3 of
draft-ietf-tcpinc-tcpcrypt-10) depending only on ss[i-1] and some
constants, and in particular *not* depending on fresh randomness from each
party, will inevitably break confidentiality and authentication should an
implementation not strictly prevent the reuse of ss[i] on multiple
connections.

There is language in the draft prohibiting reuse of ss[i]:

q( A session secret may not be used to secure more than one TCP
connection.  To prevent this, a host MUST NOT resume with a session
secret if it has ever enabled encryption in the past with the same
secret, in either role. )

but there is concern that this language is not strong enough: first, that
it does not explain the reason for the prohibition; and second, because the
prohibition refers only to "a host" and does not directly address the
threat posed by sharing of resumption state across machines.

Given the absence of a mechanism for stateless resumption in tcpcrypt (such
as that provided by TLS session tickets), this prohibition essentially
precludes resumption across a server pool via periodic state sharing, as
there would be a race condition between use of ss[i] on one server and
invalidation of that value throughout the rest of the pool.

The chairs are looking for direction from the WG on how to proceed. From
the discussion in the other thread, I see a number of basic options,
ranging from least- to most-invasive:

(1) Strengthening the language around this prohibition.
(2) Adding a 0-RT mechanism for adding fresh randomness to the resumption
key schedule.
(3) Adding a 1-RT mechanism for adding fresh randomness to the resumption
key schedule (that also provides a measure of replay protection at the cost
of an additional round trip).
(4) Switching to a stateless resumption mechanism, which would necessarily
involve fresh randomness (but at the cost of requiring an additional round
trip for resumption owing to insufficient option space for encoding state).

I would like the WG to discuss the risks and benefits of each option and
decide how to proceed. I believe we already have rough consensus on
sticking with a stateful resumption scheme given the latency costs of
stateless resumption under the constraints of TCP, but the WG can always
reopen that question if there is rough consensus to do so.

Thanks,
Kyle