Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")

Tero Kivinen <kivinen@iki.fi> Thu, 30 November 2017 22:01 UTC

Message-ID: <23072.32691.892725.97892@fireball.acr.fi>
Date: Fri, 01 Dec 2017 00:01:23 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Black, David" <David.Black@dell.com>
Cc: Kyle Rose <krose@krose.org>, tcpinc <tcpinc@ietf.org>, Eric Rescorla <ekr@rtfm.com>, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <CE03DB3D7B45C245BCA0D243277949362FD96B0D@MX307CL04.corp.emc.com>
References: <CAJU8_nUUHbmFcPA2obo6q3dLqL1MGE2iKen-0EQ82re=+gtTfw@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD96B0D@MX307CL04.corp.emc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/Yna6X5lJYXuzkTsn2hkeASFC0P4>
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>

Black, David writes:
> 2) Copying a running virtual machine, including memory, which creates a
> copy of the session secrets.  Such copies are routinely stored on non-volatile
> storage, from which the VM can be resumed.

I think this kind of behavior is so common (and is getting even more
common in the future) that the protocol needs to be resistant to this. I
mean, the person doing the cloning does not have any knowledge about
the tcpcrypt used in the machine, and quite often this is something
that is even impossible to detect inside the machine, so the
implementation cannot do anything about this. As this will cause a
catastrophic failure of the security, it is something we should deal
with even when it will cost us something.

Note that an attacker might also be able to trigger this on purpose, but
as those would require active attacks, they are mostly outside the
scope of what tcpcrypt is trying to protect against.

But I still think accidental cases (i.e., where an old VM is restored
even when there is no real attack) are common enough that we should cope
with them. So I think we should add protection against accidental reuse.
-- 
kivinen@iki.fi