Re: [tcpinc] Revised version of TCP-ENO
David Mazieres <dm-list-tcpcrypt@scs.stanford.edu> Fri, 14 August 2015 17:25 UTC
Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B3271B2AA6 for <tcpinc@ietfa.amsl.com>; Fri, 14 Aug 2015 10:25:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.91
X-Spam-Level:
X-Spam-Status: No, score=-0.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9sqw-I6kS8C for <tcpinc@ietfa.amsl.com>; Fri, 14 Aug 2015 10:25:26 -0700 (PDT)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AAEB1B2AA3 for <tcpinc@ietf.org>; Fri, 14 Aug 2015 10:25:26 -0700 (PDT)
Received: from market.scs.stanford.edu (localhost.scs.stanford.edu [127.0.0.1]) by market.scs.stanford.edu (8.14.7/8.14.7) with ESMTP id t7EHPNjc011562; Fri, 14 Aug 2015 10:25:23 -0700 (PDT)
Received: (from dm@localhost) by market.scs.stanford.edu (8.14.7/8.14.7/Submit) id t7EHPNE2028029; Fri, 14 Aug 2015 10:25:23 -0700 (PDT)
X-Authentication-Warning: market.scs.stanford.edu: dm set sender to dm-list-tcpcrypt@scs.stanford.edu using -f
From: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
To: Martin Thomson <martin.thomson@gmail.com>
In-Reply-To: <CABkgnnU8eeX3QV+D_g2XJqWGf9YzUZ1v-eqjg9HsioGJP8-GqQ@mail.gmail.com>
References: <87pp2vqplu.fsf@ta.scs.stanford.edu> <CAJU8_nXAHhf6dqqs0gUEGz49bG7YUO1qaGwaLm04+vstPTyfWg@mail.gmail.com> <87h9o4rqwz.fsf@ta.scs.stanford.edu> <874mk2kj56.fsf@alice.fifthhorseman.net> <CAJU8_nVcDmCw-0KYviJ5GWZL+-YcCg3wLMJqpkuh=iN8RppA+A@mail.gmail.com> <87y4hej2vf.fsf@alice.fifthhorseman.net> <87egj67sac.fsf@ta.scs.stanford.edu> <87bnea7rr6.fsf@ta.scs.stanford.edu> <CABkgnnUF-byT2MH8mrmZJaMY2PTsspWJ8W3wJmddXdgMqGHCkQ@mail.gmail.com> <87614i7o2l.fsf@ta.scs.stanford.edu> <CABkgnnU8eeX3QV+D_g2XJqWGf9YzUZ1v-eqjg9HsioGJP8-GqQ@mail.gmail.com>
Date: Fri, 14 Aug 2015 10:25:22 -0700
Message-ID: <87io8hwznh.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/Zu2xV2z1t3Ev3IqjnnesfPqNMHg>
Cc: tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] Revised version of TCP-ENO
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 17:25:27 -0000
Martin Thomson <martin.thomson@gmail.com> writes: > I didn't suggest that you reduce entropy. My point was that you are > creating a special carve-out for your current solution. What if you > decide you want *two* bytes of discriminator? My point is that all > you need is to have the session ID as a whole be hard to > guess.synthesize, etc... By our current solution, do you mean TCP-ENO? It seems reasonable for the TCP-ENO specification to include a special carve-out for itself. Any other spec that needs a discriminator can just include the discriminator in the collision-resistant hash input. That's fine because a spec knows what goes into the collision-resistant hash. The problem is that TCP-ENO doesn't even know which cryptographic hash functions specs will employ for the session ID. If someday one of those hashes turns out to be incredibly insecure, we want to make sure that if *either* end of the connection disables the bad spec, the security problem goes away. The minimum you need for that is to sign/MAC/etc. not just some hash but also something specifying how that hash was computed, to avoid cross-spec collisions. Given the way the TCP-ENO spec is written, one byte is sufficient for that purpose. There is another solution, which is to hard-code the hash function in TCP-ENO. It's not entirely elegant, either, but you could say all 32-byte session IDs are SHA-256 starting with the negotiation transcript, and IANA can specify other lengths and hash functions down the line. So that's more elegant in that the whole session ID can be made indistinguishable from random, but less elegant in that spec authors might have to rely on two different hash functions. So I can see arguments for 0 or 1 bytes not being indistinguishable from random, but I can't see arguments for a two-byte discriminator, unless you are also advocating more fundamental changes to ENO's negotiation mechanism (which is of course still on the table at this point). David
- [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Daniel Kahn Gillmor
- Re: [tcpinc] Revised version of TCP-ENO Daniel Kahn Gillmor
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO Everhart, Craig
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Ted Hardie
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Martin Thomson
- Re: [tcpinc] Revised version of TCP-ENO Daniel B Giffin
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO Stephen Farrell
- Re: [tcpinc] Revised version of TCP-ENO Martin Thomson
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Martin Thomson
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Martin Thomson
- Re: [tcpinc] Revised version of TCP-ENO dm-list-tcpcrypt
- Re: [tcpinc] Revised version of TCP-ENO Stephen Farrell
- Re: [tcpinc] Revised version of TCP-ENO Martin Thomson
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres
- Re: [tcpinc] Revised version of TCP-ENO Kyle Rose
- Re: [tcpinc] Revised version of TCP-ENO David Mazieres