IETF Logo Mail Archive

Re: [tcpinc] Revised version of TCP-ENO

David Mazieres <dm-list-tcpcrypt@scs.stanford.edu> Fri, 14 August 2015 17:25 UTC

Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B3271B2AA6 for <tcpinc@ietfa.amsl.com>; Fri, 14 Aug 2015 10:25:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.91
X-Spam-Level:
X-Spam-Status: No, score=-0.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9sqw-I6kS8C for <tcpinc@ietfa.amsl.com>; Fri, 14 Aug 2015 10:25:26 -0700 (PDT)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AAEB1B2AA3 for <tcpinc@ietf.org>; Fri, 14 Aug 2015 10:25:26 -0700 (PDT)
Received: from market.scs.stanford.edu (localhost.scs.stanford.edu [127.0.0.1]) by market.scs.stanford.edu (8.14.7/8.14.7) with ESMTP id t7EHPNjc011562; Fri, 14 Aug 2015 10:25:23 -0700 (PDT)
Received: (from dm@localhost) by market.scs.stanford.edu (8.14.7/8.14.7/Submit) id t7EHPNE2028029; Fri, 14 Aug 2015 10:25:23 -0700 (PDT)
X-Authentication-Warning: market.scs.stanford.edu: dm set sender to dm-list-tcpcrypt@scs.stanford.edu using -f
From: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
To: Martin Thomson <martin.thomson@gmail.com>
In-Reply-To: <CABkgnnU8eeX3QV+D_g2XJqWGf9YzUZ1v-eqjg9HsioGJP8-GqQ@mail.gmail.com>
References: <87pp2vqplu.fsf@ta.scs.stanford.edu> <CAJU8_nXAHhf6dqqs0gUEGz49bG7YUO1qaGwaLm04+vstPTyfWg@mail.gmail.com> <87h9o4rqwz.fsf@ta.scs.stanford.edu> <874mk2kj56.fsf@alice.fifthhorseman.net> <CAJU8_nVcDmCw-0KYviJ5GWZL+-YcCg3wLMJqpkuh=iN8RppA+A@mail.gmail.com> <87y4hej2vf.fsf@alice.fifthhorseman.net> <87egj67sac.fsf@ta.scs.stanford.edu> <87bnea7rr6.fsf@ta.scs.stanford.edu> <CABkgnnUF-byT2MH8mrmZJaMY2PTsspWJ8W3wJmddXdgMqGHCkQ@mail.gmail.com> <87614i7o2l.fsf@ta.scs.stanford.edu> <CABkgnnU8eeX3QV+D_g2XJqWGf9YzUZ1v-eqjg9HsioGJP8-GqQ@mail.gmail.com>
Date: Fri, 14 Aug 2015 10:25:22 -0700
Message-ID: <87io8hwznh.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/Zu2xV2z1t3Ev3IqjnnesfPqNMHg>
Cc: tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] Revised version of TCP-ENO
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 17:25:27 -0000

Martin Thomson <martin.thomson@gmail.com> writes:

> I didn't suggest that you reduce entropy.  My point was that you are
> creating a special carve-out for your current solution.  What if you
> decide you want *two* bytes of discriminator?  My point is that all
> you need is to have the session ID as a whole be hard to
> guess.synthesize, etc...

By our current solution, do you mean TCP-ENO?  It seems reasonable for
the TCP-ENO specification to include a special carve-out for itself.
Any other spec that needs a discriminator can just include the
discriminator in the collision-resistant hash input.  That's fine
because a spec knows what goes into the collision-resistant hash.

The problem is that TCP-ENO doesn't even know which cryptographic hash
functions specs will employ for the session ID.  If someday one of those
hashes turns out to be incredibly insecure, we want to make sure that if
*either* end of the connection disables the bad spec, the security
problem goes away.  The minimum you need for that is to
sign/MAC/etc. not just some hash but also something specifying how that
hash was computed, to avoid cross-spec collisions.  Given the way the
TCP-ENO spec is written, one byte is sufficient for that purpose.

There is another solution, which is to hard-code the hash function in
TCP-ENO.  It's not entirely elegant, either, but you could say all
32-byte session IDs are SHA-256 starting with the negotiation
transcript, and IANA can specify other lengths and hash functions down
the line.  So that's more elegant in that the whole session ID can be
made indistinguishable from random, but less elegant in that spec
authors might have to rely on two different hash functions.

So I can see arguments for 0 or 1 bytes not being indistinguishable from
random, but I can't see arguments for a two-byte discriminator, unless
you are also advocating more fundamental changes to ENO's negotiation
mechanism (which is of course still on the table at this point).

David

v2.23.0 | Report a Bug | By Email