Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)

David Mazieres <dm-list-tcpcrypt@scs.stanford.edu> Mon, 05 November 2018 14:02 UTC

Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 953811298C5; Mon, 5 Nov 2018 06:02:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_RANDOM_ENVFROM=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=scs.stanford.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zJy3ST54h_-Q; Mon, 5 Nov 2018 06:02:29 -0800 (PST)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A77112426A; Mon, 5 Nov 2018 06:02:29 -0800 (PST)
Received: from market.scs.stanford.edu (localhost [127.0.0.1]) by market.scs.stanford.edu (8.16.0.29/8.16.0.21) with ESMTP id wA5E2Qw7045184; Mon, 5 Nov 2018 06:02:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=scs.stanford.edu; s=scs; t=1541426546; bh=Vq37YPtQOROjGDU6qzWGUUrGlZClbwsjb2Nvawk3gRM=; h=From:To:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version; b=ksMPcGMZeVQd2rD/xbf/zA2rX3slGeu8ol3x551JY2DAMXemRT+V/9DC3tIp64JcW 7qT8UH2yhhpGzxmS0PLtS5Z1Sa1Gaj2AT8K+mQo7IlpmM0aQd6d6AOli+o4SL2J68I Y7KAQRs1cjcm4aBs5GeK6YekEtsOekmlgAQU7fiA=
Received: (from dm@localhost) by market.scs.stanford.edu (8.16.0.29/8.16.0.29/Submit) id wA5E2PxR098479; Mon, 5 Nov 2018 06:02:25 -0800 (PST)
From: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
To: Eric Rescorla <ekr@rtfm.com>
Cc: tcpinc <tcpinc@ietf.org>, Daniel B Giffin <dbg@scs.stanford.edu>, Kyle Rose <krose@krose.org>, tcpinc-chairs@ietf.org, "Black\, David" <David.Black@dell.com>, IESG <iesg@ietf.org>, draft-ietf-tcpinc-tcpcrypt@ietf.org
In-Reply-To: <CABcZeBNHxqU0k+jK61zTKoUmuY2V9tcgEZM9Y=R5RkciZjnXtQ@mail.gmail.com>
References: <20171124182842.GA80062@scs.stanford.edu> <CABcZeBORGhsgWem3P6GS=1qfkwBEZxX=CBGCOoU3R_+MsO4FrQ@mail.gmail.com> <CAJU8_nXA_1L_XVJAMGj+L4JY-so+LO79pxt_s=BTLWj_g47f_Q@mail.gmail.com> <CABcZeBNQEs6BKnxzQOuN4A4qvEDsk8kGQLt6S9Wy0OXsJ3u5cw@mail.gmail.com> <CAJU8_nWMn0_SSLUH+reS5La4J7t0uEN5u2zC8XFRXDMOffc1Qg@mail.gmail.com> <CABcZeBP2mN-Y3GFda3mqawFuFFqtzpwpsceseE5FNMH1iSpFPQ@mail.gmail.com> <CAJU8_nWk_Opuj+m4jv79qwFMUGqi5=JMk3S_3QfJLahOjL+77g@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD89888@MX307CL04.corp.emc.com> <20171128041124.GA42654@scs.stanford.edu> <CAJU8_nUx=k-nKLcrY0iVeSL7THCVARanZymWbTHaNbR+FKavPw@mail.gmail.com> <20171128223855.GE42654@scs.stanford.edu> <CAJU8_nUeTj2fwr4PAJ1T34uACHK=OnX1_OC3+UB9DomcvvcPMw@mail.gmail.com> <CABcZeBPe5_UhhmhiSBMGqYTfT7pyVhaeWXBOkw7CHRumghN57Q@mail.gmail.com> <8736skgjot.fsf@ta.scs.stanford.edu> <CABcZeBO6HRTCfkcNivnagjpxOhEvEvC5WeKFXOhdcHAnCc1tFw@mail.gmail.com> <87a7mp9din.fsf@ta.scs.stanford.edu> <CABcZeBNHxqU0k+jK61zTKoUmuY2V9tcgEZM9Y=R5RkciZjnXtQ@mail.gmail.com>
Reply-To: David Mazieres expires 2019-02-03 PST <mazieres-kx7qrxyxxj6yvhuta3dps7wf5n@temporary-address.scs.stanford.edu>
Date: Mon, 05 Nov 2018 06:02:25 -0800
Message-ID: <87efbz1v2m.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/cOdS2WLftuzmYTGT2JnPD8USk1o>
Subject: Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 14:02:36 -0000

Eric Rescorla <ekr@rtfm.com>; writes:

> On Sun, Nov 4, 2018 at 5:29 AM David Mazieres <
> dm-list-tcpcrypt@scs.stanford.edu>; wrote:
>
>> I've posted a new draft in the usual place:
>>
>>         https://datatracker.ietf.org/doc/draft-ietf-tcpinc-tcpcrypt/
>>
>> Please let us know if the diffs satisfy your concerns:
>>
>>
>> https://www.ietf.org/rfcdiff?url1=draft-ietf-tcpinc-tcpcrypt-13&url2=draft-ietf-tcpinc-tcpcrypt-14&difftype=--html
>
>
> I am not an EC expert, but my impression based on the discussion in TLS was
> that checking for the zero value for X25519 was not sufficient defense
> against malicious peers if you didn't use the 7748 computations, hence the
> language in 8446. Do you believe otherwise?

I don't understand what you are asking for here.  Section 7 of RFC7748
is mostly advice applicable to tcpcrypt's authors, which we are
following--for instance by including the entire transcript with nonces
in the session key computation so as not to depend on "contributory
behavior" of the Diffie-Hellman parameters.  What is it that you want us
to specify in our RFC for tcpcrypt implementers?

The only think tcpcrypt cares about for malicious peers is preventing
session ID reuse, which the design indeed appropriately prevents.
Otherwise, if a malicious peer causes a connection to be aborted or
leaks the session key--well, that's something they could have done
anyway.

Can you be more concrete about what you are worried about and what you
want us to do about it?

David