IETF Logo Mail Archive

Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01

Kyle Rose <krose@krose.org> Mon, 24 August 2015 17:48 UTC

Return-Path: <krose@krose.org>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CED11A6F07 for <tcpinc@ietfa.amsl.com>; Mon, 24 Aug 2015 10:48:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XOsYyip1st8C for <tcpinc@ietfa.amsl.com>; Mon, 24 Aug 2015 10:48:48 -0700 (PDT)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C2341ACCEC for <tcpinc@ietf.org>; Mon, 24 Aug 2015 10:48:48 -0700 (PDT)
Received: by igcse8 with SMTP id se8so53484554igc.1 for <tcpinc@ietf.org>; Mon, 24 Aug 2015 10:48:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=7LYXnRjxHgul2VYFRhTGfq477rGdN3IA9Ra+5sDwJ/8=; b=mnu+7fTVyU6wBmkL7ts4pLkAiES3zBYhWITnWLCK16O5ADuQ6eIdGfpU9JOwsMsALQ 9iWR9Kqd1wgR9UtidP4/57CV4qhYYcD72fD2ZSeDqLbBD/6ZnxrV9tJzCCwFkOsWw2Wb /ub8Z1fowvnQGUfFJdSgX0vVMjlfN+mV2AoMM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=7LYXnRjxHgul2VYFRhTGfq477rGdN3IA9Ra+5sDwJ/8=; b=TepNm7pfbYeRqCUNosCw1DLNvzdR4jCjPuKj8TINfxH89Ty9o0xrNuXLydvJj7Dlg8 3JY/bqt0aWFCsKCgpzMk8vQnvRVgptzIX/qM3wFQgJiNLA1rgbKnZ61K4szxbuTfoTM5 U4nNK+/JJKQZi3gP/l+tFvdwy5sy4ihaVTam1MZZYKAeUBhkz8uWTYY1lopAJ34YpsdE Rj0VhfINmkUcSDuHnfy4X0L1HpmfYjdyprGMU4P3BwIW0m8dJAa5b592JinSGXWCbLEY lZ56/ZEZ5iR7zQNMrqsKWz0wThz4bqMe2b50PcaOdPPGXEERJ5xWxQmQTqf5oZzompj/ ZdnQ==
X-Gm-Message-State: ALoCoQkFRcP1tvrd0Mpc6N7/UG7ttD07vwbdSQDX/6zPkw0qAjX4aWpLZjeqj4YsqcNLL16hYXZI
MIME-Version: 1.0
X-Received: by 10.50.30.226 with SMTP id v2mr17164041igh.11.1440438527793; Mon, 24 Aug 2015 10:48:47 -0700 (PDT)
Received: by 10.79.31.197 with HTTP; Mon, 24 Aug 2015 10:48:47 -0700 (PDT)
X-Originating-IP: [72.246.0.14]
In-Reply-To: <87zj1inf7n.fsf@ta.scs.stanford.edu>
References: <CABcZeBNEFVkDi38y3G-C2nQF=dzW2mGDsj5DVK_OKVkPwK=G0g@mail.gmail.com> <878u92oadf.fsf@ta.scs.stanford.edu> <CABcZeBMfk5C4-LF0fDLKpJktV3hJyzRUNfe0gO8RYDnzcs3yMA@mail.gmail.com> <87zj1inf7n.fsf@ta.scs.stanford.edu>
Date: Mon, 24 Aug 2015 13:48:47 -0400
Message-ID: <CAJU8_nXGdeqU6SaXPFTSD2KDBfNSz3HY=EsmfAUVccZe4zCTsg@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
To: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/fpHutWjK1e00qDKkE2gYRQ5XpKY>
Cc: Eric Rescorla <ekr@rtfm.com>, tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 17:48:50 -0000

>>> S 4.1.
>>> > Given that session IDs are required to be unique, why bother with the
>>> > spec-id prefix?
>>>
>>> Precisely to guarantee this uniqueness.  If one spec uses SHA-256 for
>>> session IDs and another uses Keccak, no standard cryptographic
>>> assumption implies uniqueness without that tag byte.
>>
>>
>> Can you unpack this some?
>
> Let's say that we can compute two transcripts, A and B, such that
> SHA-256(A) == KECCAK-256(B).  This doesn't violate any standard
> cryptographic assumptions.  Yet without the tag byte, it would be
> devastating to TCP-ENO's security in the event that different specs use
> different hash functions.

To further illustrate: it's not impossible to imagine someone creating
a SHA-256-twiddle that transforms the input in some invertible way
(perhaps specifically to make one transcript look like another) and
then produces as output the SHA-256 of this transformed input. The
security of SHA-256 and SHA-256-twiddle are equivalent, but are
related in such a way as to make this precise type of attack possible.
The tag byte eliminates this entire class of attack.

I'll admit that the scenario is far-fetched, and that two different
hash functions that reach the standardization stage are very unlikely
to be related in a way useful to such an attack.

Kyle

v2.23.0 | Report a Bug | By Email