Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01

Kyle Rose <> Mon, 24 August 2015 17:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4CED11A6F07 for <>; Mon, 24 Aug 2015 10:48:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XOsYyip1st8C for <>; Mon, 24 Aug 2015 10:48:48 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4C2341ACCEC for <>; Mon, 24 Aug 2015 10:48:48 -0700 (PDT)
Received: by igcse8 with SMTP id se8so53484554igc.1 for <>; Mon, 24 Aug 2015 10:48:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=7LYXnRjxHgul2VYFRhTGfq477rGdN3IA9Ra+5sDwJ/8=; b=mnu+7fTVyU6wBmkL7ts4pLkAiES3zBYhWITnWLCK16O5ADuQ6eIdGfpU9JOwsMsALQ 9iWR9Kqd1wgR9UtidP4/57CV4qhYYcD72fD2ZSeDqLbBD/6ZnxrV9tJzCCwFkOsWw2Wb /ub8Z1fowvnQGUfFJdSgX0vVMjlfN+mV2AoMM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=7LYXnRjxHgul2VYFRhTGfq477rGdN3IA9Ra+5sDwJ/8=; b=TepNm7pfbYeRqCUNosCw1DLNvzdR4jCjPuKj8TINfxH89Ty9o0xrNuXLydvJj7Dlg8 3JY/bqt0aWFCsKCgpzMk8vQnvRVgptzIX/qM3wFQgJiNLA1rgbKnZ61K4szxbuTfoTM5 U4nNK+/JJKQZi3gP/l+tFvdwy5sy4ihaVTam1MZZYKAeUBhkz8uWTYY1lopAJ34YpsdE Rj0VhfINmkUcSDuHnfy4X0L1HpmfYjdyprGMU4P3BwIW0m8dJAa5b592JinSGXWCbLEY lZ56/ZEZ5iR7zQNMrqsKWz0wThz4bqMe2b50PcaOdPPGXEERJ5xWxQmQTqf5oZzompj/ ZdnQ==
X-Gm-Message-State: ALoCoQkFRcP1tvrd0Mpc6N7/UG7ttD07vwbdSQDX/6zPkw0qAjX4aWpLZjeqj4YsqcNLL16hYXZI
MIME-Version: 1.0
X-Received: by with SMTP id v2mr17164041igh.11.1440438527793; Mon, 24 Aug 2015 10:48:47 -0700 (PDT)
Received: by with HTTP; Mon, 24 Aug 2015 10:48:47 -0700 (PDT)
X-Originating-IP: []
In-Reply-To: <>
References: <> <> <> <>
Date: Mon, 24 Aug 2015 13:48:47 -0400
Message-ID: <>
From: Kyle Rose <>
To: David Mazieres <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: Eric Rescorla <>, tcpinc <>
Subject: Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 24 Aug 2015 17:48:50 -0000

>>> S 4.1.
>>> > Given that session IDs are required to be unique, why bother with the
>>> > spec-id prefix?
>>> Precisely to guarantee this uniqueness.  If one spec uses SHA-256 for
>>> session IDs and another uses Keccak, no standard cryptographic
>>> assumption implies uniqueness without that tag byte.
>> Can you unpack this some?
> Let's say that we can compute two transcripts, A and B, such that
> SHA-256(A) == KECCAK-256(B).  This doesn't violate any standard
> cryptographic assumptions.  Yet without the tag byte, it would be
> devastating to TCP-ENO's security in the event that different specs use
> different hash functions.

To further illustrate: it's not impossible to imagine someone creating
a SHA-256-twiddle that transforms the input in some invertible way
(perhaps specifically to make one transcript look like another) and
then produces as output the SHA-256 of this transformed input. The
security of SHA-256 and SHA-256-twiddle are equivalent, but are
related in such a way as to make this precise type of attack possible.
The tag byte eliminates this entire class of attack.

I'll admit that the scenario is far-fetched, and that two different
hash functions that reach the standardization stage are very unlikely
to be related in a way useful to such an attack.