Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")

"Valery Smyslov" <svanru@gmail.com> Fri, 01 December 2017 06:55 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2EEA1201F2 for <tcpinc@ietfa.amsl.com>; Thu, 30 Nov 2017 22:55:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.2
X-Spam-Level:
X-Spam-Status: No, score=-1.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id knxt4CCzM_87 for <tcpinc@ietfa.amsl.com>; Thu, 30 Nov 2017 22:55:10 -0800 (PST)
Received: from mail-lf0-x22e.google.com (mail-lf0-x22e.google.com [IPv6:2a00:1450:4010:c07::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E889D1267BB for <tcpinc@ietf.org>; Thu, 30 Nov 2017 22:55:09 -0800 (PST)
Received: by mail-lf0-x22e.google.com with SMTP id j124so10596680lfg.2 for <tcpinc@ietf.org>; Thu, 30 Nov 2017 22:55:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=MOSAGikVVO7qkDNgQswMQsfiRVrQXQc63+q1vxldwhA=; b=GcMa4UaanOpx2i7cJ+S1AfF+9TFl1yyAbg2FkrFoFnKAsvE+BN1TX7Mk2gm4IHQm3N +8fJ5ejAAECK+9Lnh3o/yklQiyG+aVN44SZZ4V1XTjHBh4aPILmdh3B917mHYUgrMCMX 8mfppvvlflwv5l7t8vEo1ALFkmVe2rNkRP9Py6FIQaMIadvMoul7qyBMceFPrRlzAsF2 kdB2glVZB7HVdyHV0a5HDd+uOcdNlmtMmgNJMulm3yhLFQ/418G97BGtrZ/AJ9JB9TWV 9eKzGlg/5D5cuC+h4OzfeeDMFQYEugaXLWswsJr4XHRsuN2miFXPpCaenjuDwSTXVMnm Jh8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=MOSAGikVVO7qkDNgQswMQsfiRVrQXQc63+q1vxldwhA=; b=qsJO4jPf5a9jBK28aytbXXGz2K44jJsOYLiagax41IVYaLtrIDm+PhG8d5TVjiPQXH xlxddEj6jHgumCgmdhIq6sdtB13KBPeO02BsHkqYFvkRSPtuJU9weqpUa3+NtcGqeDlc PpQdjU/dU8xI+9ew5KO7wP6B3xvvmOduzkWo6g/deAh2vTjHFC8c+NMKyQfh6cNUG+Hm eFTSMD0cBDIZrp8cnsui1nMyAjoJB12E4ntAJhW1wgE3hHPc2w/8nuHfolDwWhIUpijF 0AWfQUloBl0rhD6uOYzFm82PseiMrur5Fpy5fztk2jOUdeyPsLnWkZRNcE1lX3UMbU3L zRWg==
X-Gm-Message-State: AJaThX4sdHbDVxKkW8GrGmHtPNniBlCa9t1qOfPeExcry0PDXxRy+2lU MyXNheguCgwnjP3eF9OpF3trUQ==
X-Google-Smtp-Source: AGs4zMYBhJPjYvJHoruo5EMshZ4gekyypSplY/r2rbgDZE7MeIdV/ay/MFck+jGPZNN3AK66pEdmOQ==
X-Received: by 10.46.92.9 with SMTP id q9mr4436755ljb.78.1512111308088; Thu, 30 Nov 2017 22:55:08 -0800 (PST)
Received: from buildpc ([82.138.51.4]) by smtp.gmail.com with ESMTPSA id r66sm21718lfe.48.2017.11.30.22.55.06 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 30 Nov 2017 22:55:07 -0800 (PST)
From: "Valery Smyslov" <svanru@gmail.com>
To: "'Black, David'" <David.Black@dell.com>
Cc: "'tcpinc'" <tcpinc@ietf.org>, "'Kyle Rose'" <krose@krose.org>, "'Mirja Kuehlewind \(IETF\)'" <ietf@kuehlewind.net>, "'Eric Rescorla'" <ekr@rtfm.com>
References: <CAJU8_nUUHbmFcPA2obo6q3dLqL1MGE2iKen-0EQ82re=+gtTfw@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD96B0D@MX307CL04.corp.emc.com> <23072.32691.892725.97892@fireball.acr.fi>
In-Reply-To: <23072.32691.892725.97892@fireball.acr.fi>
Date: Fri, 1 Dec 2017 09:54:44 +0300
Message-ID: <01bc01d36a71$45957db0$d0c07910$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJ6HNqDgiiWUzt7fki+kFl693dS/wJwqHQYAvTkOkqhtXl0sA==
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/oMRt--z-dVgAjK8hLbsjhpJf9fU>
Subject: Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 06:55:12 -0000

Hi,

> Black, David writes:
> > 2)      Copying a running virtual machine, including memory, which creates a
> > copy of the session secrets.  Such copies are routinely stored on non-volatile
> > storage, from which the VM can be resumed.

[...]

> > An additional reason for concern is that the encryption provided by the mandatory 
>> AEAD algorithm for tcpcrypt, AEAD_AES_128_GCM, is a stream cipher (AES GCM), 
>> for which reuse of a <nonce, key> pair is catastrophic - XOR-ing the two ciphertexts removes encryption.

This is not tcpcrypt problem. The same problem applies to any
security protocol (IPsec, TLS, etc.) that uses counter based cipher modes (GCM, CCM, etc.). 
Switch to nonce-misuse resistant modes.

Regards,
Valery Smyslov.