Re: [tcpinc] Resumption safety (was "Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)")

Kyle Rose <> Mon, 11 December 2017 19:29 UTC

From: Kyle Rose <>
Date: Mon, 11 Dec 2017 14:29:03 -0500
To: "Black, David" <>
Cc: Valery Smyslov <>, Eric Rescorla <>, tcpinc <>, "Mirja Kuehlewind (IETF)" <>

I want to add:

On Mon, Dec 11, 2017 at 2:01 PM, Kyle Rose <> wrote:
> It's not clear that this will make its way into the entropy pool
> before use unless the hypervisor and guest kernel have some explicit
> interaction to re-seed the entropy pool before resumption.

...and unless applications pull new entropy from this pool for every
single PRNG iteration, something I think is not done by userspace
PRNGs more complicated than "read directly from /dev/urandom". The
application would need to be aware of the resumption, or add
expected-distinct input to the PRNG as a matter of course (e.g.,
timestamp). And even then, there's still a race condition depending on
the order of operations.

The more I look into this, the more convinced I am that SIV-like
constructions are the only way to entirely avoid catastrophic loss of
security. To otherwise deal completely with the problem of VM cloning
involves the invasive complexity of layer violation. That said, I
don't think we want to take that step at this late date, but we should
recognize the benefits and limitations of adding nonces and look into
adding GCM-SIV (and related) cipher modes as future TEPs.