IETF Logo Mail Archive

Re: [tcpinc] Revised version of TCP-ENO

David Mazieres <dm-list-tcpcrypt@scs.stanford.edu> Thu, 13 August 2015 22:11 UTC

Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E61D91B3B6B for <tcpinc@ietfa.amsl.com>; Thu, 13 Aug 2015 15:11:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.91
X-Spam-Level:
X-Spam-Status: No, score=-0.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TOuQSftwEapl for <tcpinc@ietfa.amsl.com>; Thu, 13 Aug 2015 15:11:26 -0700 (PDT)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FCA21B3B6A for <tcpinc@ietf.org>; Thu, 13 Aug 2015 15:11:26 -0700 (PDT)
Received: from market.scs.stanford.edu (localhost.scs.stanford.edu [127.0.0.1]) by market.scs.stanford.edu (8.14.7/8.14.7) with ESMTP id t7DMBOMb028946; Thu, 13 Aug 2015 15:11:24 -0700 (PDT)
Received: (from dm@localhost) by market.scs.stanford.edu (8.14.7/8.14.7/Submit) id t7DMBOqA009613; Thu, 13 Aug 2015 15:11:24 -0700 (PDT)
X-Authentication-Warning: market.scs.stanford.edu: dm set sender to dm-list-tcpcrypt@scs.stanford.edu using -f
From: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Kyle Rose <krose@krose.org>
In-Reply-To: <87y4hej2vf.fsf@alice.fifthhorseman.net>
References: <87pp2vqplu.fsf@ta.scs.stanford.edu> <CAJU8_nXAHhf6dqqs0gUEGz49bG7YUO1qaGwaLm04+vstPTyfWg@mail.gmail.com> <87h9o4rqwz.fsf@ta.scs.stanford.edu> <874mk2kj56.fsf@alice.fifthhorseman.net> <CAJU8_nVcDmCw-0KYviJ5GWZL+-YcCg3wLMJqpkuh=iN8RppA+A@mail.gmail.com> <87y4hej2vf.fsf@alice.fifthhorseman.net>
Date: Thu, 13 Aug 2015 15:11:23 -0700
Message-ID: <87egj67sac.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/swYcwQlwohj29Vxuvcdfv-W98s8>
Cc: tcpinc@ietf.org
Subject: Re: [tcpinc] Revised version of TCP-ENO
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2015 22:11:27 -0000

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> On Thu 2015-08-13 17:05:38 -0400, Kyle Rose wrote:
>> This can't be the case if, for instance, the session IDs are signed in
>> batches as proposed in the tcpcrypt paper.
>
> You seem to be assuming that peer authentication will happen by an
> cryptographic public-key signature over the session id.  In this case, i
> agree that the session id could be published without a problem.
>
> But this isn't necessarily the only mechanism that could be used to
> authenticate the peer.

So I think this conversation is convincing me of Kyle's point of view
that we should use the word public, to convey intended usage.  What
about something along the lines of:

    * Specs should assume the session ID will be made public and ensure
      that it contains no confidential data (such as data permitting the
      derivation of session keys).

    * However, unless the application at either end of a connection
      takes steps to disclose the session ID, specs should ensure that a
      network eavesdropper has a negligible advantage in differentiating
      the collision-resistant hash in a session ID from uniform random
      bytes.

Whether you are using Public keys to sign session IDs, or HMAC to
authenticate them, or some PAKE thing dependent on the session ID, it
shouldn't matter that the session ID is public.  You don't have to make
it public, but the formula for generating it should assume it will be
made public.

That said, one could imagine a fringe use case where an application
wants to prove that two anonymous TCP connections belong to the same two
processes, in which case the session ID of the first connection might be
used as a MAC key to authenticate the session ID of the second.  So you
don't want the session ID to be predictable, even if making it public
doesn't hurt TCPINC itself.

What do you think?

David

v2.23.0 | Report a Bug | By Email