Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)

Kyle Rose <> Mon, 13 November 2017 07:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5B1E81288B8 for <>; Sun, 12 Nov 2017 23:01:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HQYhwQv-xfXu for <>; Sun, 12 Nov 2017 23:01:01 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1EB2B12008A for <>; Sun, 12 Nov 2017 23:00:59 -0800 (PST)
Received: by with SMTP id j58so18393544qtj.0 for <>; Sun, 12 Nov 2017 23:00:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=utKRIp5GzywoYP9FLLJj2Bv0OkdXmOi0+VXIrIGv53M=; b=jSWCWbZvdRlqa8M8vGQSylrauKhoJeAw120SGnwSLcgBxQeN8vAQhA07579vSjtgMV +an3XbxuLyTT65fzMwp65aOOodtqUvKKPdw9LjRpdim6gvSbcABEU4iAYozZHS4NvJsF FeB05Fvlz1UruyGnLC+OP+aVSb4U39Wmq1baI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=utKRIp5GzywoYP9FLLJj2Bv0OkdXmOi0+VXIrIGv53M=; b=g7UJNVrRyjDWQARk3XOtPZJwBzomMfbemQ4MbY04Wf8EeeoiklqUyZhf5Lok3xSaj6 j41UpzRNRIkwRObs5UAo+Tv641vRt7c6LFMinozH6kICv+aKV0SnY4MnPf0eu/OYb8Wj gdw7ie9Emf6LjWQegEKGtLiwy0YEriK7p81sbwTwGIKNcfbRihhgiC6WtLXlP6J/JQJA dbLaa3L3LkvKYGTkWYqbFgEn3tOLEPrkA1JYWxFLqq9cpA3//DlDEjW6Hl9WS0w4ZQug 4k8uJuUyQ0bdAsvOpM+kUfdHhdusPISuNyYSSZO4wQj1f8rWHrfGYPp6OAaU/dVt0CJJ c99w==
X-Gm-Message-State: AJaThX4gJ/vcVlfo0erkCWeqP7VmrqRWyK31LqpV1nnZ+a97JvWZOMPu GqaN47ITrJgzyXbhE+2AdeMCUuOqjydOtlG3k7XTGQ==
X-Google-Smtp-Source: AGs4zMbrDVzs8M9fDOr8LBkmExp2gKBXDoXwUX/wKRT7bO6X038hSxs6CajbgsYEwWBZgnehaJUooShNa4zN8ASmDKk=
X-Received: by with SMTP id h35mr6827100qte.293.1510556458032; Sun, 12 Nov 2017 23:00:58 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Sun, 12 Nov 2017 23:00:57 -0800 (PST)
X-Originating-IP: [2001:67c:370:128:a132:c009:e15c:777e]
In-Reply-To: <>
References: <> <> <>
From: Kyle Rose <>
Date: Mon, 13 Nov 2017 15:00:57 +0800
Message-ID: <>
To: Eric Rescorla <>
Cc: The IESG <>,,, tcpinc <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Nov 2017 07:01:02 -0000

On Mon, Nov 13, 2017 at 10:09 AM, Eric Rescorla <> wrote:
> On Mon, Nov 13, 2017 at 9:56 AM, Kyle Rose <> wrote:
>> What is the situation, commonly the case for HTTP, in which different
>> users would be using the same key for encryption?
> That's not the assumption. It's a time-space tradeoff. Say you have a
> 128-bit
> key. The attacker computes the value:
>   Encrypt(K, "GET / HTTP/1.1") [or whatever]
> For a feasible subset of the key space (e.g., 2^80 or so). It then captures
> a large fraction of the traffic on the Internet and looks for matches for
> one
> of these strings. If it has a match, it now immediately knows the key. Given
> the amount of traffic on the Internet, this is just maybe barely feasible
> with
> 128-bit keys. However, with a randomized (secret) nonce, it becomes
> infeasible.

Interesting. I don't have a strong opinion about this one, but if
there are no (or cheap) tradeoffs, it seems reasonable to use this

>> I'm confused. The byte stream will be delivered in-order via TCP
>> sequence semantics, so receiving frames (TLV within the TCP
>> bytestream) out-of-order should not be possible. If a MitM reordered
>> the frames, the receiver would either drop the frame or close the
>> connection following a failure to authenticate upon decryption:
>> q( In the latter case, the implementation MUST
>>    either drop the TCP segment(s) containing the frame or abort the
>>    connection; but if it aborts, the implementation MUST raise an error
>>    condition distinct from the end-of-file condition. )
> Maybe I'm misunderstanding tcpcrypt, so let me ask a preliminary
> question:
> Say you have two TCP segments protected using tcpcrypt, N and N+1
> If the receiver receives N+1 before N, how does it behave?

Tcpcrypt lives entirely within the ordered TCP data stream. If N+1
arrives before N, that payload will not be delivered to the tcpcrypt
engine until after N arrives, in accordance with the in-order
semantics of TCP payload delivery.

>> The idea of doing something more ticket-like was discussed, but David
>> pointed out (in the thread here:
>> that tickets might not meet the charter mandate for forward secrecy. I
>> don't recall discussing the implications of mismanaging ss[i], but
>> I'll defer to Daniel on that point. Same goes for the following:
> I don't think the issue here is tickets, but rather the lack of a nonce.
> The point is that (say) the implementation fails to properly delete
> ss[i] after encrypting some data. Then if an attacker can force
> you to reuse ss[i], it can potentially recover data. This would not
> be the case if you mixed in a nonce from both sides (the way that
> TLS and IKE do).

I like the idea of added defense-in-depth against faulty
implementations, but it's not clear to me what tradeoffs this involves
re: (e.g.) SYN data on resumption, or on number of round trips, or on
the latency-to-first-payload-byte. I'd like Daniel to chime in here.