Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)

Kyle Rose <krose@krose.org> Mon, 13 November 2017 07:01 UTC

Return-Path: <krose@krose.org>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B1E81288B8 for <tcpinc@ietfa.amsl.com>; Sun, 12 Nov 2017 23:01:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HQYhwQv-xfXu for <tcpinc@ietfa.amsl.com>; Sun, 12 Nov 2017 23:01:01 -0800 (PST)
Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EB2B12008A for <tcpinc@ietf.org>; Sun, 12 Nov 2017 23:00:59 -0800 (PST)
Received: by mail-qt0-x235.google.com with SMTP id j58so18393544qtj.0 for <tcpinc@ietf.org>; Sun, 12 Nov 2017 23:00:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=utKRIp5GzywoYP9FLLJj2Bv0OkdXmOi0+VXIrIGv53M=; b=jSWCWbZvdRlqa8M8vGQSylrauKhoJeAw120SGnwSLcgBxQeN8vAQhA07579vSjtgMV +an3XbxuLyTT65fzMwp65aOOodtqUvKKPdw9LjRpdim6gvSbcABEU4iAYozZHS4NvJsF FeB05Fvlz1UruyGnLC+OP+aVSb4U39Wmq1baI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=utKRIp5GzywoYP9FLLJj2Bv0OkdXmOi0+VXIrIGv53M=; b=g7UJNVrRyjDWQARk3XOtPZJwBzomMfbemQ4MbY04Wf8EeeoiklqUyZhf5Lok3xSaj6 j41UpzRNRIkwRObs5UAo+Tv641vRt7c6LFMinozH6kICv+aKV0SnY4MnPf0eu/OYb8Wj gdw7ie9Emf6LjWQegEKGtLiwy0YEriK7p81sbwTwGIKNcfbRihhgiC6WtLXlP6J/JQJA dbLaa3L3LkvKYGTkWYqbFgEn3tOLEPrkA1JYWxFLqq9cpA3//DlDEjW6Hl9WS0w4ZQug 4k8uJuUyQ0bdAsvOpM+kUfdHhdusPISuNyYSSZO4wQj1f8rWHrfGYPp6OAaU/dVt0CJJ c99w==
X-Gm-Message-State: AJaThX4gJ/vcVlfo0erkCWeqP7VmrqRWyK31LqpV1nnZ+a97JvWZOMPu GqaN47ITrJgzyXbhE+2AdeMCUuOqjydOtlG3k7XTGQ==
X-Google-Smtp-Source: AGs4zMbrDVzs8M9fDOr8LBkmExp2gKBXDoXwUX/wKRT7bO6X038hSxs6CajbgsYEwWBZgnehaJUooShNa4zN8ASmDKk=
X-Received: by 10.200.49.166 with SMTP id h35mr6827100qte.293.1510556458032; Sun, 12 Nov 2017 23:00:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.204.17 with HTTP; Sun, 12 Nov 2017 23:00:57 -0800 (PST)
X-Originating-IP: [2001:67c:370:128:a132:c009:e15c:777e]
In-Reply-To: <CABcZeBPaLwD++SPPNwx3Qd9ydOM46h1PwVyiOcw=S-Hif=CO5w@mail.gmail.com>
References: <151036992713.398.18032326140786383584.idtracker@ietfa.amsl.com> <CAJU8_nXKpEgvWEZtEPw=wyDmrVteOJaDvmXsDwbUdueMUcaRhA@mail.gmail.com> <CABcZeBPaLwD++SPPNwx3Qd9ydOM46h1PwVyiOcw=S-Hif=CO5w@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
Date: Mon, 13 Nov 2017 15:00:57 +0800
Message-ID: <CAJU8_nVfXum1JnU6KYEsTBJiQmXaah5iYfTCmdrerWPNKcdYKw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-tcpinc-tcpcrypt@ietf.org, tcpinc-chairs@ietf.org, tcpinc <tcpinc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/u-5lCFfo3I2emximxAtQ-vQ-SNE>
Subject: Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2017 07:01:02 -0000

On Mon, Nov 13, 2017 at 10:09 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> On Mon, Nov 13, 2017 at 9:56 AM, Kyle Rose <krose@krose.org> wrote:
>> What is the situation, commonly the case for HTTP, in which different
>>
>> users would be using the same key for encryption?
>
>
> That's not the assumption. It's a time-space tradeoff. Say you have a
> 128-bit
> key. The attacker computes the value:
>
>   Encrypt(K, "GET / HTTP/1.1") [or whatever]
>
> For a feasible subset of the key space (e.g., 2^80 or so). It then captures
> a large fraction of the traffic on the Internet and looks for matches for
> one
> of these strings. If it has a match, it now immediately knows the key. Given
> the amount of traffic on the Internet, this is just maybe barely feasible
> with
> 128-bit keys. However, with a randomized (secret) nonce, it becomes
> infeasible.

Interesting. I don't have a strong opinion about this one, but if
there are no (or cheap) tradeoffs, it seems reasonable to use this
construction.

>> I'm confused. The byte stream will be delivered in-order via TCP
>> sequence semantics, so receiving frames (TLV within the TCP
>> bytestream) out-of-order should not be possible. If a MitM reordered
>> the frames, the receiver would either drop the frame or close the
>> connection following a failure to authenticate upon decryption:
>>
>> q( In the latter case, the implementation MUST
>>    either drop the TCP segment(s) containing the frame or abort the
>>    connection; but if it aborts, the implementation MUST raise an error
>>    condition distinct from the end-of-file condition. )
>
>
> Maybe I'm misunderstanding tcpcrypt, so let me ask a preliminary
> question:
>
> Say you have two TCP segments protected using tcpcrypt, N and N+1
> If the receiver receives N+1 before N, how does it behave?

Tcpcrypt lives entirely within the ordered TCP data stream. If N+1
arrives before N, that payload will not be delivered to the tcpcrypt
engine until after N arrives, in accordance with the in-order
semantics of TCP payload delivery.

>> The idea of doing something more ticket-like was discussed, but David
>> pointed out (in the thread here:
>> https://www.ietf.org/mail-archive/web/tcpinc/current/msg00919.html)
>> that tickets might not meet the charter mandate for forward secrecy. I
>> don't recall discussing the implications of mismanaging ss[i], but
>> I'll defer to Daniel on that point. Same goes for the following:
>
>
> I don't think the issue here is tickets, but rather the lack of a nonce.
> The point is that (say) the implementation fails to properly delete
> ss[i] after encrypting some data. Then if an attacker can force
> you to reuse ss[i], it can potentially recover data. This would not
> be the case if you mixed in a nonce from both sides (the way that
> TLS and IKE do).

I like the idea of added defense-in-depth against faulty
implementations, but it's not clear to me what tradeoffs this involves
re: (e.g.) SYN data on resumption, or on number of round trips, or on
the latency-to-first-payload-byte. I'd like Daniel to chime in here.

Kyle