Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)

David Mazieres <> Fri, 02 November 2018 04:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AD2B012D4EA; Thu, 1 Nov 2018 21:58:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HK_RANDOM_ENVFROM=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id imx0iosEswSD; Thu, 1 Nov 2018 21:58:04 -0700 (PDT)
Received: from ( [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6CCAC129C6A; Thu, 1 Nov 2018 21:57:58 -0700 (PDT)
Received: from (localhost []) by ( with ESMTP id wA24vtOZ082509; Thu, 1 Nov 2018 21:57:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=scs; t=1541134675; bh=Q/AR7PLdhnUMnjzzktetCjirlHjXoNBH+XZRn0+bbb8=; h=From:To:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version; b=dCje4YWvTPx1XVFdARp1E+b46wnIlISzynquXNuTqB+a7h37IpeF0InCHKXD8+kt9 XPUhKOoGW1KZLJkUzlNtV8ta7w50GHbayMpuJ3nBR9kQzWPwMaOfUJ7zO/KCY79ixB TN3JafXhH0bZYivdrUUUktrBltpVD3LnK3dn8jeY=
Received: (from dm@localhost) by ( id wA24vt7n023747; Thu, 1 Nov 2018 21:57:55 -0700 (PDT)
From: David Mazieres <>
To: Eric Rescorla <>, Kyle Rose <>
Cc: tcpinc <>, Daniel B Giffin <>,, "Black, David" <>, IESG <>,
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
Reply-To: David Mazieres expires 2019-01-30 PST <>
Date: Thu, 01 Nov 2018 21:57:54 -0700
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <>
Subject: Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpcrypt-09: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Nov 2018 04:58:06 -0000

Eric Rescorla <> writes:

>    When a frame is received, tcpcrypt reconstructs the associated data
>    and frame ID values (the former contains only data sent in the clear,
>    and the latter is implicit in the TCP stream), computes the nonce "N"
>    as above, and provides these and the ciphertext value to the AEAD
>    decryption operation.  The output of this operation is either a
>    plaintext value "P" or the special symbol FAIL.  In the latter case,
>    the implementation SHOULD abort the connection and raise an error
>    condition distinct from the end-of-file condition.  But if none of
>    the TCP segment(s) containing the frame have been acknowledged and
>    retransmission could potentially result in a valid frame, an
>    implementation MAY instead drop these segments (and "renege" if they
>    have been SACKed, according to [RFC2018] Section 8).
> Looking through this again, why is this the right guidance? It seems
> like:
> 1. You shouldn't ACK data that you can't verify, because it's confusing
> to the other side. This seems like one of the arguments for tcpcrypt
> rather than protocols that run over top of TCP.

This obviously isn't how the original tcpcrypt worked, but the working
group decided that for middlebox robustness, tcpcrypt should not protect
the integrity of the TCP header (including ACK bits).  As it is, nothing
requires TCP segments to align with tcpcrypt frames.  If the recipient
lucks out and hasn't ACKed any of the corrupt data, then maybe hope a
retransmission is better, although middleboxes might prevent sequence
numbers from being overwritten anyway.  Since that's a rather fringe
case, if you only do one thing it needs to be aborting the connection.

> 2. You would get better resistance to connection failure if you instead
> decrypted packets and then ACKed.

Not especially, because tcpcrypt doesn't protect the header, so an
active attacker can just inject bad packets and desynchronize the TCP
connection.  There does exist a protocol that does better--namely the
original version of tcpcrypt, but for various reasons the working group
ultimately rejected this design (over my objections), and it's too late
to revisit the decision at this point.

> Is the situation that sometimes you have to ACK? I haven't thought
> this through. Perhaps you should recommend against ACKing if you
> don't have to.

The ACKing is effectively dictated by RFC793 (+SACK).

> I also notice you don't require checking that the result of the
> X25519 function is nonzero. We hve been requiring this in other
> IETF protocols.

Seems like a vanishingly low-probability event, but I see no problem to
adding such a requirement.  Do you have some language to suggest?  Maybe
we could cut and paste out of another RFC with already approved

>    the number of past connections that are vulnerable.  Of course,
>    placing private keys in persistent storage introduces severe risks
>    that they will not be destroyed reliably and in a timely fashion, and
>    SHOULD be avoided at all costs.
> This seems a bit over the top. Either it's this serious and you need
> a MUST, or it's not this serious, and you should tone it down.

It is serious, especially with SSDs.  The reason not to make it a MUST
is that some implementations may be unable to avoid it--like a virtual
machine that gets transparently paged to disk.  That could still be okay
if, say, the swap partition is encrypted with an ephemeral key.

>    To meet that ideal, it might appear natural to also mandate ECDHE
>    using P-256, as this scheme is well-studied, widely implemented, and
>    sufficiently different from the Curve25519-based scheme that it is
>    unlikely they will both suffer from a single (non-quantum)
>    cryptanalytic advance.
> I'm not sure how persuasive this argument is. Wouldn't an efficient
> discrete log algorithm in generic groups affect both of these functions.
> As far as I know, it's not known that no such algorithm exists.

In fact, there are lower bounds on generic-group discrete-log attacks.
See, for example, this recent Eurocrypt paper:

But it sounds like you actually agree with us that we don't need to
mandate P-256, so I'm not sure what you are suggesting here.