IETF Logo Mail Archive

Re: [tcpm] discussion of draft-rescorla-tcp-auth-arch-00.txt

Eric Rescorla <ekr@networkresonance.com> Tue, 11 March 2008 12:41 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: ietfarch-tcpm-archive@core3.amsl.com
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9566F28C3A3; Tue, 11 Mar 2008 05:41:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.484
X-Spam-Level:
X-Spam-Status: No, score=-99.484 tagged_above=-999 required=5 tests=[AWL=-0.287, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, SARE_LWSHORTT=1.24, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZBPe4VJUQJjI; Tue, 11 Mar 2008 05:41:17 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9A76828C379; Tue, 11 Mar 2008 05:41:17 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4DF4B28C384 for <tcpm@core3.amsl.com>; Tue, 11 Mar 2008 05:41:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o4wI+UPiv2m4 for <tcpm@core3.amsl.com>; Tue, 11 Mar 2008 05:41:11 -0700 (PDT)
Received: from kilo.rtfm.com (dhcp-11ec.ietf71.ietf.org [130.129.17.236]) by core3.amsl.com (Postfix) with ESMTP id AF8A128C334 for <tcpm@ietf.org>; Tue, 11 Mar 2008 05:41:11 -0700 (PDT)
Received: from dhcp-1679.ietf71.ietf.org (localhost [127.0.0.1]) by kilo.rtfm.com (Postfix) with ESMTP id 9CF841AB60F; Tue, 11 Mar 2008 08:38:51 -0400 (EDT)
Date: Tue, 11 Mar 2008 08:38:51 -0400
From: Eric Rescorla <ekr@networkresonance.com>
To: Joe Touch <touch@ISI.EDU>
In-Reply-To: <47D6784B.3030107@isi.edu>
References: <47D5E09A.5000803@isi.edu> <20080311115220.A85891AB2B9@kilo.rtfm.com> <47D6784B.3030107@isi.edu>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.1 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Message-Id: <20080311123851.9CF841AB60F@kilo.rtfm.com>
Cc: IETF Security Area WG <saag@mit.edu>, tcpm@ietf.org
Subject: Re: [tcpm] discussion of draft-rescorla-tcp-auth-arch-00.txt
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

At Tue, 11 Mar 2008 05:17:15 -0700,
Joe Touch wrote:

> Eric Rescorla wrote:
> >> Key changes are to reduce the amount of material signed under a single 
> >> key, to reduce the utility of signed packets to a cryptoanalyst.
> > 
> > As I indicate in S 3.3, while this is certainly crypto lore for
> > symmetric ciphers, I am unaware of any evidence that having
> > large (but practical) numbers of plaintext/ciphertext pairs 
> > is of any significant value in attacking modern algorithms.
> 
> That lore is expressed in RFC3562,and implied in RFC4107 in the phrase 
> "short term" key. We'd be glad to be advised otherwise; if so, then:
> 
> 	- we could note that the key-ID would be used only for
> 	deliberate key changes, e.g., due to compromise, or to
> 	avoid a key rollover replay attack
> 
> 		note: this is also why we need a byte/segment
> 		counter; when it hits 2^32, we MUST change
> 		keys or there is a clear replay attack

As I stated in my original document, this is not correct. You simply
treat the sequence number as 64 bits long with only the low order
32-bits represented on the wire, but include the entire sequence
number in the MAC. The relevant technique is described in RFC 4304.


> > - With a single connection.
> > - Between connections which happen to share parameters by coincidence.
> > 
> > As I indicate in S 3.1, there's no replay issue in the first case
> > except for TCP sequence number rollover, which can be fixed by
> > using extended sequence numbers. 
> 
> TCP does not have extended sequence numbers. Adding that 
> cross-connection information, and including it in every tcp-opt header, 
> was explored but is decided against for numerous reasons.

As noted above, this is not included on the wire. 


> > The relevant issue is the
> > second case, again discussed in S 3.1, but it's not clear to
> > me how important this actually is.
> 
> That's why we believe it's sufficient to address this at the TSAD, 
> requiring keys to change when connections end and new ones start with 
> the same port numbers. That can be accomplished in various ways, e.g., by:
> 	- forcing a TSAD key change
> 	- keeping a cache of previous TSAD keys for that connection
> 	etc.
> 
> The first one above might be sufficient - and simple to implement - if 
> this is not a severe concern.

Well, you're assuming that it's something we need to do at all. Given
that it comes at some cost, I think it should be discussed first.


> > But this is not what I'm talking about. I'm merely talking about
> > using the ISNs as a diversifier for the per-connection key.
> > Could you elaborate more on issues with this.
> 
> Are you suggesting instead to retain the ISN for a connection and use it 
> in the crypto alg? 

See S 6.1.2.

   K_connection = HMAC(K_static, ISN_client || ISN_server)

-Ekr
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.30.2 | Report a Bug | By Email | System Status