Re: [tcpm] "The SYN trick"
Brian Weis <bew@cisco.com> Tue, 11 March 2008 21:15 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: ietfarch-tcpm-archive@core3.amsl.com
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 73D6228C243; Tue, 11 Mar 2008 14:15:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.997
X-Spam-Level:
X-Spam-Status: No, score=-100.997 tagged_above=-999 required=5 tests=[AWL=-0.560, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stKI23Y1XBAe; Tue, 11 Mar 2008 14:15:21 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6BDB328C51A; Tue, 11 Mar 2008 14:15:18 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E1E628C51A for <tcpm@core3.amsl.com>; Tue, 11 Mar 2008 14:15:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rwXsc73rBgMy for <tcpm@core3.amsl.com>; Tue, 11 Mar 2008 14:15:17 -0700 (PDT)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id 5498128C21B for <tcpm@ietf.org>; Tue, 11 Mar 2008 14:15:14 -0700 (PDT)
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-2.cisco.com with ESMTP; 11 Mar 2008 14:12:55 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id m2BLCt2u020528; Tue, 11 Mar 2008 14:12:55 -0700
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id m2BLChgq005777; Tue, 11 Mar 2008 21:12:54 GMT
Received: from xfe-rtp-201.amer.cisco.com ([64.102.31.38]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 11 Mar 2008 17:12:46 -0400
Received: from [10.150.135.191] ([10.82.241.146]) by xfe-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 11 Mar 2008 17:12:45 -0400
In-Reply-To: <20080311202500.F245A1AD5EF@kilo.rtfm.com>
References: <20080311183651.BE37B1ACED8@kilo.rtfm.com> <3FD0E4F5-8AA3-427E-BE87-EACAE62AA78D@cisco.com> <20080311202500.F245A1AD5EF@kilo.rtfm.com>
Mime-Version: 1.0 (Apple Message framework v753)
Message-Id: <FFDE3AFB-26EC-43A4-AE37-897F0CAA48E4@cisco.com>
From: Brian Weis <bew@cisco.com>
Date: Tue, 11 Mar 2008 17:13:31 -0400
To: Eric Rescorla <ekr@networkresonance.com>
X-Mailer: Apple Mail (2.753)
X-OriginalArrivalTime: 11 Mar 2008 21:12:45.0838 (UTC) FILETIME=[A6F762E0:01C883BC]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3112; t=1205269975; x=1206133975; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew@cisco.com; z=From:=20Brian=20Weis=20<bew@cisco.com> |Subject:=20Re=3A=20[tcpm]=20=22The=20SYN=20trick=22 |Sender:=20; bh=yHNYy2FNey8YtP7ZEqqnEm9RUqXmk1q7r0hSKTBeyzo=; b=ZFp1vqK5XJiN5cbJIyMeqknNBRuAuT+xv3TkpSpVbUTNSz3yEVaS2xRF9Z 5vW06mfFjVUlZ3dHuqBQg3HueqJnXRWLn4KsRJTeQzrc4Xq4t7yZDVc4D9MG EBPISmQ/QdHvV9WEXzkjlgzqKf+/0Q9ArEwyCdeQz+glrYPIURZiM=;
Authentication-Results: sj-dkim-1; header.From=bew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: tcpm@ietf.org
Subject: Re: [tcpm] "The SYN trick"
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
Hi Eric,
On Mar 11, 2008, at 4:25 PM, Eric Rescorla wrote:
> At Tue, 11 Mar 2008 15:55:29 -0400,
> Brian Weis wrote:
>>
>> Hi Eric,
>>
>> I like the simplicity of this approach. But using the ISNs to
>> generate keys requires that the ISN values be generated from good
>> random numbers (to avoid the generation of predicable keys). I think
>> most systems today do happen to use a good RNG for generating the
>> ISN, but there's no guarantee.
>
> Actually, this isn't correct, because we're assuming that we have
> an initial strong key and we're just using the ISNs for diversity.
> S 6.1.2 of draft-rescorla-tcp-auth-arch-00 goes into this in
> more detail:
>
> A substantial amount of resistance to inter-connection cut-and-
> paste
> attacks can be achieved by exploiting connection information other
> than the host/port quartet. For instance, one could start with a
> static key and use the TCP ISNs to produce a unique per-connection
> key:
>
> K_connection = HMAC(K_static, ISN_client || ISN_server)
>
> If we treat ISNs as random variates (note: this does not require
> cryptographic randomness, just low probability of collisions) then
> there are 2^{64} equally probable ISN combinations between any pair
> of hosts, which implies 2^{64} potential keys (even if we ignore
> the
> host/port quartet), so the chance of two connection keys colliding
> becomes acceptably low: on average there will be a collision after
> 2^{32} connections. If the host/port quartet is included, then
> collisions become even less probable.
>
> Note: the ISNs are being used here serve the same role as
> nonces
> in standard cryptographic protocols (e.g., the ClientRandom and
> ServerRandom in TLS). Therefore, the security model explicitly
> assumes that they are public information. Thus, the sequence
> number predictability issues described on [RFC1948] do not
> impact
> the security of the system. Only nonce uniqueness is required.
Treating the ISNs as nonces makes a lot of sense.
But that reminds me that NIST is preparing a draft document (for
release one of these days) describing acceptable KDFs based on a
secret key. I've been advised that it will recommend including entity
identities in the derivation, to tie key derivation to a particular
session. So something like the following method might be better:
K_connection = HMAC(K_master, ISN_i, ISN_r, IP_address_i,
IP_address_r, port_i, port_r)
Thanks,
Brian
> This scheme has very similar security properties to the scheme
> described in Section 6.1.1, including having a compatible key
> management interface. Unlike static keys, however, there is a
> significant amount of resistance to inter-connection cut-and-paste
> attacks because each connection with high probability uses a unique
> key.
>
> -Ekr
>
--
Brian Weis
Advanced Security Development, Security Technology Group, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] "The SYN trick" Eric Rescorla
- Re: [tcpm] "The SYN trick" Brian Weis
- Re: [tcpm] "The SYN trick" Eric Rescorla
- Re: [tcpm] "The SYN trick" Brian Weis
- Re: [tcpm] "The SYN trick" Eric Rescorla