Re: [tcpm] "The SYN trick"
Brian Weis <bew@cisco.com> Tue, 11 March 2008 21:15 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: ietfarch-tcpm-archive@core3.amsl.com
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 73D6228C243; Tue, 11 Mar 2008 14:15:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.997
X-Spam-Level:
X-Spam-Status: No, score=-100.997 tagged_above=-999 required=5 tests=[AWL=-0.560, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stKI23Y1XBAe; Tue, 11 Mar 2008 14:15:21 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6BDB328C51A; Tue, 11 Mar 2008 14:15:18 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E1E628C51A for <tcpm@core3.amsl.com>; Tue, 11 Mar 2008 14:15:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rwXsc73rBgMy for <tcpm@core3.amsl.com>; Tue, 11 Mar 2008 14:15:17 -0700 (PDT)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id 5498128C21B for <tcpm@ietf.org>; Tue, 11 Mar 2008 14:15:14 -0700 (PDT)
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-2.cisco.com with ESMTP; 11 Mar 2008 14:12:55 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id m2BLCt2u020528; Tue, 11 Mar 2008 14:12:55 -0700
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id m2BLChgq005777; Tue, 11 Mar 2008 21:12:54 GMT
Received: from xfe-rtp-201.amer.cisco.com ([64.102.31.38]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 11 Mar 2008 17:12:46 -0400
Received: from [10.150.135.191] ([10.82.241.146]) by xfe-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 11 Mar 2008 17:12:45 -0400
In-Reply-To: <20080311202500.F245A1AD5EF@kilo.rtfm.com>
References: <20080311183651.BE37B1ACED8@kilo.rtfm.com> <3FD0E4F5-8AA3-427E-BE87-EACAE62AA78D@cisco.com> <20080311202500.F245A1AD5EF@kilo.rtfm.com>
Mime-Version: 1.0 (Apple Message framework v753)
Message-Id: <FFDE3AFB-26EC-43A4-AE37-897F0CAA48E4@cisco.com>
From: Brian Weis <bew@cisco.com>
Date: Tue, 11 Mar 2008 17:13:31 -0400
To: Eric Rescorla <ekr@networkresonance.com>
X-Mailer: Apple Mail (2.753)
X-OriginalArrivalTime: 11 Mar 2008 21:12:45.0838 (UTC) FILETIME=[A6F762E0:01C883BC]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3112; t=1205269975; x=1206133975; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew@cisco.com; z=From:=20Brian=20Weis=20<bew@cisco.com> |Subject:=20Re=3A=20[tcpm]=20=22The=20SYN=20trick=22 |Sender:=20; bh=yHNYy2FNey8YtP7ZEqqnEm9RUqXmk1q7r0hSKTBeyzo=; b=ZFp1vqK5XJiN5cbJIyMeqknNBRuAuT+xv3TkpSpVbUTNSz3yEVaS2xRF9Z 5vW06mfFjVUlZ3dHuqBQg3HueqJnXRWLn4KsRJTeQzrc4Xq4t7yZDVc4D9MG EBPISmQ/QdHvV9WEXzkjlgzqKf+/0Q9ArEwyCdeQz+glrYPIURZiM=;
Authentication-Results: sj-dkim-1; header.From=bew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: tcpm@ietf.org
Subject: Re: [tcpm] "The SYN trick"
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
Hi Eric, On Mar 11, 2008, at 4:25 PM, Eric Rescorla wrote: > At Tue, 11 Mar 2008 15:55:29 -0400, > Brian Weis wrote: >> >> Hi Eric, >> >> I like the simplicity of this approach. But using the ISNs to >> generate keys requires that the ISN values be generated from good >> random numbers (to avoid the generation of predicable keys). I think >> most systems today do happen to use a good RNG for generating the >> ISN, but there's no guarantee. > > Actually, this isn't correct, because we're assuming that we have > an initial strong key and we're just using the ISNs for diversity. > S 6.1.2 of draft-rescorla-tcp-auth-arch-00 goes into this in > more detail: > > A substantial amount of resistance to inter-connection cut-and- > paste > attacks can be achieved by exploiting connection information other > than the host/port quartet. For instance, one could start with a > static key and use the TCP ISNs to produce a unique per-connection > key: > > K_connection = HMAC(K_static, ISN_client || ISN_server) > > If we treat ISNs as random variates (note: this does not require > cryptographic randomness, just low probability of collisions) then > there are 2^{64} equally probable ISN combinations between any pair > of hosts, which implies 2^{64} potential keys (even if we ignore > the > host/port quartet), so the chance of two connection keys colliding > becomes acceptably low: on average there will be a collision after > 2^{32} connections. If the host/port quartet is included, then > collisions become even less probable. > > Note: the ISNs are being used here serve the same role as > nonces > in standard cryptographic protocols (e.g., the ClientRandom and > ServerRandom in TLS). Therefore, the security model explicitly > assumes that they are public information. Thus, the sequence > number predictability issues described on [RFC1948] do not > impact > the security of the system. Only nonce uniqueness is required. Treating the ISNs as nonces makes a lot of sense. But that reminds me that NIST is preparing a draft document (for release one of these days) describing acceptable KDFs based on a secret key. I've been advised that it will recommend including entity identities in the derivation, to tie key derivation to a particular session. So something like the following method might be better: K_connection = HMAC(K_master, ISN_i, ISN_r, IP_address_i, IP_address_r, port_i, port_r) Thanks, Brian > This scheme has very similar security properties to the scheme > described in Section 6.1.1, including having a compatible key > management interface. Unlike static keys, however, there is a > significant amount of resistance to inter-connection cut-and-paste > attacks because each connection with high probability uses a unique > key. > > -Ekr > -- Brian Weis Advanced Security Development, Security Technology Group, Cisco Systems Telephone: +1 408 526 4796 Email: bew@cisco.com _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] "The SYN trick" Eric Rescorla
- Re: [tcpm] "The SYN trick" Brian Weis
- Re: [tcpm] "The SYN trick" Eric Rescorla
- Re: [tcpm] "The SYN trick" Brian Weis
- Re: [tcpm] "The SYN trick" Eric Rescorla