Re: [tcpm] public-private keys for TCP-AO

"Jakob Heitz (jheitz)" <> Tue, 30 October 2018 02:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 381DE1288BD for <>; Mon, 29 Oct 2018 19:00:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.97
X-Spam-Status: No, score=-14.97 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vQlsAUeAYMSG for <>; Mon, 29 Oct 2018 19:00:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B3211126DBF for <>; Mon, 29 Oct 2018 19:00:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=32968; q=dns/txt; s=iport; t=1540864818; x=1542074418; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=yqlR0FxYLbkoPkZx61yM7hxmFp2uk1gfvdL1zTq0uyc=; b=km3cKNxq65uwqn5xmAeeaY3CrS74VjHscpn3PBt31IQ2bg8uCpF8WMfD B5iC0bnFB8HtT4I6FhmJJUlS+ZbSKfuxzUyrMrlhq+Ko3KazeJixTIEhZ PY08ZNr+wHCyMGdw5S00lsT3BIa2dAJRsIMW0HMf7gdUIsA1GIgjeoinl M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AEAAA/utdb/5hdJa1kGgEBAQEBAgE?= =?us-ascii?q?BAQEHAgEBAQGBUQUBAQEBCwGBDUgvZn8oCoNriBiMGYINlyCBegsBARgBCoR?= =?us-ascii?q?JAheDFiE0DQ0BAwEBAgEBAm0cDIU6AQEBAQMBASEKQQsQAgEIEQQBASEHAwI?= =?us-ascii?q?CAiULFAkIAgQOBQiDGoEdZA+pZoEuih0Fi0keF4FBP4QjWYJCAQGCF4JOglc?= =?us-ascii?q?CiGmFYYYiiUlUCQKQeiCNZoJhlnUCERSBJh04gVVwFTuCbIIlAReIXIU+b4w?= =?us-ascii?q?GgR8BAQ?=
X-IronPort-AV: E=Sophos;i="5.54,442,1534809600"; d="scan'208,217";a="192925432"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Oct 2018 02:00:17 +0000
Received: from ( []) by (8.15.2/8.15.2) with ESMTPS id w9U20HG5005086 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 30 Oct 2018 02:00:17 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 29 Oct 2018 21:00:16 -0500
Received: from ([]) by ([]) with mapi id 15.00.1395.000; Mon, 29 Oct 2018 21:00:16 -0500
From: "Jakob Heitz (jheitz)" <>
To: Joe Touch <>
CC: "" <>
Thread-Topic: [tcpm] public-private keys for TCP-AO
Thread-Index: AdRv51Oca8SVyggpTLame1T3B/a0kQAME/iAAApbkFD//7O5gIAAU4Pg//+v9oCAAFNQ4A==
Date: Tue, 30 Oct 2018 02:00:16 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_bd707072e91b420d93dd898f69d94898XCHALN014ciscocom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [tcpm] public-private keys for TCP-AO
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 30 Oct 2018 02:00:22 -0000

There are use cases where I don't need to generate a LOT.
One a month should be just fine, because I have no fear of them leaking into enemy hands.
I posit that distributing one shared secret key is a LOT harder than distributing 1000 public keys.


From: Joe Touch <>
Sent: Monday, October 29, 2018 6:49 PM
To: Jakob Heitz (jheitz) <>
Subject: Re: [tcpm] public-private keys for TCP-AO

On Oct 29, 2018, at 6:41 PM, Jakob Heitz (jheitz) <<>> wrote:

Because distributing public keys is easier.
Private keys don't need to be distributed. They stay inside the machine that generates them.

Sure, but you need to generate private/public key pairs on both sides of the connection - many of them - and then distribute them to both sides. I.e., the work gets a LOT larger.

Distributing and safe guarding symmetric keys is a major hassle.

Agreed, but you only need one such shared key between each endpoint pair because you can derive session keys algorithmically.

You can certainly TRY to work out the details as you suggest, but I suspect the number of keys needed would be prohibitive even for a single pair of endpoints.



From: Joe Touch <<>>
Sent: Monday, October 29, 2018 6:37 PM
To: Jakob Heitz (jheitz) <<>>
Subject: Re: [tcpm] public-private keys for TCP-AO

On Oct 29, 2018, at 6:22 PM, Jakob Heitz (jheitz) <<>> wrote:

Can you think of a way to do it that will work?
Like the KDF is just a static list or something.
The sender generates a set of key pairs and numbers them.
It then puts the list of public keys into a file and distributes them to all receivers in the clear.

You’d have to find a way to specify the use of private and public keys on both sides, in advance, and distribute enough for the upcoming connections - then you’d have to hash into that list in a way that avoids reuse. At that point, why not just distribute symmetric keys and be done with it?


The KDF is just to index into this file.

Because the use case, at least, makes sense.


From: Joe Touch <<>>
Sent: Monday, October 29, 2018 6:13 PM
To: Jakob Heitz (jheitz) <<>>
Subject: Re: [tcpm] public-private keys for TCP-AO

On Oct 29, 2018, at 5:45 PM, Jakob Heitz (jheitz) <<>> wrote:

Why was there not a public-private key algorithm specified for TCP-AO? Or did I miss it?

There has not been. I doubt it would make sense (see below).

For example ECC.
An MKT can specify a private key for the sender and a public key for the receivers.

Yes, but the MKT is derived into public/private keys using a KDF.

I am not aware of a KDF that can take a private key and generate a derived private key that would work with a correspondingly derived public key generated from the corresponding public key.

To use, the sender will hash the data, encrypt the hash and put the result into the MAC field.
The receiver would decrypt the MAC field, then hash the data and verify the hash against the decrypted MAC.
This way, the private key never needs to be exposed to anyone, simplifying key management.
Is there any objection to getting this done?

See above; it doesn’t make sense with the way TCP-AO derives keys for each connection, AFAICT.



tcpm mailing list<>

tcpm mailing list<>

tcpm mailing list<>