In the IETF LC thread referenced in the thread subject (CC'ed to the tcpinc list), Ekr (acting as security AD) raised an issue on which we need to seek rough consensus from the WG: that of the key-reuse risk potential in the resumption key schedule.
Please see that thread for more details (especially Ekr's email from Nov 18, in the archives at https://www.ietf.org/mail-archive/web/tcpinc/current/msg01471.html), but a brief summary is that, with the catastrophic loss of security inherent in AEAD modes like GCM when the same key and nonce are used to encrypt multiple blocks, the construction of ss[i] (see section 3.3 of draft-ietf-tcpinc-tcpcrypt-10) depending only on ss[i-1] and some constants, and in particular *not* depending on fresh randomness from each party, will inevitably break confidentiality and authentication should an implementation not strictly prevent the reuse of ss[i] on multiple connections. There is language in the draft prohibiting reuse of ss[i]: q( A session secret may not be used to secure more than one TCP connection. To prevent this, a host MUST NOT resume with a session secret if it has ever enabled encryption in the past with the same secret, in either role. ) but there is concern that this language is not strong enough: first, that it does not explain the reason for the prohibition; and second, because the prohibition refers only to "a host" and does not directly address the threat posed by sharing of resumption state across machines. Given the absence of a mechanism for stateless resumption in tcpcrypt (such as that provided by TLS session tickets), this prohibition essentially precludes resumption across a server pool via periodic state sharing, as there would be a race condition between use of ss[i] on one server and invalidation of that value throughout the rest of the pool. The chairs are looking for direction from the WG on how to proceed. From the discussion in the other thread, I see a number of basic options, ranging from least- to most-invasive: (1) Strengthening the language around this prohibition. (2) Adding a 0-RT mechanism for adding fresh randomness to the resumption key schedule. (3) Adding a 1-RT mechanism for adding fresh randomness to the resumption key schedule (that also provides a measure of replay protection at the cost of an additional round trip). (4) Switching to a stateless resumption mechanism, which would necessarily involve fresh randomness (but at the cost of requiring an additional round trip for resumption owing to insufficient option space for encoding state). I would like the WG to discuss the risks and benefits of each option and decide how to proceed. I believe we already have rough consensus on sticking with a stateful resumption scheme given the latency costs of stateless resumption under the constraints of TCP, but the WG can always reopen that question if there is rough consensus to do so. Thanks, Kyle
_______________________________________________ Tcpinc mailing list Tcpinc@ietf.org https://www.ietf.org/mailman/listinfo/tcpinc
