Transport-level encryption with Tcpcrypt

By Jake Edge
August 25, 2010

It has been said that the US National Security Agency (NSA) blocked the implementation of encryption in the TCP/IP protocol for the original ARPANET, because it wanted to be able to listen in on the traffic that crossed that early precursor to the internet. Since that time, we have been relegated to always sending clear-text packets via TCP/IP. Higher level application protocols (i.e. ssh, HTTPS, etc.) have enabled encryption for some traffic, but the vast majority of internet communication is still in the clear. The Tcpcrypt project is an attempt to change that, transparently, so that two conforming nodes can encrypt all of the data portion of any packets they exchange.

One of the key benefits that Tcpcrypt offers is transparency. That means that if both endpoints of a connection support it, the connection will be encrypted, but if one doesn't support Tcpcrypt, the other will gracefully fall back to standard clear-text TCP/IP. No applications are required to change, and no "new" protocols are required (beyond Tcpcrypt itself, of course) as applications will send and receive data just as they do today. But there is an additional benefit available for those applications that are willing to change: strong authentication.

Tcpcrypt has the concept of a "session ID" that is generated on both sides as part of the key exchange. This ID can be used in conjunction with a shared secret, like a password, to authenticate both ends of the communication. Because the client and server can exchange cryptographic hash values derived from the shared secret and session ID, they can be assured that each is talking over an encrypted channel to an endpoint that has the key (password). A "man in the middle" would not have access to the password and therefore can't spoof the exchange.

Even without any application changes for stronger authentication, Tcpcrypt would defend against passive man-in-the-middle attacks, like eavesdropping. Active attacks could still spoof responses that said Tcpcrypt was not supported, even if the other endpoint did support it, or even relay encrypted traffic. That would still be better than the usual situation today where a passive attacker can gather an enormous amount of clear-text traffic, especially from unencrypted or weakly encrypted wireless networks.

There is an Internet Engineering Task Force (IETF) draft available that describes how Tcpcrypt works by using two new TCP options. Those two options, CRYPT and MAC, will not be recognized by endpoints without Tcpcrypt support, and are therefore harmless. The CRYPT option is used to negotiate the use of Tcpcrypt and to exchange encryption keys, while the MAC option carries a hash value that can be used to verify the integrity of the packet data.

In addition to the IETF draft, the project has produced a paper, The case for ubiquitous transport-level encryption [PDF], that was presented at the 2010 USENIX Security conference. It gives a somewhat higher-level look at how Tcpcrypt integrates with TCP/IP, while providing a lot more information on the cryptographic and authentication algorithms. The slides [PDF] from the presentation are also instructive.

One of the basic premises that underlies Tcpcrypt is that computers have gotten "fast enough" to handle encrypting all internet traffic. Doing so at the transport level, rather than in application protocols (e.g. ssh), can make it transparent to applications. In addition, Tcpcrypt can work through NAT devices, which is something that another lower-layer encryption protocol, IPSec, cannot handle.

Because Tcpcrypt keys are short-lived, non-persistent public/private key pairs, it does not require the public key infrastructure (PKI) that other solutions, like HTTPS, need. That means that endpoints can communicate without getting certificates signed by centralized authorities. Of course the existing PKI certificates will work just fine on top of Tcpcrypt.

While computers may be "fast enough" to handle encryption on every packet, there is still the problem of asymmetry. Servers typically handle much more traffic than clients, so Tcpcrypt is designed to put the most difficult parts of the key negotiation and encryption onto the client side. The claim is that speeds of up to 25x that of HTTPS (i.e. SSL/TLS) can be achieved by Tcpcrypt. One wonders whether mobile devices are "fast enough", but that problem—if it even is one—is probably not one for that much longer.

Overall, Tcpcrypt is an intriguing idea. It certainly isn't a panacea for all of today's network ills, but that is no surprise. Unlike other proposals, Tcpcrypt can be incrementally deployed without requiring that we, somehow, restart the internet. Since it won't break existing devices, it can be developed and tested within the framework of the existing net. If for no other reason, that should give Tcpcrypt a leg up on other potential solutions.

Index entries for this article
Security	Encryption/Network

to post comments

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 3:33 UTC (Thu) by djao (guest, #4263) [Link] (19 responses)

It is important to emphasize that the tcpcrypt effort is being led by skilled and experienced cryptographers. The USENIX conference where the paper was published is highly regarded, and one of the authors (Boneh) is arguably the top cryptographer of this generation. In short, tcpcrypt is not your average snake oil -- it is a serious proposal, worthy of consideration.

I'm glad to see that tcpcrypt adopts the sensible policy of encrypting by default, even when authentication is not available. Many other protocols, such as SSL, refuse to work without authentication, or at best provide only second-class support for this use case, and this horrible design decision is in my opinion (yes, I am a cryptographer) the single worst mistake ever made in the history of network security. Firefox, in particular, is one of the worst offenders: an unauthenticated encrypted connection is met with scarier warnings and error messages than radioactive waste, whereas a totally unencrypted (and also unauthenticated) connection is allowed through with no warnings whatsoever! The Firefox example is a dramatic illustration of the absurdity that arises when programmers without cryptography expertise try to write security software. It would be supremely satisfying to see this vexing problem fixed at a lower level through ubiquitous deployment of tcpcrypt.

(Before anyone chimes in with the usual advice to "send a patch": it's been tried already, and it didn't work. For better or for worse, the Firefox developers are convinced that they are right, and nothing will sway them from that view.)

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 4:35 UTC (Thu) by blitzkrieg3 (guest, #57873) [Link] (9 responses)

If you see the little locked icon in your address bar, you shouldsleep easy in the knowledge that the only other party to view your communications was the web site. The fact that no-auth algorithms are easily exploitable by MitM makes them kind of uninteresting, and users _should_ be scared into not connecting, especially if they're doing something like web banking, which is what the majority of TLS is used for these days.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 4:51 UTC (Thu) by djao (guest, #4263) [Link] (5 responses)

I never suggested that an unauthenticated connection should have a lock icon. In fact, the reverse is true -- they should not have a lock icon. The lock icon should remain reserved for situations where the user needs to sleep easy.

Your web banking example is a bad one. Firefox already allows unencrypted unauthenticated connections without any scary warnings, even if the user is doing web banking. Currently, an attacker can already launch a phishing attack using no SSL/TLS at all. Unless the user notices that the lock icon is absent, the attack will work often enough to be useful.

I propose allowing encrypted unauthenticated connections, with no warnings, and no lock icon. This does not make attacks any easier than they are now. Every attack that an attacker can perform using encrypted unauthenticated connections can also be performed using unencrypted unauthenticated connections.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 14:39 UTC (Thu) by foom (subscriber, #14868) [Link] (4 responses)

> This does not make attacks any easier than they are now.

Yes it does. Let's say you have https://mybank.com bookmarked or memorized. You go to that url expecting it to be secure. That has always been the case up till now [modulo the questionable trustworthiness of the 5000 multinational certification authorities your browser trusts].

With your proposal, I would have to check on every connection to see if there's a "lock" icon for that site, because https now just means "please encrypt" not "please authenticate". That is definitely a loosening of security, and will make MiTM attacks possible where they were not before. Nobody is gonna go for that...

For your proposal to actually work, you need to do the opposite: transparently *upgrade* http:// to be anonymously-encrypted when possible. That's a great idea. But you've gotta leave https:// alone.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 14:50 UTC (Thu) by djao (guest, #4263) [Link] (2 responses)

You make a valid point. However, this problem can be easily, almost trivially fixed. The browser can (and should) be programmed to give a huge scary warning if a web site which previously offered authentication in the past has changed so that it no longer offers authentication.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 16:42 UTC (Thu) by gmaxwell (guest, #30048) [Link]

I don't know that I agree but instead I'd argue that few enough people are typing the "https" that it's irrelevant: Because most people are typing "http" (or providing no protocol at all) We absolutely _MUST_ solve the bootstrapping problem regardless of warning free cert-free-ssl, and people are diligently working on that problem, and any solution to that also addresses the concerns with warning-free-https.

The authentication-state caching thing you suggest is one possible solution, but it's somewhat fragile and still leaves a window of exposure. See https://secure.wikimedia.org/wikipedia/en/wiki/Strict_Tra... for more information on the initiatives in this area.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 18:22 UTC (Thu) by Simetrical (guest, #53439) [Link]

This is basically exactly what STS (formerly known as ForceTLS) does. For added effectiveness, browsers will likely precache STS headers for many major sites. Once this is done, there will be no reason to present scary warnings anymore for self-signed certs. Firefox has just implemented this: it's RESOLVED FIXED as of two days ago, so I guess it will be in the next Firefox 4 beta.

I still agree that the current behavior is way over the top. As this paper observes, a certificate error these days is a guarantee that the site is not malicious, since only a complete idiot of an attacker would try pulling off an attack via a page that raised a giant error . . .

Transport-level encryption with Tcpcrypt

Posted Aug 27, 2010 10:12 UTC (Fri) by epa (subscriber, #39769) [Link]

Perhaps https should remain reserved for encrypted, authenticated connections, but a new 'httpx' or similar URI scheme would be introduced for encrypted but not-necessarily-authenticated ones.

95% of users have no idea what https means or even that there is a difference between http and https, so it's not a big issue, but I take your point that any change shouldn't downgrade the security currently offered by https bookmarks.

Transport-level encryption with Tcpcrypt

Posted Aug 29, 2010 16:37 UTC (Sun) by Tet (guest, #5433) [Link] (2 responses)

If you see the little locked icon in your address bar, you should sleep easy in the knowledge that the only other party to view your communications was the web site

Utter nonsense. Yes, that's supposed to be how it works, but in the real world, it's simply not true. The obvious example is 3-D Secure, as used by banks here in the UK (and elsewhere?). You go to a web site, fill your cart and go to the checkout. You enter your credit card details, because the lock icon is present and you're confident that it's not a scam site. Then you're sent to a secondary authentication page. The lock icon is still showing everything's good. But what you're seeing is actually an iframe pointing to an entirely different site (in my case, hopefully it's LloydsTSB ClickSafe). But the padlock icon has nothing to do with this site, and thus offers no guarantees that the connection is secure, or that the page is being served by an entity that you trust. As a technically adept user, I can (and do) explicitly check the certificate of the iframe. But I'm in a very, very small minority. It's trivially easy for a phishing site to show a valid padlock throughout the entire transaction.

Transport-level encryption with Tcpcrypt

Posted Aug 29, 2010 17:52 UTC (Sun) by foom (subscriber, #14868) [Link]

That is how it works.

The padlock is shown on the outermost site. It is up to that site to ensure the security of its own website against XSS, against hacking of its servers, and against using insecure content inappropriately. It's their responsibility, not yours, to make sure they use secure iframes not insecure ones. And your browser checks the certificate to make sure that it *actually* belongs to the site that your bank trusted. So no, you don't need to verify every iframe individually.

Okay, so it's not literally true that "the only other party to view your communications was the web site", it's the web site and other web sites that the web site trusts.

> It's trivially easy for a phishing site to show a valid padlock throughout the entire transaction.

Of course, but that has nothing to do with the rest of your complaint. In the case of a phising site, "the web site" that the user is visiting, and which is protected, is the phising site.

Transport-level encryption with Tcpcrypt

Posted Sep 2, 2010 8:47 UTC (Thu) by eduperez (guest, #11232) [Link]

That is why my bank refuses transactions if their website is displayed inside an iframe.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 15:39 UTC (Thu) by zooko (guest, #2589) [Link] (7 responses)

> The Firefox example is a dramatic illustration of the absurdity that arises when programmers without cryptography expertise try to write security software.

Now hold on there, mister. The PKI paradigm in which public keys are supposed to be vetted by a centralized trusted third party can be blamed squarely on the cryptographers who invented public key encryption in the first place.

The reason Mozilla and every other user-facing app has this stupid design is a direct consequence of them trusting in cryptographers to give them good advice about security distributed systems design.

(Now granted, we all should have known at the start that cryptographers are the wrong people to go to for secure distributed systems design.)

Anyway, I can't hold silent while you reverse the history and saying that application hackers like the Netscape engineers are the ones to blame when they should have listened to cryptographers. That's backward! They did listen to cryptographers, and that's how we got here!

Since then a lot of distributed systems hackers (myself included) have pushed alternative models instead of the PKI model, and more recently (*after* we distributed systems hackers made significant progress) cryptographers like Prof. Boneh have started working on it too.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 15:49 UTC (Thu) by Trelane (subscriber, #56877) [Link] (4 responses)

Link to these other models, for those of us non-cryptographer non-distributed people in the audience? Thanks!

Transport-level encryption with Tcpcrypt

Posted Sep 4, 2010 4:52 UTC (Sat) by zooko (guest, #2589) [Link] (3 responses)

Self-certifying filesystem:

ftp://cag.lcs.mit.edu/pub/dm/papers/mazieres:thesis.ps.gz

ssh's model which Peter Gutmann calls the "baby-duck" model or "key continuity"

Web of Trust by Phil Zimmermann

The FreeS/WAN project by John Gilmore, Hugh Daniel et al., known as "Opportunistic Encryption".

The Capability Access Control model:

original:

http://www.cs.washington.edu/homes/levy/capabook/Chapter3...

modern synthesis:

http://erights.org/talks/thesis/index.html

Zooko's Triangle and Pet Names:

http://www.skyhunter.com/marcs/petnames/IntroPetNames.html

ZRTP:

http://en.wikipedia.org/wiki/ZRTP

Tahoe-LAFS:

http://tahoe-lafs.org

(Those last three are self-citations.)

The overall theme here is that the good ideas about robust decentralized security came originally from systems researchers and hackers, not from cryptographers. Cryptographers traditionally focused on elegant mathematical models and (with almost no explicit justification) they settled on the globe-spanning, centralized, hierarchical security model that we all know and love today as "PKI".

Transport-level encryption with Tcpcrypt

Posted Sep 6, 2010 3:20 UTC (Mon) by zooko (guest, #2589) [Link] (2 responses)

I was remiss in omitting Carl Ellison:

Carl Ellison. Establishing Identity Without Certification Authorities. In Proc. Sixth USENIX Security Symposium, pages 6776, Berkeley, 1996. Usenix.

Again, this is a fellow who is basically a systems researcher, not a cryptographer as such (he has no publications in crypto theory to my knowledge), and he was publishing good ideas along these lines back in '96.

Oh, and of course Ron Rivest was doing a very similar thing in '96: http://people.csail.mit.edu/rivest/sdsi10.html

So there's the first example I can come up with of a bona fide cryptographer giving us something more robust and decentralized than the PKI model.

Transport-level encryption with Tcpcrypt

Posted Sep 6, 2010 3:26 UTC (Mon) by zooko (guest, #2589) [Link] (1 responses)

Oh, and I see that Rivest's SDSI 1.0 in '96 cites:

Matt Blaze, Joan Feigenbaum, and Jack Lacy. Decentralized trust management. In Proceedings 1996 IEEE Symposium on Security and Privacy, page (to appear), May 1996.

Also real cryptographers.

But I should emphasize that while SDSI and to a lesser extent PolicyMaker were influential, these were exceptions to the centralized hierarchical PKI model that dominated cryptography, and they were too late. By 1996 the damage had already been done when Netscape engineers baked the PKI model into their socket encryption protocol, SSL.

Transport-level encryption with Tcpcrypt

Posted Sep 6, 2010 3:27 UTC (Mon) by zooko (guest, #2589) [Link]

I wrote "by 1996 the damage had already been done...", but I meant that it had already been done two years earlier, when Netscape invented SSL.

Okay I'm definitely going to stop following-up to myself now. :-)

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 15:56 UTC (Thu) by djao (guest, #4263) [Link]

I do not, did not, and never have faulted the original Netscape engineers. They did the best job that they could at the time. In particular, Netscape predates SSH, and SSH was the first program to demonstrate that crypto is much easier to deploy without a PKI. (SSH is also, incidentally, the only crypto protocol in history successful enough to have driven its corresponding unencrypted alternative to extinction.) I also fully agree that cryptographers are largely at fault for the colossal PKI mistake.

But Firefox was developed well after the rise of SSH, and the particular design decision that I am criticizing, namely the decision to change the warning dialogs for unauthenticated encrypted connections from one mild warning to three consecutive very big scary warnings, was made in Firefox 2.0, released in 2006. The Netscape engineers had valid excuses for their mistakes. The Firefox engineers do not.

Transport-level encryption with Tcpcrypt

Posted Aug 29, 2010 1:54 UTC (Sun) by zooko (guest, #2589) [Link]

Oh hey I see David Mazières is on the Tcpcrypt project. I have to give him props for Self-certifying Filesystem (circa 2000) as being an early part of what I call the "good" tradition.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 17:58 UTC (Thu) by emk (subscriber, #1128) [Link]

Thank you for your comments about tcpcrypt. I had written it off the first few times I saw it, because who needs crypto connections that "fail open" if a single TCP option gets stripped?

As it turns out, though, tcpcrypt does two very useful things:

1) tcpcrypt provides extremely low-overhead session key creation, more than an order of magnitude faster than SSL.

2) tcpcrypt provides non-secret, unique session identifiers that allow you to build authentication primitives at the application level. Among other things, you can use RSA to sign the session ID (turning tcpcrypt into a much faster SSL replacement) or perform mutual authentication using a client-only password and a corresponding hash on the server.

Essentially, tcpcrypt separates encryption from authentication, and provides the building blocks to do both well.

Even though tcpcrypt looks like junk at first glance, it's a _very_ slick protocol. But the authors really need to revamp their home page so that they stop getting written off as cranks who don't understand why "fail open" is a bad security policy.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 3:58 UTC (Thu) by zooko (guest, #2589) [Link] (7 responses)

> It has been said that the US National Security Agency (NSA) blocked the implementation of encryption in the TCP/IP protocol for the original ARPANET, because it wanted to be able to listen in on the traffic that crossed that early precursor to the internet.

Citation needed! I've never heard that story, and I've read much of what has been written on the history of modern encryption.

According to Paul Lambert and Howard Weiss [1], NSA actually sponsored development of encryption for ARPANET.

http://www.toad.com/gnu/netcrypt.html

N.B. NSA certainly tried to prevent widespread encryption several times during the 1990's, so I wouldn't be surprised if they did block encryption in TCP/IP, but unless you have some evidence that they did, or at least you can say who told you this rumor, then why publish it?

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 6:13 UTC (Thu) by djao (guest, #4263) [Link] (6 responses)

The NSA is far too secretive for anyone to procure a reliable citation for such allegations. However, given that we all agree the NSA did block encryption from being deployed on the internet during the 1990s, during a period which was at least as crucial to the formation of today's internet as the old ARPANET, what difference does it make? There's no logical reason why the NSA's position on this issue would change between 1970 and 1990. Occam's Razor certainly implies that the NSA opposed encryption software deployment consistently throughout this entire timeframe, and they had ample ability and opportunity to take action behind the scenes, out of public view.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 13:37 UTC (Thu) by csigler (subscriber, #1224) [Link] (4 responses)

> The NSA is far too secretive for anyone to procure
> a reliable citation for such allegations.

You should have ended your comment with the above sentence. I'm not saying the NSA doesn't want to read all traffic on the Internet. However, you have _no_ proof for your claim. It is based on sheer speculation and approaches tinfoil hat-worthiness.

Clemmitt

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 14:23 UTC (Thu) by djao (guest, #4263) [Link] (2 responses)

To be clear, I'm not claiming that the NSA actually did block encryption software in the 1970s. I have no proof of that.

What I am claiming is that their actions of 1970 are largely irrelevant. The NSA unquestionably did block encryption software in the 1990s, and in doing so heavily damaged the development of the internet. Against that backdrop, the events of the 1970s, whether positive or negative, have no more significance than a rounding error. If the sentence you point out from the article is indeed an error, it is an extremely minor one. The major thrust of the claim (that the NSA held back public use of encryption software) is correct, even if the timeline is off.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 16:31 UTC (Thu) by zooko (guest, #2589) [Link] (1 responses)

Journalists (and indeed, everyone who posts things that are going to preserved for posterity, which means all of us) should strive for accuracy. If Jake can tell us from whom he heard this rumor or what else he heard about it, then that might help us learn something.

If it doesn't matter whether the rumor is true or false, then one can omit it just as well as include it.

One reason that I object to printing unsubstantiated rumors is that it reduces the credibility and impact of truths. NSA did indeed block distribution of crypto in the 1990's through means both legal (export regs, Clipper chip) and shady (pressuring Netscape and Cisco to cripple security products), and in fact they were still doing it as recently as 2007 when they pressured Sun (without any legal justification that I can see) to omit the crypto accelerator from the GPL'ed source code of the UltraSparc T2.

These things matter to me! I don't want people to be complacent or ignorant of a powerful, shadowy, ill-regulated organization interfering with freedom of speech, freedom of commerce, and democracy! Accusing them of things without evidence only serves to inure people to their real offences.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 16:45 UTC (Thu) by jake (editor, #205) [Link]

> If Jake can tell us from whom he heard this rumor or what else he
> heard about it, then that might help us learn something.

I read it (somewhere) within the last week or so ... as I was writing the article I did some Googling and even poking through my (voluminous) browser history to see if I could find it. The fact that I didn't should probably have made me shy away from saying it.

"It has been said ..." was basically a cop-out ... my apologies ...

If I do come up with a reference I'll post it here.

jake

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 16:03 UTC (Thu) by gmaxwell (guest, #30048) [Link]

The fact of the NSA disrupting the public introduction and even _discussion_ of cryptographic techniques isn't really up for debate. It's stated fairly plainly in their own documents: http://cryptome.org/0001/nsa-meyer.htm

From the horses (formerly top secret) mouth: "NSA hunted diligently for a way to stop cryptography from going public."

Though I've never seen any disclosure specific to the arpanet, it would be a logical consequence of the chilling effect of their academic suppression in other areas even absent direct intervention.

But really... would you have done differently in their shoes?

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 19:32 UTC (Thu) by smoogen (subscriber, #97) [Link]

> There's no logical reason why the NSA's position on this issue would
> change between 1970 and 1990.

Applying Occam's razor without enough facts gets you wrong conclusions. There were many many differences between 1969 ARPAnet and 1994 Internet.

1) ARPAnet was a Cold War research unit where designing new things to help the military was paramount. The NSA at that time was quite aware that designing in security first versus later was important for future military networks. The institutes that were going to connect to ARPAnet were limited and controlled putting in encryption would be easier to secure. The Internet on the other hand was completely different with it already spanning into .su and other places.

2) The politics were completely different in 1970's and the 1990's. In the 1970's ARPAnet was going to be connecting and learning about dealing with network failures in that war with the soviet union any day now. This environment security was more important than Control. In the 1990's the war was over and the US had won.. so control was more important than security.

The simple fact is that encryption is very expensive hardware wise and when your research computers are at best on a partial T1 adding in DES or some other encryption would make it too much for anyone to want to use. Back in the late 1980's we had encryption in our Kerberos systems but most people turned it off because it sucked the living bejezus out of the CPU when you were trying to do a telnet.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 4:29 UTC (Thu) by njs (subscriber, #40338) [Link]

Sounds excellent, but... what's the chance that they'll actually get to use those TCP options? Wasn't the scarcity of those what killed the last attempt at this (Langley's "obfuscated TCP")?

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 9:04 UTC (Thu) by richdawe (subscriber, #33805) [Link] (11 responses)

It's not clear to me how this works with protocols like FTP which embed port-numbers into their commands. For protocols like FTP, I thought NAT devices had to rewrite the data within the protocol.

I'm guessing that FTP-over-tcpcrypt doesn't really work in the presence of NAT devices. How would the NAT device decrypt the data, rewrite FTP commands, and re-encrypt?

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 9:15 UTC (Thu) by ilmari (guest, #14175) [Link] (7 responses)

Seeing as there is no authentication, the NAT device could do a man-in-the-middle "attack" on the control connection and de- and re-encrypt the traffic while rewriting it.

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 13:24 UTC (Thu) by djao (guest, #4263) [Link] (6 responses)

Tcpcrypt supports authentication, it's just not mandatory. This is not the same thing as no authentication. As I wrote in my first comment, I believe mandatory authentication is one of the biggest mistaken design decisions of all time.

But even when using an authenticated connection, tcpcrypt works with NAT. It accomplishes this feat by not encrypting or authenticating the port numbers. This design allows for some attacks (such as traffic analysis on port numbers), but the tradeoff seems to be worth it. The USENIX paper discusses this issue in some detail.

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 13:55 UTC (Thu) by ilmari (guest, #14175) [Link] (5 responses)

Not authenticating or encrypting port numbers still doesn't help when you need to inspect and rewrite port numbers and IP addresses in the payload of the packet, as with FTP (PORT and EPRT commands), IRC (DCC connections) and a whole bunch of other protocols (see the various conntrack modules in netfilter).

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 14:32 UTC (Thu) by djao (guest, #4263) [Link] (4 responses)

I thought my statement was pretty clear, but it seems that I'll have to clarify. Tcpcrypt does not encrypt or authenticate the portions of the TCP header in the IP payload that encode port numbers and IP addresses. Neither does the (optional) authentication portion of tcpcrypt rely on port numbers or IP addresses, which in any case are easily forged. Present-day encryption protocols such as SSL and SSH already work fine over NAT -- there's no inherent reason why NAT is incompatible with strong authentication or encryption.

Besides the conference paper, the protocol has been implemented on Windows/Mac/Linux, and the implementation itself is publicly available on the web site under the GPL. The implementation demonstrably works over NAT, and it works with FTP and IRC and DCC and all those other problem cases that you cite. I suggest taking a look at the working implementation rather than arguing about whether or not the software works.

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 15:31 UTC (Thu) by bboissin (subscriber, #29506) [Link]

See http://en.wikipedia.org/wiki/File_Transfer_Protocol#NAT_a...

some NAT routers modify the TCP *payload* to let active FTP connection work (same for DCC I guess). So if the content is encrypted there's no way for the router to modify the payload.

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 15:50 UTC (Thu) by imitev (guest, #60045) [Link] (2 responses)

I guess what ilmari had in mind is that there are protocols which give indication of port numbers in the *payload*.
In the case of FTP passive, you usually connect to port 21 (control channel), and if you up/down something (or even ls ?) the server replies (in the payload) with "ok, connect to port 12345" ; port 12345 is random and is for the data channel.

Now in the case of NAT, if you want - say - to match RELATED packets with iptables, you need the ftp conntrack helper which will *read* the payload/data for ftp connections (control channel) so that what would be a NEW connection to the data channel on the random port supplied by the ftp server is actually matched by the connection tracking logic, and labelled as RELATED.
Having the headers clear text doesn't help here, you really need to be able to read what's in the payload.

I may be wrong though, it's been a long time I dealt with that stuff.

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 16:02 UTC (Thu) by djao (guest, #4263) [Link]

Right, I didn't think about that. Thanks for the explanation.

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 17:05 UTC (Thu) by imitev (guest, #60045) [Link]

replying to myself: I mentioned NAT but it has nothing to do with matching RELATED connections, I mixed the nat helper and the conntrack helper.
Anyway, in both case you still need to read what's in the payload.

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 9:44 UTC (Thu) by jengelh (subscriber, #33263) [Link]

Incentive to use smarter protocols and programs then. Say, SCTP with its multistream feature, or foo-over-SSH2 transports like rsync does.

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 15:01 UTC (Thu) by sync (guest, #39669) [Link] (1 responses)

Like FTPS it doesn't work with NAT.
You have to use a sane protocol.

FTP with Tcpcrypt vs. NAT

Posted Aug 26, 2010 19:08 UTC (Thu) by RobSeace (subscriber, #4435) [Link]

Or, better yet, go for full sanity by just eliminating NAT... (Yeah, I know, it's not really possible in the current IPv4 world... I can't wait for IPv6, and hope that sounds NAT's death knell once and for good, though...)

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 9:45 UTC (Thu) by jengelh (subscriber, #33263) [Link]

>Tcpcrypt can work through NAT devices, which is something that another lower-layer encryption protocol, IPSec, cannot handle.

Eh? Did they ever hear of udpencap? Port 4500, anyone?

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 13:18 UTC (Thu) by Fowl (subscriber, #65667) [Link] (4 responses)

I've thought that this kind of "opportunistic encryption" should be more pervasive for quite some time now.

I'm wondering how far off actual widespread implementation is - it should be relatively easy to get this into the (Linux) kernel, harder to get it on by default; but I'm left wondering if it'll ever make it into OSX or NT in our lifetimes...

Anyway, indepth articles on topics like this are why I hand over my hard earned student dollars to subscribe *hint* *hint*. =)

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 13:50 UTC (Thu) by Fowl (subscriber, #65667) [Link]

I really should've read the linked pdf before commenting: It seems that already have user space implementations for *nix, BSD and OSX. The integration mechanism looks interesting too.

This is very exciting for me however! Hopefully in the not too distant future, this will make it into mainline and large chunks of internet traffic will start become opaque with almost no one noticing! =)

So I suppose what I was really asking for is more of a political (urgh) view of the situation - what sort of chances this has for general consumption, etc.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 13:52 UTC (Thu) by jackb (guest, #41909) [Link] (2 responses)

Can't you already do opportunistic encryption with IPsec and DNS TXT keys?

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 14:44 UTC (Thu) by djao (guest, #4263) [Link]

You can, but it's unbelievably difficult. To start with, opportunistic encryption is (to my knowledge) not yet a standard part of IPsec. It's a nonstandard extension offered by some implementations, not all of which are compatible. Also, installation and configuration of IPsec is much more intrusive and time-consuming than tcpcrypt. But the biggest problem is that the DNS TXT key needs to go in the reverse DNS zone file. I don't know a single residential ISP that allows customers to add something to their reverse DNS, and even among business ISPs this kind of thing is very rare. So, in practice, opportunistic encryption via IPsec is available only to a very few privileged users, which is not enough to support large-scale deployment or make any measurable difference in the percentage of internet traffic that undergoes encryption.

Transport-level encryption with Tcpcrypt

Posted Aug 26, 2010 17:33 UTC (Thu) by imitev (guest, #60045) [Link]

Even if every provider allowed messing with TXT records, the percentage of people configuring it would be ~0.
As a general rule if you need to configure something then say goodbye to mass usage. If you need to understand DNS TXT and ipsec (and its weird implementation interoperability issues), then say not only goodbye to mass usage, but also to a good amount of sysadmins.

Packaged version?

Posted Aug 26, 2010 18:18 UTC (Thu) by sflintham (guest, #47422) [Link]

Does anyone feel up to knocking up a packaged version of this which starts tcpcryptd and adds the relevant firewall rules on boot? I could probably just about hack it into my startup scripts myself, but I always feel bad doing it (like I'm bound to break something later), and making a proper package always intimidates me...

Admittedly it is a bit pointless right now, but I would quite like to try using this for a while and see if I encounter any breakage or noticeable overhead. I haven't been an early adopter for ages, it might be my turn to suffer for the greater good. :-)

Transport-level encryption with Tcpcrypt

Posted Aug 27, 2010 12:48 UTC (Fri) by intgr (subscriber, #39733) [Link]

I have created an AUR package of tcpcrypt for Arch Linux users: http://aur.archlinux.org/packages.php?ID=40308

This is the user space version, so it's quite foolproof (be careful with it on headless servers though), and surprising how easy it is to deploy.
Just 'makepkg -i' as usual and '/etc/rc.d/tcpcryptd start'. Enjoy! :)