Re: [babel] Babel-MAC: Blake2s is 128-bits by default

Toke Høiland-Jørgensen <toke@toke.dk> Mon, 23 November 2020 10:55 UTC

Return-Path: <toke@toke.dk>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 941613A07F4 for <babel@ietfa.amsl.com>; Mon, 23 Nov 2020 02:55:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=toke.dk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G_2eE58qzBbx for <babel@ietfa.amsl.com>; Mon, 23 Nov 2020 02:55:43 -0800 (PST)
Received: from mail.toke.dk (mail.toke.dk [45.145.95.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C4D83A0603 for <babel@ietf.org>; Mon, 23 Nov 2020 02:55:40 -0800 (PST)
From: Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1606128936; bh=XwfE7BK37qFy5PCWr7Sl2DkDvFnbf5DnJJWiR3OjQ18=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=bAbzk6+w4a1A0eTaMSkiDQo+xkbtd396Tj8oITR3VWC+Ab8TK9hhm6iktPixOyIef 9GqG3ryzV2QQRW1WzfTVcF6UxQN9Y6/bu//Dol+q3SdVhw0LySnq9JIDkFHk0oSPdo Z+rthBU+tLHD+NVbhGwJJsuB1FCBWNBrDu+SfSSjWWswd1arSh+X1y4z28JJzpkC+4 cQ+Dp4MjFRIWfmG9dlXG/vHecO/Ts+45/crAonZ58iK+9wuhNQiY7pckgrDzhn/dGL sw9ZpP4GnOokA+wtMkD58Q0V5iW2p08ZClLE6ktEvRy4ZX5OIDHedatXypJWYSjNpS f11IjNEfCQ48Q==
To: Juliusz Chroboczek <jch@irif.fr>
Cc: babel@ietf.org, Valery Smyslov <valery@smyslov.net>
In-Reply-To: <87o8jvylta.fsf@toke.dk>
References: <87d00qungk.wl-jch@irif.fr> <87h7q2f6a2.fsf@toke.dk> <87o8jya4jz.wl-jch@irif.fr> <87wnyl4dgi.fsf@toke.dk> <878sazh7ge.wl-jch@irif.fr> <87o8jvylta.fsf@toke.dk>
Date: Mon, 23 Nov 2020 11:55:36 +0100
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID: <87o8jomjfb.fsf@toke.dk>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/BKW-IPGtptirbg9zrJhU2nSd2kQ>
Subject: Re: [babel] Babel-MAC: Blake2s is 128-bits by default
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 10:55:52 -0000

Toke Høiland-Jørgensen <toke@toke.dk> writes:

> Juliusz Chroboczek <jch@irif.fr> writes:
>
>>>> Toke and Dave originally suggested adding Blake2s to Babel-HMAC [...]
>>
>>> Note sure that I quite agree with your history here,
>>
>> It's quite likely I got it wrong, sorry if that's the case.
>>
>>> I'm not actually opposed to 128-bit signatures per se, although I would
>>> be more comfortable if someone with a crypto background could weigh in
>>> with an opinion on this.
>>
>> Valery, perhaps you could help?
>>
>>>> 1. Toke agrees to switch to 128-bit Blake2s signatures;
>>
>>> I think what would happen is that Bird would support both.
>>
>> Ok.
>>
>> You didn't address the most important question: do you agree with modifying
>> the RFC-to-be so that the SHOULD applies to 128-bit signatures, and
>> clarifying the information model that the "Blake2s" algorithm implies
>> 128-bit signatures?
>
> I asked my go-to crypto guy who assured me that 128 bits is sufficient
> for this use case. So no objections from me :)

This does raise one question, though (as I just found out while
implementing the option for a 128-bit version): How does this impact the
recommendations for key size? I've been restricting the key size to
always be equal to the output size, so does this also imply that the key
size recommendation should change to 16 bytes?

-Toke