[babel] Babel-MAC: Blake2s is 128-bits by default

Juliusz Chroboczek <jch@irif.fr> Fri, 06 November 2020 22:31 UTC

Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 883493A0DDA for <babel@ietfa.amsl.com>; Fri, 6 Nov 2020 14:31:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L2Zoa33J4WyF for <babel@ietfa.amsl.com>; Fri, 6 Nov 2020 14:31:42 -0800 (PST)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 697253A0DDB for <babel@ietf.org>; Fri, 6 Nov 2020 14:31:36 -0800 (PST)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id 0A6MVQUi022411; Fri, 6 Nov 2020 23:31:26 +0100
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 4F970122AA3; Fri, 6 Nov 2020 23:31:26 +0100 (CET)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id Yp2hEP28Jgk3; Fri, 6 Nov 2020 23:31:24 +0100 (CET)
Received: from pirx.irif.fr (82-64-141-196.subs.proxad.net [82.64.141.196]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 6620A122AA1; Fri, 6 Nov 2020 23:31:23 +0100 (CET)
Date: Fri, 06 Nov 2020 23:31:23 +0100
Message-ID: <87d00qungk.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: babel@ietf.org
Cc: Valery Smyslov <valery@smyslov.net>, Donald Eastlake <d3e3e3@gmail.com>, Barbara Stark <bs7652@att.com>, Toke =?ISO-8859-1?Q?H=F8iland-J=F8rgense?= =?ISO-8859-1?Q?n?= <toke@toke.dk>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/27.1 Mule/6.0
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Fri, 06 Nov 2020 23:31:26 +0100 (CET)
X-Miltered: at korolev with ID 5FA5CEBE.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5FA5CEBE.000 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5FA5CEBE.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/FvFYHMHwUndg_to33Shn9GSAeSU>
Subject: [babel] Babel-MAC: Blake2s is 128-bits by default
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Nov 2020 22:31:45 -0000

Dear all,

We've had a discussion with Barbara and Toke today, and we've come to the
conclusion that there is an oversight in draft-ietf-babel-hmac-12.  In
Section 4.1, we say

   Every implementation MUST implement HMAC-SHA256 as defined in [RFC6234]
   and Section 2 of [RFC2104], SHOULD implement keyed BLAKE2s [RFC7693],
   and MAY implement other MAC algorithms.

As Valery Smyslov noted, BLAKE2s is able to produce hashes of any size
between 1 and 32 octets (8 and 256 bits).  However, both implementations
of Babel-MAC only ever produce 16-octet BLAKE2s hashes.  This is done for
the following reasons:

  - Babel-MAC is not believed to be vulnerable to collision attacks, hence
    128 bits is believed to be large enough;

  - BLAKE2s is intended as a more lightweight alternative to SHA2-256,
    which is the recommended algorithm if 128-bit hashes are believed to
    not be sufficient.

However, the digest size is not indicated in the draft.  Therefore, in
order to align the draft with implementation practice, I am asking the
list's permission to clarify the draft by changing the paragraph cited
above to say:

   Every implementation MUST implement HMAC-SHA256 as defined in [RFC6234]
   and Section 2 of [RFC2104], SHOULD implement keyed BLAKE2s [RFC7693]
   with 16-octet (128-bit) hashes, and MAY implement other MAC algorithms
   and hash sizes.

Donald, assuming nobody objects to the above, what is the right point at
which to request this clarification?  AUTH48?  Or publish an erratum just
after the RFC goes out?

Sorry for the oversight, and thanks for everyone's help,

-- Juliusz