[babel] Babel-MAC: key size and digest size
Antonin Décimo <antonin.decimo@gmail.com> Fri, 27 December 2019 19:46 UTC
Return-Path: <antonin.decimo@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A763D1200E5 for <babel@ietfa.amsl.com>; Fri, 27 Dec 2019 11:46:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Da2HzBwKGGxC for <babel@ietfa.amsl.com>; Fri, 27 Dec 2019 11:46:27 -0800 (PST)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3C7712006F for <babel@ietf.org>; Fri, 27 Dec 2019 11:46:26 -0800 (PST)
Received: by mail-ot1-x32d.google.com with SMTP id w21so29679785otj.7 for <babel@ietf.org>; Fri, 27 Dec 2019 11:46:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=dJMq9DbrS1oj7+RGOt6hDj4mjWUpdFzT6DiQpAUgw7o=; b=Idd5k3hMBQjvof7NWt+chvIaeh8oj6Kozt+tmTNRlXdflzxltV+XQbocTCDmjiDQ0L hJu63Cc0D3LiLjwldHLJAQ5Imt4+G5lZfvmaHhJL10f6O7usvfEkJV+ZPNlhIRdaD/FU 8v6yKRffzUw0XuTtByFn4AkzfN+NKc5G5+EPo2N0sHQOHR+yONH+j42nDx99ARI1Otfs +glSp7xxRQk8yndl9HSqKZZQuqdciRaHy1TDPNjXfSzpDepo5xgSZ+Jg/OebiuFnsK1Z wJ/yfk1mNa8q9oR7naDGAK3X3Hyvj29zYearH8LjX3SpSguJhxxegEptBPXqb0wZ7U+B XCpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=dJMq9DbrS1oj7+RGOt6hDj4mjWUpdFzT6DiQpAUgw7o=; b=j8NmuZWOhYyRG75QAYckuvsAG31eqigBwWzK14rxYGDi0xIhIpkINTNnCQVosxqP9A 4ZhHYjNR25uDPcsAAzNj7lqNijTqNbnrl3HhdLMJT2GvvqUPkSBaQygv3szwTcbqGdEx e2WBApsF+NBPXn3Y0a5N40S5JczH8zIIzHHwUY7U6sB237nlyiaqvmCk55Q18avuO1hY xJKJhSON508O5Iw0eFS7sMy3R3tB0EH8yLpUj8Zl1iuwk/m97iLypMJHkXGBcsOxrhDe e/4d7vtzCHLBiDmrPfCjYvIFndNLJ6OaMRHZkAF12Yu0Hnv/H8ofJmyreVl7x8ahl45w l6dg==
X-Gm-Message-State: APjAAAVXXr6qDxyL1FpsCBF60J7nBq7fBw81+Z+Xl0i9PNJ065Y9svAv ZDyF50S/Qe1lq1QK85aK8Zdj/xnQJZ9uIxZ7v01UgFTJ
X-Google-Smtp-Source: APXvYqw7aBbYLs2sT5OJgwLr58cTlEUG7BDWO4P5+2Yrxjrfl4Adr+HQAmi4f8UDsw0/COnTH6oA9ljzRgvJC7K1RKo=
X-Received: by 2002:a05:6830:1f89:: with SMTP id v9mr55709553otr.90.1577475985971; Fri, 27 Dec 2019 11:46:25 -0800 (PST)
MIME-Version: 1.0
From: Antonin Décimo <antonin.decimo@gmail.com>
Date: Fri, 27 Dec 2019 20:46:31 +0100
Message-ID: <CAC=54BL7Be5joBChiO1e=1nB7QpY8Ozx3qwDMUzEpDp2noWD3A@mail.gmail.com>
To: Babel at IETF <babel@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/W3DFlCMflZk9Pp844XKEGL0FNsE>
Subject: [babel] Babel-MAC: key size and digest size
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Dec 2019 19:46:30 -0000
Dear all, After working a bit on the MAC authentication for Babel implementation in babeld, I think that the draft need clarification on two points: 1. Key size The draft reads: §7 > Ideally, they should have a length of 32 octets (both for > HMAC-SHA256 and Blake2s) Other RFCs state: - https://tools.ietf.org/html/rfc2104#section-3 > However, less than L [hashing function block size] bytes is > strongly discouraged as it would decrease the security strength of > the function. - https://tools.ietf.org/html/rfc4868#section-2.1.2 SHA256 has a block size of 64 octets (see RFC6234, search SHA256_Message_Block_Size). Blake2s key length is 0 <= kk <= 32 (see https://tools.ietf.org/html/rfc7693#section-2.1) HMAC algorithms deal with shorter keys by padding them with zeroes up to some size, and with longer keys by hashing them first. I suggest we rephrase the draft to state that key length should ideally be the maximum key length advertised by the hashing algorithm, which for Blake2s is explicitly 32 octets, or no less than the block size of the hashing algorithm which is 64 octets for SHA256. 2. Digest size The length of the digest (= the MAC) produced by Blake2s may be configured. Blake2s: 1 <= nn <= 32 For instance, the API of the reference implementation let the programmer ask for specific digest length (outlen parameter). // Initialize the hashing context "ctx" with optional key "key". // 1 <= outlen <= 32 gives the digest size in bytes. // Secret key (also <= 32 bytes) is optional (keylen = 0). int blake2s_init(blake2s_ctx *ctx, size_t outlen, const void *key, size_t keylen); The MAC TLV §6.1 is composed by the length L of the digest, followed by the digest D. On reception of a packet, D must be validated. A logical thing to do is to compute a digest of length L with Blake2s. The draft does not explicitly state that the checking code must use L for the digest length, and not say, the maximum digest length. We may conservatively assume that if two digests D1 and D2 of length L1 < L2 are computed from the same message, D1 won't necessarily be a prefix of D2. Now, suppose that we allow digests of various length for the same hashing algorithm. What happens when we receive a MAC TLV of length 0? Or what if an attacker captures a packet, tampers with it, removes all MAC TLVs, and adds 256 MAC TLVs of length 1 with all 256 possible digest values? A least one MAC would be accepted, and the overhead is only 3*256=768 octets. If I am not mistaken this breaks the first assumption of the protocol §1.2: > that the Message Authentication Code (MAC) being used is > invulnerable to pre-image attacks, i.e., that an attacker is unable > to generate a packet with a correct MAC without access to the secret > key; Short digest lengths should not be allowed; a fix could be that the draft explicitly states that only digests of the maximum (or a predefined) length for each hashing algorithm should be send and checked on reception. Cheers! -- Antonin
- [babel] Babel-MAC: key size and digest size Antonin Décimo
- Re: [babel] Babel-MAC: key size and digest size Antonin Décimo
- Re: [babel] Babel-MAC: key size and digest size Donald Eastlake