IETF Logo Mail Archive

Re: [babel] babel-hmac: key requirements

Markus Stenberg <markus.stenberg@iki.fi> Sat, 12 January 2019 14:05 UTC

Return-Path: <fingon@kapsi.fi>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 511201274D0 for <babel@ietfa.amsl.com>; Sat, 12 Jan 2019 06:05:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kapsi.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XMQBQE5mtW2I for <babel@ietfa.amsl.com>; Sat, 12 Jan 2019 06:05:08 -0800 (PST)
Received: from mail.kapsi.fi (mail.kapsi.fi [IPv6:2001:67c:1be8::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A986C124BAA for <babel@ietf.org>; Sat, 12 Jan 2019 06:05:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kapsi.fi; s=20161220; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date: In-Reply-To:From:Subject:Mime-Version:Content-Type:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=JeMSACFu77HBmCH+hkUh+2NPznOxxy3InySsp5w1sAc=; b=vDkkTjn7uRCG3W7PTksun4yNPN 8XK8O3R1b+j/jGqYuz86w+s13E0t+vdI4KL8XvhJpKuHte0ebSajrZsmtPpvPHARXCx8pCbUC/g// kK6PK7351RJuHDtHcGeadGWbbkdNNwZJltpGdUxuAxaQ8j19QxThYfG+ziqSqLSlhRzBH8wwab9kQ jMCXZfTr5/8qOr2vt4mr98A1W9936RCry1uU5kCbdC/AKomHnK2A/v5MgMv9leW17njizccWpCzCx kWB83GwxcXYm92xdbvNH2UtYOzTb86J/bP+HxAhK6sOhS69lMM8g/mds3Q96THWa5j9M6AgLC5oqp +8JOeiwg==;
Received: from 91-155-69-202.elisa-laajakaista.fi ([91.155.69.202] helo=himawari.lan) by mail.kapsi.fi with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <markus.stenberg@iki.fi>) id 1giJuK-0007ic-HL; Sat, 12 Jan 2019 16:05:04 +0200
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Markus Stenberg <markus.stenberg@iki.fi>
In-Reply-To: <874laevyy4.wl-jch@irif.fr>
Date: Sat, 12 Jan 2019 16:05:04 +0200
Cc: BARBARA H STARK <bs7652@att.com>, Babel at IETF <babel@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A2C6A38B-FD48-4C4B-BC7D-48A56996C95E@iki.fi>
References: <2D09D61DDFA73D4C884805CC7865E6114DF96321@GAALPA1MSGUSRBF.ITServices.sbc.com> <874laevyy4.wl-jch@irif.fr>
To: Juliusz Chroboczek <jch@irif.fr>
X-Mailer: Apple Mail (2.3445.102.3)
X-SA-Exim-Connect-IP: 91.155.69.202
X-SA-Exim-Mail-From: markus.stenberg@iki.fi
X-SA-Exim-Scanned: No (on mail.kapsi.fi); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/ZkzEgrxAJoDGP0gapREI2EbjFPE>
Subject: Re: [babel] babel-hmac: key requirements
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jan 2019 14:05:11 -0000

On 12.01.2019, at 14.32, Juliusz Chroboczek <jch@irif.fr> wrote:
>> I've also discovered that the HMAC RFC (RFC 2104) says:
> 
> Both of these look extremely naive to my untrained eyes (and 2104 is
> confusing).  Better approaches include:
> 
>  - drawing the key randomly before distribution (RFC 4086);
>  - using a proper KDF to derive a key from a passphrase (see e.g. RFC 5869).
> 
> As mentioned above, the key generation should happen offline, and is
> therefore out of scope for this draft.

+1.

If one really cares about security, few bytes of ASCII is not really what you want to use as key; ideally, very close to random bits, and plenty of them.

One way of sourcing them is by deriving them from passphrase using some computation which is hard to brute-force though, so even if I use password 'Markus rul3s', someone is unlikely to bother trying to bruteforce it and the clever 3 is sufficient as a security mechanism if it takes (say) minute per attempt on modern CPU.

e.g. RFC5869 is a good starting point (or its SHA-2 application in RFC6234).

>> My preference is that we have something in the HMAC draft, not too much
>> unlike the OSPF text.
> I disagree.  RFC 5709 is very naive, if a key is generated from user
> input, that should be done offline, and using a proper KDF, not the naive
> procedure described in 5709.

+1.

All the classic 'let's HMAC and call it done' mechanisms are completely obsolete as security mechanisms, unless the input to HMAC is in and of itself pseudorandom garbage of sufficient length and not passphrase in the first place.

Disclaimer: These are 'old school' recommendations, current KDF state of the art is bit different IIRC but even these are much better than the good old IETF standard (toss MD5 in), or 'modern-ish' IETF standard (toss HMAC-SHA in) way.

Draft should possibly state that if passphrases are used, KDF of SOME SORT should be used, but the actual KDF is IMHO implementation matter and as long as all implementations can be configured with same bytes that come out of KDF they would interoperate.

Cheers,

-Markus

v2.23.0 | Report a Bug | By Email