IETF Logo Mail Archive

Re: [babel] info-model: preparing -09 on github

David Schinazi <dschinazi.ietf@gmail.com> Thu, 15 August 2019 22:56 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0242E1200F1 for <babel@ietfa.amsl.com>; Thu, 15 Aug 2019 15:56:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DH3tw0-WeqJr for <babel@ietfa.amsl.com>; Thu, 15 Aug 2019 15:56:40 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C4731200E7 for <babel@ietf.org>; Thu, 15 Aug 2019 15:56:40 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id x18so3657937ljh.1 for <babel@ietf.org>; Thu, 15 Aug 2019 15:56:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=O4hw2HdOUAdicILTKSm7n/yaTq+QHrNZJtlVW99QmNM=; b=RfZrwu1euclxzlOq++SQsU1U/geEzaP6TJC0P3TyCvgkafHjhq1T8V2E3IIbHoXPy+ Nx+9QMi/whC8FVbzBf+ZEDW+LOgMjHpW5Fi2WimBwqguTxkqpPDMEMcppI1hj4opumib +GRjcQWyzVlvQLD5CR1D7LmRoU3fR9guUskslEFKKLHNu+BE6E7ufP128kaUp/Ovsa4d PZFqZ6zCMfUQA9vYk7mbEspHkGGIVGYrfIADjvKKhwxcHFWbLfAPE1EV1pjSdCgunfnJ +kaWW//TPYCBKK9BmEK6XdYOkDfFMwXpilEBSq45vLM5hOi5ND8YrpSm2oUL66AaQ8JE XInQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=O4hw2HdOUAdicILTKSm7n/yaTq+QHrNZJtlVW99QmNM=; b=QhvBrZX/ojMak+psjFCe8sFdHmirxh8UMzxTjRt4bd8FPbvEI7k4GrmRMmgibSYSEs hg4sLpoKDEXYSMbEOdb2jdGP6DgNxQJ5rnLfZUfzjz8OqX8ARgKmaT4YA+p9eHUNF7l3 piE4aky4cZu7rvSI4xunOpE0jANdqg+xeAhPByD7MVVhSJBLUviv5laSKPTq2zuEtoo/ sD2UM/M9VhaqH6yv/E/iBs2MoUxcan81fLy4iUEs/ptCMCCSbJyfj9hliOKIrCeLGAQQ ByDob6UL3EgkIad66vlyOon+mpfw+JYUoOLqYZ6qEQZLxD5Y0GjmbLLhdKBsg5NkJxMF cM+g==
X-Gm-Message-State: APjAAAUaoqSggrUaJWYjqGPDch7Pl5nVIlTidwHa+N8kvbR9TFLJ5ez5 KkCWywKGWvgl/XLWsena2l0ez67bse7UwMGQXWE=
X-Google-Smtp-Source: APXvYqzPS3uftFNdmPK+zLU5XtppHRHOsG3PH/Tfj8SNXk78mNYATNKzhF/0DvUBl6e1WI/SUxNiqnGZfO3xeaFOLFg=
X-Received: by 2002:a2e:81c3:: with SMTP id s3mr3922241ljg.70.1565909798445; Thu, 15 Aug 2019 15:56:38 -0700 (PDT)
MIME-Version: 1.0
References: <2D09D61DDFA73D4C884805CC7865E6114E2694DE@GAALPA1MSGUSRBF.ITServices.sbc.com> <87ftm3u0a6.wl-jch@irif.fr> <2D09D61DDFA73D4C884805CC7865E6114E269981@GAALPA1MSGUSRBF.ITServices.sbc.com> <87blwrtudx.wl-jch@irif.fr> <2D09D61DDFA73D4C884805CC7865E6114E275E65@GAALPA1MSGUSRBF.ITServices.sbc.com> <CAPDSy+4+46nUbUF=C-U1Jvw2QDZMRZ9-vXrRVwh71y8ne6e0Mg@mail.gmail.com> <2D09D61DDFA73D4C884805CC7865E6114E27796E@GAALPA1MSGUSRBF.ITServices.sbc.com>
In-Reply-To: <2D09D61DDFA73D4C884805CC7865E6114E27796E@GAALPA1MSGUSRBF.ITServices.sbc.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Thu, 15 Aug 2019 15:56:27 -0700
Message-ID: <CAPDSy+79ZOf6fywMmetXn-e+L9LazGaFCO6X=apu7NeDwa9sNw@mail.gmail.com>
To: "STARK, BARBARA H" <bs7652@att.com>
Cc: "babel@ietf.org" <babel@ietf.org>, Juliusz Chroboczek <jch@irif.fr>
Content-Type: multipart/alternative; boundary="00000000000049657805902fc920"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/fX__oK2J-JpBcfXPbc_hmBNwUJk>
Subject: Re: [babel] info-model: preparing -09 on github
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2019 22:56:44 -0000

If we're considering adding restrictions specific to Babel (and/or the info
model), I think we should take a principled approach. What fundamental
principles are we using to decide these restrictions? If we allow a 1-byte
key but disallow a 65-byte key, then the principle we're after is not
improving security?

On Thu, Aug 15, 2019 at 2:46 PM STARK, BARBARA H <bs7652@att.com> wrote:

> I disagree.
>
>
>
> The HMAC specs (RFC2104) says:
>
>    Applications that use keys longer
>
>    than B [block size] bytes will first hash the key using H and then use
> the
>
>    resultant L [hash output size] byte string as the actual key to HMAC.
> In any case the
>
>    minimal recommended length for K is L bytes (as the hash output
>
>    length). See section 3 for more information on keys.
>
> and from section 3
>
>    The key for HMAC can be of any length (keys longer than B bytes are
>
>    first hashed using H).  However, less than L bytes is strongly
>
>    discouraged as it would decrease the security strength of the
>
>    function.  Keys longer than L bytes are acceptable but the extra
>
>    length would not significantly increase the function strength. (A
>
>    longer key may be advisable if the randomness of the key is
>
>    considered weak.)
>
>
>
> In this language, there is no requirement for applications using HMAC to
> accept (or be able to use) keys longer than B bytes. The two statements do
> say what must happen **if** a key longer than B bytes is provided. But if
> Babel wants to restrict keys to no more than B bytes, that is well within
> Babel’s purview to do so. RFC2106 very clearly tells applications get to
> decide what to use.
>
>
>
> The other thing I get from this, though, is that it’s recommended to have
> at least L bytes for an HMAC key (L = 32 for SHA-256). I think we should
> reflect this recommendation. We could do it either with a “SHOULD” or
> “MUST” be at least the output hash length (not set the minimum at 0). I see
> no reason not to upgrade that to a MUST for Babel, if we want. [It’s always
> ok to be stricter than a referenced spec (e.g., change SHOULD to MUST) –
> it’s just not ok to do or allow something that violates a requirement from
> the spec (e.g., change MUST to SHOULD).] I think at least a MUST be at
> least 8 bytes” with a “SHOULD be at least the output hash length” would be
> good for HMAC. It’s also ok for the information model to be stricter than
> the babel-hmac implementation.
>
>
>
> Blake2s does specifically allow zero-length keys – though I don’t know how
> advisable that is in a Babel usage scenario. I don’t know when key length
> of 0 is useful. But there is definitely nothing that prevents us from being
> stricter, if we wanted to insist on a key longer than 0. Again, this
> strictness can be in info-model only and doesn’t have to be reflected in
> babel-hmac.
>
>
>
> I do need some maximum size on the parameter (independent of key
> algorithm) – so it won’t be unlimited length, anyway. I’m thinking 128
> bytes as an absolute upper limit at this time.
>
> Barbara
>
>
>
> According to RFC 7693, Blake2s keys must be of length kk where 0 <= kk <=
> 32. So having the info model dictate that keys MUST follow that is
> perfectly reasonable to me.
>
>
>
> However, according to RFC 6234, HMAC-SHA-256 allows all key lengths kk
> where 0 <= kk. I don't think the information model should express an
> opinion as to whether keys longer than 64 bytes are safe or not. If we
> choose to add that distinction we'll need to justify why we think the key
> hashing is unsafe, and I don't think there is an RFC we can cite for that.
>
>
>
> So going back to Juliusz's listed options in the other thread <
> https://mailarchive.ietf.org/arch/msg/babel/QlvsPB9yYFPTPwQxaLcWIN3Hl2Y
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_msg_babel_QlvsPB9yYFPTPwQxaLcWIN3Hl2Y&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=LoGzhC-8sc8SY8Tq4vrfog&m=r4dKW0HNSrjNPXdXIdJ_3kGc3XrRIxdBac60Dua9F9Q&s=hcwi5QDwG7wq96cE5vUbJ6LYJ0mNn6p0iGstPoskzO8&e=>>,
> I would argue for option 3 "bureaucratic" because it follows the design
> principle "The Babel WG does not make security decisions, we follow what
> RFCs tell us".
>
>
>
> David
>
>
>
> On Thu, Aug 15, 2019 at 9:58 AM STARK, BARBARA H <bs7652@att.com> wrote:
>
> > > Is this suggesting that it's ok for info-model to provide babel-hmac
> > > with any value between 0 and 64 bytes in length for HMAC-SHA256 or
> > > between 0 and 32 bytes in length for Blake2s and babel-hmac can be
> > > expected to zero-pad? Or are you still expecting info-model to do the
> > > zero-padding before providing to babel-hmac?
> >
> > The former.  You give me anything between 0 and 32/64, and I deal with
> it.
>
> Cool. Then from a purely info-model perspective, it sounds like the
> key-value parameter length constraints are:
>
>   This value is of a length suitable for the associated
>   babel-mac-key-algorithm.  If the algorithm is based on the HMAC
>   construction, the length MUST be between 0 and the block size of the
>   underlying hash inclusive (where "HMAC-SHA256" block size is 64 bytes
>   as described in {{RFC4868}}).
>   If the algorithm is "BLAKE2s", the length MUST be between 0 and 32 bytes
>   inclusive, as described in {{RFC7693}}.
>
> Anything complying with info-model won't supply anything longer than the
> identified max length.
> A babel-hmac implementation may get something as short as zero length, but
> will be expected to deal with it. Info-model doesn't care and doesn't need
> to know what "deal with it" means.
> For HMAC and Blake2s algorithms, "deal with it" means hmac-babel will
> zero-pad shorter strings, because that's what the algorithm RFCs say to do
> (and not because babel-hmac has any extra requirements going beyond the
> algorithm specs).
> Info-model won't send strings longer than the indicated length. If there
> is a UI to info model that accepts a longer string, hashes it, and then
> info-model provides the hashed value, that is what it is. Neither
> info-model nor babel-hmac care or know or need to know about this.
> If a babel-hmac implementation does have special handling for longer
> strings, that's fine, too. But a value coming from info-model will never
> trigger this special code.
> Does that sound right?
> Barbara
>
> _______________________________________________
> babel mailing list
> babel@ietf.org
> https://www.ietf.org/mailman/listinfo/babel
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_babel&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=LoGzhC-8sc8SY8Tq4vrfog&m=r4dKW0HNSrjNPXdXIdJ_3kGc3XrRIxdBac60Dua9F9Q&s=5hUNj6-VdzK_NqcP_jOOoRJuQ_W388v5YT6Zl2RqxDg&e=>
>
>

v2.23.0 | Report a Bug | By Email