IETF Logo Mail Archive

Re: [babel] info-model: preparing -09 on github

Juliusz Chroboczek <jch@irif.fr> Fri, 16 August 2019 15:03 UTC

Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8461E12008D for <babel@ietfa.amsl.com>; Fri, 16 Aug 2019 08:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c25rJlxnvW-L for <babel@ietfa.amsl.com>; Fri, 16 Aug 2019 08:03:53 -0700 (PDT)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3905E120047 for <babel@ietf.org>; Fri, 16 Aug 2019 08:03:53 -0700 (PDT)
Received: from potemkin.univ-paris7.fr (potemkin.univ-paris7.fr [IPv6:2001:660:3301:8000::1:1]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id x7GF2qwX029023 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 16 Aug 2019 17:02:52 +0200
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by potemkin.univ-paris7.fr (8.14.4/8.14.4/relay2/82085) with ESMTP id x7GF2p2s025221; Fri, 16 Aug 2019 17:02:52 +0200
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 786CD568A3; Fri, 16 Aug 2019 17:02:54 +0200 (CEST)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id KWI4QiiX3L6c; Fri, 16 Aug 2019 17:02:53 +0200 (CEST)
Received: from pirx.irif.fr (82-64-141-196.subs.proxad.net [82.64.141.196]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id B2B08568A0; Fri, 16 Aug 2019 17:02:51 +0200 (CEST)
Date: Fri, 16 Aug 2019 17:02:51 +0200
Message-ID: <87pnl5i25g.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: "STARK, BARBARA H" <bs7652@att.com>, "babel@ietf.org" <babel@ietf.org>
In-Reply-To: <CAPDSy+4+46nUbUF=C-U1Jvw2QDZMRZ9-vXrRVwh71y8ne6e0Mg@mail.gmail.com>
References: <2D09D61DDFA73D4C884805CC7865E6114E2694DE@GAALPA1MSGUSRBF.ITServices.sbc.com> <87ftm3u0a6.wl-jch@irif.fr> <2D09D61DDFA73D4C884805CC7865E6114E269981@GAALPA1MSGUSRBF.ITServices.sbc.com> <87blwrtudx.wl-jch@irif.fr> <2D09D61DDFA73D4C884805CC7865E6114E275E65@GAALPA1MSGUSRBF.ITServices.sbc.com> <CAPDSy+4+46nUbUF=C-U1Jvw2QDZMRZ9-vXrRVwh71y8ne6e0Mg@mail.gmail.com>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]); Fri, 16 Aug 2019 17:02:52 +0200 (CEST)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (potemkin.univ-paris7.fr [194.254.61.141]); Fri, 16 Aug 2019 17:02:52 +0200 (CEST)
X-Miltered: at korolev with ID 5D56C59C.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-Miltered: at potemkin with ID 5D56C59B.001 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5D56C59C.000 from potemkin.univ-paris7.fr/potemkin.univ-paris7.fr/null/potemkin.univ-paris7.fr/<jch@irif.fr>
X-j-chkmail-Enveloppe: 5D56C59B.001 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5D56C59C.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Score: MSGID : 5D56C59B.001 on potemkin.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/gBzpa220A49aGV3iiASiNzaEddg>
Subject: Re: [babel] info-model: preparing -09 on github
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2019 15:03:55 -0000

Barbara suggested:

> This value is of a length suitable for the associated
> babel-mac-key-algorithm.  If the algorithm is based on the HMAC
> construction, the length MUST be between 0 and the block size of the
> underlying hash inclusive (where "HMAC-SHA256" block size is 64 bytes as
> described in {{RFC4868}}).  If the algorithm is "BLAKE2s", the length
> MUST be between 0 and 32 bytes inclusive, as described in {{RFC7693}}.

I fully support this formulation.

David commented:

> However, according to RFC 6234, HMAC-SHA-256 allows all key lengths kk where 0
> <= kk. I don't think the information model should express an opinion as to
> whether keys longer than 64 bytes are safe or not.

What is suggested by 6234 is to hash longer keys.  By doing that, we'd be
implying that Babel-HMAC is suitable for use with a human-entered
keyphrase.  Since Babel-HMAC is trivially vulnerable to brute-force
attacks, this is not a good idea.  (I'll add a few words on this subject
to the security considerations of Babel-MAC.)

Ideally, Babel-HMAC should be used with a randomly drawn key.  In this
case, the person drawing the key can draw a key of arbitrary length, and
32 bytes is a good choice for both algorithms.  (Using a key larger than
the hash size, while technically possible, does not increase security to
my knowledge.)

If use of a passphrase is desired, then the key should be derived using
a KDF that makes brute-force attacks difficult, such as PBKDF2 or bcrypt.
In that case, the original passphrase should be kept on a secure host
(e.g. the network administator's carefully secured laptop), and only the
resulting key be communicated through the management interface.  Since key
derivation functions are parametrisable in the size of the output key, the
hashing procedure described for HMAC is not used.

Finally, our goal is to get these protocols deployed by real people; thus,
we should not forbid the use of short keys for testing.  A UI should
perhaps display a warning for a key with low entropy (either a short key
or a key that contains multiple repeated strings, e.g. 123412341234...),
but it should not prevent if from being used.

In conclusion, Barbara's formulation above suits me.  If you wish to
change it, please preserve the two following properties:

  - make it clear that it's a key, not a passphrase;
  - allow short keys.

-- Juliusz

v2.23.0 | Report a Bug | By Email