Re: [babel] info model: rehashing hashing

Toke Høiland-Jørgensen <toke@toke.dk> Tue, 02 March 2021 23:27 UTC

Return-Path: <toke@toke.dk>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FB4F3A1450 for <babel@ietfa.amsl.com>; Tue, 2 Mar 2021 15:27:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=toke.dk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z3PoMM7RUnz6 for <babel@ietfa.amsl.com>; Tue, 2 Mar 2021 15:27:51 -0800 (PST)
Received: from mail.toke.dk (mail.toke.dk [45.145.95.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A4813A142F for <babel@ietf.org>; Tue, 2 Mar 2021 15:27:51 -0800 (PST)
From: Toke Høiland-Jørgensen <toke@toke.dk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1614727666; bh=xTdLIZmTL/kZ8nUH4W51vC7BXwXoPFrBS/OSbzceKRI=; h=From:To:Subject:In-Reply-To:References:Date:From; b=AMEE7nMDzkZWCGKnDWLRcVUUNPRSy62KLrYQyY5PDoTDZeyzp/W2eFrtH9SEPF9jE qlnoHp1QnxDt3L4gHturviIvFADy94XJ+rv68necCGu+PiAJ6e3W5IExeukmVMKm/x lEQQa/eK37KCtPXWqBULDwmk6x8AnvIH5YusrGR5z69ncLUrI1FzjWOTTOu2s7IgPx rMBZa8AEYY5wecC3k9HNMjxTWspf1lFefzYgn7OKOmMcg54LFl5y9AW3RdLh4u+s0B IYDylt1LCpB60sd4DBSb7xiuMJG/5s/ANn8itn1GJogLY1yYALqL/LpG/7yp/naB9i UL4WTJCvlhZoA==
To: "STARK, BARBARA H" <bs7652@att.com>, "'babel@ietf.org'" <babel@ietf.org>
In-Reply-To: <DM6PR02MB69245CB8DA35FC044907AF94C3999@DM6PR02MB6924.namprd02.prod.outlook.com>
References: <DM6PR02MB69245CB8DA35FC044907AF94C3999@DM6PR02MB6924.namprd02.prod.outlook.com>
Date: Wed, 03 Mar 2021 00:27:45 +0100
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID: <87h7ltt9u6.fsf@toke.dk>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/gP1SAV_JFHO43QgY4AG0VLA6P1A>
Subject: Re: [babel] info model: rehashing hashing
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 23:28:00 -0000

"STARK, BARBARA H" <bs7652@att.com> writes:

> Hi Babel,
>
> The WG had 2 extensive discussions around configuring keys for MAC
> algorithms. First in January 2019 and then in August 2019. The
> language in the info-model draft reflects the consensus we reached
> after the August 2019 discussion:
>
>    babel-mac-key-value:  ...  This
>       value is of a length suitable for the associated babel-mac-key-
>       algorithm.  If the algorithm is based on the HMAC construction
>       [RFC2104], the length MUST be between 0 and the block size of the
>       underlying hash inclusive (where "HMAC-SHA256" block size is 64
>       bytes as described in [RFC4868]).  If the algorithm is "BLAKE2s-
>       128", the length MUST be between 0 and 32 bytes inclusive, as
>       described in [RFC7693].
>
> Ben Kaduk is pushing back on this. I've included our conversation, at
> the bottom. 4 "> > > >" or a single ">" precede my comments and
> nothing, 2 "> >", or 5 "> > > > >" precede Ben's. But to summarize the
> comment that concerns me most, he says the restriction on keys for
> HMAC-based algorithms to be less than the block size will not be short
> enough to avoid the problem we saw with the Bird implementation using
> OSPF code (which calculates the cryptographic key for long
> "Authentication Key" per OSPF RFC 5709 and not HMAC RFC 2104).
>
> Here is that specific part of the conversation:
> -------------------------------------

Couple of comments on this:

>> The Bird (language) implementation of Babel used existing code for
>> OSPF. That code was designed according to RFC 5709, which will hash
>> any "Authentication Key" (K) longer than the length of the hash (L)
>> to create a cryptographic key (Ko) that is exactly L octets long.
>> 
>> What RFC 5709 describes is different than what RFC 2104 (HMAC)
>> describes. RFC 2104 says to create a hash of the authentication key
>> (K) if it is longer than the block size of the hashing algorithm (B).
>> For SHA-256, B != L. Therefore, using RFC 5709 will get a different
>> value for the cryptographic key than RFC 2104, for authentication key
>> length between L and B. This difference was noted in RFC5709 errata.
>> RFC 7166 updated RFC 6506 wrt this. But RFC 7166 didn't update RFC
>> 5709. RFC 7474 updated RFC 5709 and kept the L boundary. We looked at
>> the Bird library code which does indeed do the calculation according
>> to RFC 5709.

This is not accurate wrt the Bird code. The relevant bit is here:

https://gitlab.nic.cz/labs/bird/-/blob/master/lib/mac.c#L105

It's hashing keys longer than the block length, not the output length,
which is not what RFC5709 says (unless I'm misreading something).

>> Fortunately, there is great consistency among the various RFCs around
>> zero-padding short authentication keys.
>> 
>> Furthermore, the Bird implementation allowed the key to be provided
>> via a GUI that treated the input sequence of characters as ASCII.
>> This was, again, from code that already existed for OSPF. But note
>> there is no requirement in any RFC for support of an authentication
>> key entered in ASCII format.

The latest version of my Bird patch series lifts this restriction, BTW;
it is now possible to enter raw hex bytes as well as ASCII text when
specifying the key.

> Thanks; this is really helpful information to know (and pretty unfortunate
> about the OSPF situation).
> But if issues with how an existing Babel implementation handles input keys
> longer than the output length of the hash are what motivate the key length
> restrictions, shouldn't the length restrictions reflect the hash output
> length rather than the hash block size?
> -------------------------------------
>
> Does the parameter description have the right length limits? Please
> help! Thx,

I believe it does (see above). The Bird implementation is stricter,
though: it enforces exactly 32 bytes as the key size for Blake2s, and
between 32 and 64 bytes for HMAC-SHA256.

-Toke