Re: [babel] Babel-MAC: key size and digest size
Antonin Décimo <antonin.decimo@gmail.com> Sat, 28 December 2019 18:15 UTC
Return-Path: <antonin.decimo@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36FB912013C for <babel@ietfa.amsl.com>; Sat, 28 Dec 2019 10:15:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0m0CWnGJ_NLC for <babel@ietfa.amsl.com>; Sat, 28 Dec 2019 10:15:46 -0800 (PST)
Received: from mail-ot1-x32c.google.com (mail-ot1-x32c.google.com [IPv6:2607:f8b0:4864:20::32c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B191912016E for <babel@ietf.org>; Sat, 28 Dec 2019 10:15:46 -0800 (PST)
Received: by mail-ot1-x32c.google.com with SMTP id p8so4222764oth.10 for <babel@ietf.org>; Sat, 28 Dec 2019 10:15:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :content-transfer-encoding; bh=rKujk2YgnNvsrs5TKqt9nrxYo4z5/mPaW/QC+TZU/8A=; b=M09gqIX7/traArcY+ZKeREqMYEi53lF1dWkBmJEqJOgaEWn+QIRTPJxcECEkKfqrbp TMqPDpw///EEU8T8PRWjcA+zJuPTPywdoaQA3kEfpMq6qub1f8jT/C28uWNVRivOjxtb HAnhQl6Lt92cgsryK0Ahb6s0rHVPWGYSDe5sUm2uRQBayyojHTtHw7kXpwP5vV4ykH7d gb4hytxEK3/MdOEIIabNGKeLRQW41kDgpcL63mcIeUlVmle+7rkGJvB8uUrcrvhuXxea DDLOFqyMC3DOuwnkhQSVSdmMqwRuN5gELAe0re2rh46YPWgEEKkDoiP6+FkauSkkBxf4 Hzxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-transfer-encoding; bh=rKujk2YgnNvsrs5TKqt9nrxYo4z5/mPaW/QC+TZU/8A=; b=V/hvaLFk2pdhliuX4H52UG693Yk4/oqg4cglSeN9ioIEo2aUqKGK3CcraKNKdimPxT 5aajygWO6qw13yigyCjydzeFjxMWUqmZHjBSC6wQKYL/f4fz7qr0s5h2A2t9R2/scMpF 9e/ncR2xCsyzAnxoDtzFFINUdlA50hbXKqTtn5viBPxG21Oqfgr2K9LU24VwBCOBlK1r 7ugg8nEY94RN10IXXj4lTeoJjzwPK13tR4FFK91k9zdRQQsg1iG+GioZ+rCzhAtmsCGF FxrhtCBk44Q/WQiGju0yIBFpxX08NH+2XLjsJYcWLj0SpyaqIpXi2Tqv1RMOgytHEQID 9scQ==
X-Gm-Message-State: APjAAAXzZyaWcAKHLCHkG5mDJXZqZa2f3IQCJVYNNY0ETz5syuCyVc/Y 023xMx71KsxstOyzVGzp93sTdO+IjffNiSAKDV+8ZIP9
X-Google-Smtp-Source: APXvYqy3OaDRkQWRDuM9BIPSMWQkCIy8Qa6Urb6NNI/LKr2uWer+OLHktEGB8ee2uL/6e/XUatwH6IxOygXhyN56UE4=
X-Received: by 2002:a05:6830:1f89:: with SMTP id v9mr60809426otr.90.1577556945890; Sat, 28 Dec 2019 10:15:45 -0800 (PST)
MIME-Version: 1.0
References: <CAC=54BL7Be5joBChiO1e=1nB7QpY8Ozx3qwDMUzEpDp2noWD3A@mail.gmail.com>
In-Reply-To: <CAC=54BL7Be5joBChiO1e=1nB7QpY8Ozx3qwDMUzEpDp2noWD3A@mail.gmail.com>
From: Antonin Décimo <antonin.decimo@gmail.com>
Date: Sat, 28 Dec 2019 19:15:54 +0100
Message-ID: <CAC=54BLsU5e4iY8T=NX0_5gt3A7=nZb0qnyGeVA5YnGu7knVHQ@mail.gmail.com>
To: Babel at IETF <babel@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/r3p4Db8Eye1fD8ScbLk0jQIFOQo>
Subject: Re: [babel] Babel-MAC: key size and digest size
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Dec 2019 18:15:48 -0000
Hello again, I'm keeping in mind that (§7): > Every implementation MUST implement HMAC-SHA256 as defined in > [RFC6234] and Section 2 of [RFC2104] , SHOULD implement keyed > BLAKE2s [RFC7693] , and MAY implement other MAC algorithms. 1. Key length This is the change I'm proposing in §7: Keys must be chosen in a manner that makes them difficult to guess. -Ideally, they should have a length of 32 octets (both for HMAC-SHA256 -and Blake2s), and be chosen randomly. +Ideally, they should be chosen randomly, and have the maximum key +length supported by the MAC algorithm (32 octets for keyed BLAKE2S) +or no less than the block size of the MAC algorithm (64 octets for +HMAC-SHA256). 2. Digest length After a bit of sleep, I realised that reading the length of the MAC TLV in order to compute a MAC of this length is not compliant with the protocol (§4.3) since MACs are computed without looking into the packet. > Then, for each key configured on the receiving interface, the > receiver computes the MAC of the packet. It then compares every > generated MAC against every MAC included in the packet; Still, it was an error I was almost going to make. I propose the following change to ensure that we're always using the maximum digest length of the MAC algorithm. This is the change I'm proposing in §4.1: implementation MUST implement HMAC-SHA256 as defined in <xref target="RFC6234"/> and Section 2 of <xref target="RFC2104"/>, SHOULD implement keyed BLAKE2s <xref target="RFC7693"/>, and MAY implement other MAC algorithms. +The length of the MAC MUST be the maximum MAC length computable by +the MAC algorithm (32 octets for both HMAC-SHA256 and keyed +BLAKE2S). 3. Lazy computation With the idea that computing a MAC is more costly than comparing MACs, and that there's a very limited amount of MACs to check, I propose we lazily compute MACs. Instead of computing the MAC for every key on packet reception, we compute the MAC with the first key, then check it against the MACs carried by the packet. If there's a match, the packet is immediately accepted. If there's no match, we the proceed to the next key until all keys are exhausted, and the packet is rejected. This is the change I'm proposing in §4.3: -Then, for each key configured on the receiving interface, the -receiver computes the MAC of the packet. It then compares every -generated MAC against every MAC included in the packet; if there is -at least one match, the packet passes the MAC test; if there is none, -the packet MUST be silently dropped and processing stops at this -point. +Then, for each key configured on the receiving interface, the +receiver computes the MAC of the packet and compares it against every +MAC included in the packet; if there is at least one match, the +packet passes the MAC test; if there is none, the receiver proceeds +with the next key. If none of the MAC matched, the packet MUST be +silently dropped and processing stops at this point. Cheers! -- Antonin
- [babel] Babel-MAC: key size and digest size Antonin Décimo
- Re: [babel] Babel-MAC: key size and digest size Antonin Décimo
- Re: [babel] Babel-MAC: key size and digest size Donald Eastlake