Re: [babel] MAC and key size
Antonin Décimo <antonin.decimo@gmail.com> Tue, 09 March 2021 17:44 UTC
Return-Path: <antonin.decimo@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1633F3A1176 for <babel@ietfa.amsl.com>; Tue, 9 Mar 2021 09:44:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IojOBlDvGYEL for <babel@ietfa.amsl.com>; Tue, 9 Mar 2021 09:44:00 -0800 (PST)
Received: from mail-oo1-xc35.google.com (mail-oo1-xc35.google.com [IPv6:2607:f8b0:4864:20::c35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B1A33A111E for <babel@ietf.org>; Tue, 9 Mar 2021 09:44:00 -0800 (PST)
Received: by mail-oo1-xc35.google.com with SMTP id h38so3235271ooi.8 for <babel@ietf.org>; Tue, 09 Mar 2021 09:44:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EDcwicxRWr65sHcmd3Ji0umW7x0w/eXLyMBpsbbee1Y=; b=W1MZVg+iWg2e/MrBHhH/Uwm3NCxlUyybwFvTCyrEOTAN7AIUc74tOgxiwehtplc4YB qcYVnPOQcedjmKAk7VscvNA3dfEWvEQc9PvrBXrUjznSGTqPw4FRhKSbnGypZgzw+QnQ tSnAEVPiD67VYWSqLXZJR1CC9UwBJI9aJ+HRC4Uwi7Lp75BjGqG0oVoOKaGcDt0mrRCm GpcZJrLkc/+c68FZC2Rv5k5VRs860aUpN2fN8bxuH2SgQfQVVCTcIuaxnY/pboezqzQV FF0rfsY/PYyUnnP5ZytlopA4U6V70JMXU6buIb73okgWfLbb56y44FJvSpKsOZUVGikT iECw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EDcwicxRWr65sHcmd3Ji0umW7x0w/eXLyMBpsbbee1Y=; b=sD/X88mmyI67xBwofvslMPaUhMoBGQo5Ah126P8/W0fHoArbs7uYx84YteHOw7m6Md 84JLrJakLtjykwXSEVVXAItbzqqIeuvBWAjmdOq29I2Ys21pQ4qlcDtSfkontNsvlkNG 6VjWQZHOpbkntm2Qs2nY86jpOnF8ZqnPKs1pPUamQdAHjDbH6JPa/LYgHJ+x2LR9K0Z0 vkJFRLRV26AI9zKvL9DcMt0DHdIJDnTL6p7pYBi2IiQTO26q15pUe3xqzq6+XhVWlwgt f42jykoPE5fURtplQ/e5YNA6fFdipHuPVx9VrfeGtO3tzdUcnGc5A/fbGvvCDHuSOifE U7NQ==
X-Gm-Message-State: AOAM530tMO0INPvuV3qMiyhlMs5YoL3E8KwReSpcZf53N8Ig2adInWzr O4qjUpSLfmdwdBN0Xwd1IecR39Plm84hodPVi34svVHTGJ8=
X-Google-Smtp-Source: ABdhPJwEAzG3wUctbPXXPNjgm/8cfR3LRyLDGSZ9R6WkeBeQko8osyS60yIVSd2Syrqa1ysEJm0kdJqFMzlMjWYpsps=
X-Received: by 2002:a4a:858c:: with SMTP id t12mr23264500ooh.20.1615311838498; Tue, 09 Mar 2021 09:43:58 -0800 (PST)
MIME-Version: 1.0
References: <875z20tjmj.wl-jch@irif.fr>
In-Reply-To: <875z20tjmj.wl-jch@irif.fr>
From: Antonin Décimo <antonin.decimo@gmail.com>
Date: Tue, 09 Mar 2021 18:43:47 +0100
Message-ID: <CAC=54B+ZQ33ECaR+Y5+7t8+wvfO1tLDWqffXtPWgQNzBogMjVw@mail.gmail.com>
To: Juliusz Chroboczek <jch@irif.fr>
Cc: Babel at IETF <babel@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/ssR0EGhJD2rCXa5Irn5wX4HgjHY>
Subject: Re: [babel] MAC and key size
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Mar 2021 17:44:02 -0000
There is indeed confusion in OSPF RFCs about the upper bound for the key in HMAC after which to start hashing. RFC 4634, 6234, Wikipedia, Bird (quoting Toke), and babeld use the block size. Babel-MAC links to RFC 6234. We are safe from that issue. > HMAC is defined using two keys: > - K' = H(K) if |K| > block size HMAC and blake2s are slightly different, in particular blake2s *limits* the maximum size of the key and doesn't pre-hash it. > Ben wants it to be K, while I would prefer it to be K', and any > hashing should be done before the key is inserted into the > management interface. Note that reference implementations of hash algorithms take K as parameter. But there's not much to worry about: for hmac-sha256 it doesn't matter whether they are pre-hashed or not because of the HMAC construct, and for blake2s it doesn't matter because the key isn't hashed (and a pad is trivial). I expect the user to be a bit confused to see the hashed key. If the management delivers the hashed key, it also means that the key derivation function is in the management interface. That would simplify a bit a Babel implementation. > the key SHOULD be no larger than the underlying hash's block size, For blake2s the key cannot be larger than half the hash's block size. I'd be in favor of using the limits enforced by the hashing algorithm if they exist (the case of blake2s). If they don't, then use this SHOULD, although for hmac-sha256 we've already accepted that keys longer than 32 bytes (half the hash's block size) give no additional security. But does it really matter, as HMAC already handles arbitrary-sized keys? > it SHOULD be at least the digest size Seems like a good recommendation, but I think we're just guessing here. What matters most and where we had troubles was the digest size to use: it can be configured with blake2s, or generally the output can be truncated. Implementations using the same hashing algorithm must agree on a digest size beforehand, or verifying the signature of a packet simply will fail (and you don't want to check if digests are prefixes of each other). We are safe from that issue in Babel-MAC. Regarding the input format of a key, I've seen a mail exchange that flew a bit over my head, but remember that a key is just a big number, and we're looking for a practical symbolic representation of that number. An hexadecimal string seems to me the easiest human and machine wise. I don't see babeld accepting a raw binary sequence as a key (but I could be wrong). Currently in babeld I enforce 32 bytes keys for both hmac-sha256 and blake2s, but that could be relaxed. Babeld only understands hexadecimal strings. -- Antonin
- [babel] MAC and key size Juliusz Chroboczek
- Re: [babel] MAC and key size Antonin Décimo
- Re: [babel] MAC and key size STARK, BARBARA H
- Re: [babel] MAC and key size STARK, BARBARA H