Re: [babel] info-model: preparing -09 on github
"STARK, BARBARA H" <bs7652@att.com> Thu, 15 August 2019 21:46 UTC
Return-Path: <bs7652@att.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEE4F1200EC for <babel@ietfa.amsl.com>; Thu, 15 Aug 2019 14:46:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Level:
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TlcUSWrq-tAt for <babel@ietfa.amsl.com>; Thu, 15 Aug 2019 14:46:12 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68EEB1200DB for <babel@ietf.org>; Thu, 15 Aug 2019 14:46:12 -0700 (PDT)
Received: from pps.filterd (m0083689.ppops.net [127.0.0.1]) by m0083689.ppops.net-00191d01. (8.16.0.27/8.16.0.27) with SMTP id x7FLcKCR003939; Thu, 15 Aug 2019 17:46:08 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0083689.ppops.net-00191d01. with ESMTP id 2udffkr6a8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 15 Aug 2019 17:46:08 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id x7FLk6H0019682; Thu, 15 Aug 2019 17:46:07 -0400
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [135.47.91.177]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id x7FLk2kP019531 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 15 Aug 2019 17:46:02 -0400
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [127.0.0.1]) by zlp30486.vci.att.com (Service) with ESMTP id 95EF44009E83; Thu, 15 Aug 2019 21:46:02 +0000 (GMT)
Received: from GAALPA1MSGHUBAG.ITServices.sbc.com (unknown [130.8.218.156]) by zlp30486.vci.att.com (Service) with ESMTPS id 7CC584009E7E; Thu, 15 Aug 2019 21:46:02 +0000 (GMT)
Received: from GAALPA1MSGUSRBF.ITServices.sbc.com ([169.254.5.177]) by GAALPA1MSGHUBAG.ITServices.sbc.com ([130.8.218.156]) with mapi id 14.03.0439.000; Thu, 15 Aug 2019 17:46:02 -0400
From: "STARK, BARBARA H" <bs7652@att.com>
To: 'David Schinazi' <dschinazi.ietf@gmail.com>
CC: "'babel@ietf.org'" <babel@ietf.org>, 'Juliusz Chroboczek' <jch@irif.fr>
Thread-Topic: [babel] info-model: preparing -09 on github
Thread-Index: AdVSswKr0W4Y1vOsQfS00DtIY7BoYgAM83CAAAdXLCD//+jbAP//C3uggAKFBgCAAC70cA==
Date: Thu, 15 Aug 2019 21:46:01 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E6114E27796E@GAALPA1MSGUSRBF.ITServices.sbc.com>
References: <2D09D61DDFA73D4C884805CC7865E6114E2694DE@GAALPA1MSGUSRBF.ITServices.sbc.com> <87ftm3u0a6.wl-jch@irif.fr> <2D09D61DDFA73D4C884805CC7865E6114E269981@GAALPA1MSGUSRBF.ITServices.sbc.com> <87blwrtudx.wl-jch@irif.fr> <2D09D61DDFA73D4C884805CC7865E6114E275E65@GAALPA1MSGUSRBF.ITServices.sbc.com> <CAPDSy+4+46nUbUF=C-U1Jvw2QDZMRZ9-vXrRVwh71y8ne6e0Mg@mail.gmail.com>
In-Reply-To: <CAPDSy+4+46nUbUF=C-U1Jvw2QDZMRZ9-vXrRVwh71y8ne6e0Mg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.70.196.183]
Content-Type: multipart/alternative; boundary="_000_2D09D61DDFA73D4C884805CC7865E6114E27796EGAALPA1MSGUSRBF_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-08-15_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1908150202
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/x_g9RA640SLqtpvAHnKWVd8-Otw>
Subject: Re: [babel] info-model: preparing -09 on github
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2019 21:46:17 -0000
I disagree.
The HMAC specs (RFC2104) says:
Applications that use keys longer
than B [block size] bytes will first hash the key using H and then use the
resultant L [hash output size] byte string as the actual key to HMAC. In any case the
minimal recommended length for K is L bytes (as the hash output
length). See section 3 for more information on keys.
and from section 3
The key for HMAC can be of any length (keys longer than B bytes are
first hashed using H). However, less than L bytes is strongly
discouraged as it would decrease the security strength of the
function. Keys longer than L bytes are acceptable but the extra
length would not significantly increase the function strength. (A
longer key may be advisable if the randomness of the key is
considered weak.)
In this language, there is no requirement for applications using HMAC to accept (or be able to use) keys longer than B bytes. The two statements do say what must happen *if* a key longer than B bytes is provided. But if Babel wants to restrict keys to no more than B bytes, that is well within Babel’s purview to do so. RFC2106 very clearly tells applications get to decide what to use.
The other thing I get from this, though, is that it’s recommended to have at least L bytes for an HMAC key (L = 32 for SHA-256). I think we should reflect this recommendation. We could do it either with a “SHOULD” or “MUST” be at least the output hash length (not set the minimum at 0). I see no reason not to upgrade that to a MUST for Babel, if we want. [It’s always ok to be stricter than a referenced spec (e.g., change SHOULD to MUST) – it’s just not ok to do or allow something that violates a requirement from the spec (e.g., change MUST to SHOULD).] I think at least a MUST be at least 8 bytes” with a “SHOULD be at least the output hash length” would be good for HMAC. It’s also ok for the information model to be stricter than the babel-hmac implementation.
Blake2s does specifically allow zero-length keys – though I don’t know how advisable that is in a Babel usage scenario. I don’t know when key length of 0 is useful. But there is definitely nothing that prevents us from being stricter, if we wanted to insist on a key longer than 0. Again, this strictness can be in info-model only and doesn’t have to be reflected in babel-hmac.
I do need some maximum size on the parameter (independent of key algorithm) – so it won’t be unlimited length, anyway. I’m thinking 128 bytes as an absolute upper limit at this time.
Barbara
According to RFC 7693, Blake2s keys must be of length kk where 0 <= kk <= 32. So having the info model dictate that keys MUST follow that is perfectly reasonable to me.
However, according to RFC 6234, HMAC-SHA-256 allows all key lengths kk where 0 <= kk. I don't think the information model should express an opinion as to whether keys longer than 64 bytes are safe or not. If we choose to add that distinction we'll need to justify why we think the key hashing is unsafe, and I don't think there is an RFC we can cite for that.
So going back to Juliusz's listed options in the other thread <https://mailarchive.ietf.org/arch/msg/babel/QlvsPB9yYFPTPwQxaLcWIN3Hl2Y<https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_msg_babel_QlvsPB9yYFPTPwQxaLcWIN3Hl2Y&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=LoGzhC-8sc8SY8Tq4vrfog&m=r4dKW0HNSrjNPXdXIdJ_3kGc3XrRIxdBac60Dua9F9Q&s=hcwi5QDwG7wq96cE5vUbJ6LYJ0mNn6p0iGstPoskzO8&e=>>, I would argue for option 3 "bureaucratic" because it follows the design principle "The Babel WG does not make security decisions, we follow what RFCs tell us".
David
On Thu, Aug 15, 2019 at 9:58 AM STARK, BARBARA H <bs7652@att.com<mailto:bs7652@att.com>> wrote:
> > Is this suggesting that it's ok for info-model to provide babel-hmac
> > with any value between 0 and 64 bytes in length for HMAC-SHA256 or
> > between 0 and 32 bytes in length for Blake2s and babel-hmac can be
> > expected to zero-pad? Or are you still expecting info-model to do the
> > zero-padding before providing to babel-hmac?
>
> The former. You give me anything between 0 and 32/64, and I deal with it.
Cool. Then from a purely info-model perspective, it sounds like the key-value parameter length constraints are:
This value is of a length suitable for the associated
babel-mac-key-algorithm. If the algorithm is based on the HMAC
construction, the length MUST be between 0 and the block size of the
underlying hash inclusive (where "HMAC-SHA256" block size is 64 bytes
as described in {{RFC4868}}).
If the algorithm is "BLAKE2s", the length MUST be between 0 and 32 bytes
inclusive, as described in {{RFC7693}}.
Anything complying with info-model won't supply anything longer than the identified max length.
A babel-hmac implementation may get something as short as zero length, but will be expected to deal with it. Info-model doesn't care and doesn't need to know what "deal with it" means.
For HMAC and Blake2s algorithms, "deal with it" means hmac-babel will zero-pad shorter strings, because that's what the algorithm RFCs say to do (and not because babel-hmac has any extra requirements going beyond the algorithm specs).
Info-model won't send strings longer than the indicated length. If there is a UI to info model that accepts a longer string, hashes it, and then info-model provides the hashed value, that is what it is. Neither info-model nor babel-hmac care or know or need to know about this.
If a babel-hmac implementation does have special handling for longer strings, that's fine, too. But a value coming from info-model will never trigger this special code.
Does that sound right?
Barbara
_______________________________________________
babel mailing list
babel@ietf.org<mailto:babel@ietf.org>
https://www.ietf.org/mailman/listinfo/babel<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_babel&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=LoGzhC-8sc8SY8Tq4vrfog&m=r4dKW0HNSrjNPXdXIdJ_3kGc3XrRIxdBac60Dua9F9Q&s=5hUNj6-VdzK_NqcP_jOOoRJuQ_W388v5YT6Zl2RqxDg&e=>
- [babel] info-model: preparing -09 on github STARK, BARBARA H
- Re: [babel] info-model: preparing -09 on github Juliusz Chroboczek
- Re: [babel] info-model: preparing -09 on github STARK, BARBARA H
- Re: [babel] info-model: preparing -09 on github Juliusz Chroboczek
- Re: [babel] info-model: preparing -09 on github Mahesh Jethanandani
- Re: [babel] info-model: preparing -09 on github STARK, BARBARA H
- Re: [babel] info-model: preparing -09 on github STARK, BARBARA H
- Re: [babel] info-model: preparing -09 on github David Schinazi
- Re: [babel] info-model: preparing -09 on github STARK, BARBARA H
- Re: [babel] info-model: preparing -09 on github David Schinazi
- Re: [babel] info-model: preparing -09 on github David Schinazi
- Re: [babel] info-model: preparing -09 on github STARK, BARBARA H
- Re: [babel] info-model: preparing -09 on github STARK, BARBARA H
- Re: [babel] info-model: preparing -09 on github David Schinazi
- Re: [babel] info-model: preparing -09 on github STARK, BARBARA H
- Re: [babel] info-model: preparing -09 on github Juliusz Chroboczek
- Re: [babel] info-model: preparing -09 on github Juliusz Chroboczek
- Re: [babel] info-model: preparing -09 on github STARK, BARBARA H
- Re: [babel] info-model: preparing -09 on github David Schinazi
- Re: [babel] info-model: preparing -09 on github STARK, BARBARA H