Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ...
David Jacobson <dmjacobson@sbcglobal.net> Fri, 10 February 2017 15:50 UTC
Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82BBF1299EB for <cfrg@ietfa.amsl.com>; Fri, 10 Feb 2017 07:50:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sbcglobal.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vEsD59e3D2_7 for <cfrg@ietfa.amsl.com>; Fri, 10 Feb 2017 07:50:09 -0800 (PST)
Received: from nm3-vm3.access.bullet.mail.bf1.yahoo.com (nm3-vm3.access.bullet.mail.bf1.yahoo.com [216.109.114.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8FCD1299D0 for <cfrg@ietf.org>; Fri, 10 Feb 2017 07:50:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s2048; t=1486741808; bh=t8lixResoAIVemV/XVmViUPTZC3MLRHc3D/RdBaM57M=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From:Subject; b=tPiPcy+zI6fwY6+BFPxDiRXCpnlzrp942G5CD/kYi1DDYzfynrnUUKNr8C3pGx8XlwodbqAdbZ4y5KwWZtdrKcL0leAW6DHrktoXegVWtamHmYSOoDLGfd8xwSm0Es4ePdP9n1Y5ajOaGFA2WvWCPgw98npz/AYioONb1oQSSxEL1yJzPpc8m1cJX+ZTUuVgE2pYClsx0dlgdqgMoaBW9UUxfZ2tXxjOqllcITh6qqYKmvzRipClZiAHPAMiS2c9xEYmGAch6SGLWLLlzHZnlytRxuT3xW3t2Lci7dLSFo5hDYqi30L0vvbnkAOiAYQlmdySiL35+jEm0oWHKqp4/A==
Received: from [66.196.81.163] by nm3.access.bullet.mail.bf1.yahoo.com with NNFMP; 10 Feb 2017 15:50:08 -0000
Received: from [98.138.226.243] by tm9.access.bullet.mail.bf1.yahoo.com with NNFMP; 10 Feb 2017 15:50:07 -0000
Received: from [127.0.0.1] by smtp114.sbc.mail.ne1.yahoo.com with NNFMP; 10 Feb 2017 15:50:07 -0000
X-Yahoo-Newman-Id: 730902.2625.bm@smtp114.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: 8u7.ihYVM1nxg5h8lGl1JbRE5aa15lB5uYIS4q8wupPDv7T gLAQZ2lJ3BpzAw1cPlF.SGTx2hqGyvuP1HFf1Wq9.P.MgBgoUkNijUJqDfOS E_oQCE0ipq6wYfCAzHHL_AFFbHeSR05NbiwoBxr0_PCcHmJdPo5Tyj8v1.vS NyLmHI_8k.fVs6ryuj8fJ3C9DGe3h6RH4IVq6U3U_ah9XoE5atm8IbJwBQ7v X10bF4jClGJ59dmN39RVPelA6GP651iN2_2jybx6M4EXh6QyUqGiPz1RRzVN 7uKrhIIea5sjaYpYznT7RbY4pjN3GwKVl0BHFyQzaAMQdZDdqxtWUfStod8V FGLgQrxOa106jyoa4sP7zHEAolF4VhmEyMoQzJ44bsvOMtyBVQi01pRL6t7. jpHXaobuHZaQIn_2NtCcv4ysP7mGNLa4ylawvMglT.FDNfG_jpqS4Ld2TDOc UdnDnHQyXYZLe_G02gfHRcVhjyzn9qh..YrTHJi7V0tyMbf8YKTRB5twVPr4 yifYGkxUopvQ0vViXX7zLEi7Qhvx3vlRnbgUNo1SpoIgCs1X7mcTFJKgNabv QA44pIg--
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>, Randal Atkinson <randal.atkinson.ctr@nrl.navy.mil>, Michael StJohns <msj@nthpermutation.com>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
References: <F2C52E74-6FF0-4F72-BFD0-56D39031B4D9@nrl.navy.mil> <CY4PR09MB1464F9936D5C07DF16D29403F3420@CY4PR09MB1464.namprd09.prod.outlook.com> <59d04ca7-aed8-e0e1-bf06-fdd44ccba697@sbcglobal.net> <D4C323A1.2F5E8%qdang@nist.gov>
From: David Jacobson <dmjacobson@sbcglobal.net>
Message-ID: <0d9948b3-074a-ab89-9154-6f2c0c96b464@sbcglobal.net>
Date: Fri, 10 Feb 2017 07:50:05 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <D4C323A1.2F5E8%qdang@nist.gov>
Content-Type: multipart/alternative; boundary="------------0A9D27E40B1CFD9C8CA4B06F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/35_MeuhCbWTT1Uo2nRzHYZcu9cU>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ...
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 15:50:13 -0000
In engineering, we like to be able to think of things as black boxes
with specifications. If you follow the rules in the specification, it
works properly.
The problem here is that HMAC fails to do this. If you use HMAC with a
key larger that the input block size (allowed), and you reveal the hash
of the key (a la original /etc/password), you can lose security.
My suggestion would be to add wording to the specification that says (
a) that use of keys larger than the input block size is discouraged, and
(b) if the keys larger than the input block size are used, the H(K) is
also sensitive and must be protected with the same diligence as the key
would be protected.
--David Jacobson
On 2/10/17 5:23 AM, Dang, Quynh (Fed) wrote:
> See my discussion below.
>
> From: David Jacobson <dmjacobson@sbcglobal.net
> <mailto:dmjacobson@sbcglobal.net>>
> Date: Friday, February 10, 2017 at 12:27 AM
> To: 'Quynh' <Quynh.Dang@nist.gov <mailto:Quynh.Dang@nist.gov>>, Randal
> Atkinson <randal.atkinson.ctr@nrl.navy.mil
> <mailto:randal.atkinson.ctr@nrl.navy.mil>>, Michael StJohns
> <msj@nthpermutation.com <mailto:msj@nthpermutation.com>>, "Paterson,
> Kenny" <Kenny.Paterson@rhul.ac.uk <mailto:Kenny.Paterson@rhul.ac.uk>>
> Cc: "cfrg@ietf.org <mailto:cfrg@ietf.org>" <cfrg@ietf.org
> <mailto:cfrg@ietf.org>>
> Subject: Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ...
>
> See interleaved comment.
>
> On 2/8/17 5:31 AM, Dang, Quynh (Fed) wrote:
>>
>> Randal, Michael and many others,
>>
>>
>> Thank you for your suggestions.
>>
>>
>> Kenny,
>>
>>
>> Thank you for your discussion email.
>>
>>
>> We are thinking about what would be the best option for HMAC.
>> Some technical possibilities are below.
>>
>>
>> 1) Don't change the HMAC spec.
>>
>>
>> Ask a HMAC key always to have a fixed length such as HMAC-SHA256
>> having 256-bit key. Which means that all protocols using
>> HMAC-SHA256 use 256-bit keys.
>>
>> If each protocol uses a different key length, then the issue
>> would still exist across protocols. I don't know if this is a
>> practical security problem, but it seems like a problem that
>> should be avoided.
>>
>> Should ask HMAC keys to be processed/produced by a hash function
>> or another PRF always.
>
> I don't see the need or even desirability for this, assuming you
> ask each protocol to use a fixed (for that protocol) key length.
> (That was the line above.)
>
> For an attacker to find two messages with the same HMAC, not
> knowing the key, he would have to find a collision in the first
> stage, not knowing the first block. And if you add an extra hash,
> you are only making it easier. He has to get a collision in the
> pre-hash, where he knows everything.
>
>
> Of course, the hash function must be a collision-resistant one.
>
> The reason for hashing the key or the key is produced by a good hash
> function or a PRF is to make the key become more of a "random key" as
> you know HMAC is a PRF as keys are selected randomly, not selectively.
>
> Quynh.
>
>
>
>
>
> --David Jacobson
>>
>> This option does not break interoperability of the current HMAC
>> implementations.
>>
>> 2) Change the HMAC Spec.
>>
>> a) Always hash the key regardless of its length, then perform
>> step 3 in FIPS 198.
>> b) Use a hash-based KDF (not HKDF) to produce B bits from the
>> key, then go to step 4 in the FIPS. (bad for performance).
>> c) Require key < B, then do multi-rate padding 10* to make the
>> key B bits, then go to step 4 in the FIPS. (good for performance).
>>
>> We recommend the use of KMAC in SP 800-185. KMAC's security is
>> solid and proven, and it has great performance. Code to implement
>> KMAC can be reused to implement many other
>> Keccak-derived symmetric-key crypto functions.
>>
>> Regards,
>> Quynh.
>> ------------------------------------------------------------------------
>> *From:* Randal Atkinson <randal.atkinson.ctr@nrl.navy.mil>
>> *Sent:* Tuesday, February 7, 2017 12:34 PM
>> *To:* Dang, Quynh (Fed)
>> *Cc:* Randal Atkinson
>> *Subject:* Aside Re: [CFRG] erratum for hmac ...
>>
>> One option available to NIST would be for NIST to open comments
>> on updating FIPS 198-1, even if opening comments on that now/soon
>> would be earlier than NIST ordinarily would do so.
>>
>> Given how long it takes to move from an approved FIPS revision
>> to widespread US Government deployment, if data exists from
>> Kenny P and/or others that merits an update, then starting sooner
>> would not be a bad thing for the USG.
>>
>> Cheers,
>>
>> Ran Atkinson
>>
>> --------------------------------
>> Randal Atkinson, PhD
>> Cheltenham Research for NRL 5520
>> randal.atkinson.ctr@nrl.navy.mil
>>
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg
>
>
- Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ... Dang, Quynh (Fed)
- Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ... David Jacobson
- Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ... David Jacobson
- Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ... Taylor R Campbell
- Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ... Taylor R Campbell
- Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ... Dang, Quynh (Fed)
- Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ... David Jacobson
- Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ... Dang, Quynh (Fed)