Re: [Cfrg] HIP Help (I hope!)
"Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu> Thu, 14 June 2012 15:12 UTC
Return-Path: <prvs=75126a4a1d=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66FAD21F86BD for <cfrg@ietfa.amsl.com>; Thu, 14 Jun 2012 08:12:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.201
X-Spam-Level:
X-Spam-Status: No, score=-5.201 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8+oV-srMIYLy for <cfrg@ietfa.amsl.com>; Thu, 14 Jun 2012 08:12:46 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id 5E0D721F86B9 for <cfrg@irtf.org>; Thu, 14 Jun 2012 08:12:46 -0700 (PDT)
Received: from LLE2K7-HUB02.mitll.ad.local (LLE2K7-HUB02.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id q5EFCb3w007940; Thu, 14 Jun 2012 11:12:37 -0400
From: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>, "'Igoe, Kevin M.'" <kmigoe@nsa.gov>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 14 Jun 2012 11:12:32 -0400
Thread-Topic: [Cfrg] HIP Help (I hope!)
Thread-Index: Ac1KQCEZKsWUFmHtQtGmNwhu60BAcw==
Message-ID: <CBFF6170.D4CA%uri@ll.mit.edu>
In-Reply-To: <758141CC3D829043A8C3164DD3D593EA1BD324E07D@XCH-NW-16V.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.12.0.110505
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3422517153_124503962"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.7.7855, 1.0.260, 0.0.0000 definitions=2012-06-14_04:2012-06-14, 2012-06-14, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=2 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=6.0.2-1203120001 definitions=main-1206140131
Cc: 'Robert Moskowitz' <rgm@htt-consult.com>
Subject: Re: [Cfrg] HIP Help (I hope!)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2012 15:12:49 -0000
> Kevin and all, .. > For the keys used in HIP themselves (used for signing/authentication), HIP > specifies these types: > DSA 3 [RFC2536 <http://tools.ietf.org/html/rfc2536> ] > (RECOMMENDED) Considering Suite B, I am not sure I'd still recommend DSA. > RSA 5 [RFC3110 <http://tools.ietf.org/html/rfc3110> ] > (REQUIRED) Well, I'd move from RSA, but I recognize the reality megatons of already-deployed RSA code and certs > ECDSA 7 [RFC4754 <http://tools.ietf.org/html/rfc4754> ] > (RECOMMENDED) Yes, and I'd consider elevating ECDSA to REQUIRED, to facilitate and encourage the move. > ECDSA_LOW 9 [SECG > <http://tools.ietf.org/html/draft-ietf-hip-rfc5201-bis-08#ref-SECG> ] > (RECOMMENDED) I would drop ECDSA_LOW altogether. > The feedback that I received was to follow NIST 800-131A on key strength > regarding all of these key types, and to consider not using ECDSA_LOW. We'd > like to retain ECDSA_LOW, suitably caveated ("defined for devices with low > computational capabilities"). For DSA, we could replace the existing > reference to a reference to FIPS 186-3 and also reference RFC 5114 2.3 with > 2048-bit subgroups for use with SHA2-256. At the very least. SHA3 should come out some time this year do you care to wait? > The hash used for RSA and DSA signature is SHA-256, so I don't think any > change is needed there. It should be sufficient, based on what we currently know. > For RSA signature padding, the RSAASA-PSS [RFC3447] should replace the > reference to RFC3110 above, and explicitly state that PSS instead of PKCS1.5 > padding is used. I am not sure whether we need to state anything about > padding for other signature types (guidance here would be helpful). I'll let others comment on this. > Regarding OAEP, currently HIP specifies these ciphers for use in the > ENCRYPTED parameter (used to encrypt small blocks of data): > AES-128-CBC 2 ([RFC3602]) required > 3DES-CBC 3 ([RFC2451]) > AES-256-CBC 4 ([RFC3602]) > > I believe that we are being asked to also support RSA-OAEP here (RFC 4055). > Would specifing an additional (non-required) option for RSAES-OAEP ([RFC4055]) > suffice, or is OAEP a preferred technique for encrypting parameters over > AES-128-CBC? RSA-OAEP as a preferred technique to encrypt what? For passing along AES and other cryptographic keys sure, it's a great mechanism. To encrypt data chunks (large or small) if/when you already have an AES key established between the parties no way. To infrequently send small things when you don't have a symmetric key established if you want to be 10% stateless, then yes, RSA-OAEP would do the job; but if you can afford setting up a symmetric channel and/or plan on exchanging a whole bunch of these small things you're better off not using RSA-OAEP for data transfer... > Also, I understand that we ought to consider clarifying that 3DES-CBC is the > three-key variant (NIST 800-131A), or removing it altogether (which I think is > what you advocated below). I would just remove it, as I see no purpose in carrying 3DES over. > Regarding encryption padding, the current draft specifies to use whatever > padding is specified by the encryption algorithm, citing PKCS5 for AES, and > not mentioning 3DES-CBC padding (in practice, our implementation also pads > this according to PKCS5). Why not :) From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of Igoe, Kevin M. Sent: Monday, May 14, 2012 11:55 AM To: Igoe, Kevin M.; cfrg@irtf.org Subject: Re: [Cfrg] HIP Help (I hope!) I did some double checking with some certificate guru¹s & they agree that RSA-OAEP is precisely what you should be using. If you have a hammer, the whole world starts looking like a nail. :) I¹ve also had some discussions about HIP¹s use of 3DES. It will be difficult to uproot once it has been fielded, so it might be prudent to remove it now. The same applies to DSA SHA1/2048 and ECDSA_low. I concur.
- [Cfrg] HIP Help (I hope!) Igoe, Kevin M.
- Re: [Cfrg] HIP Help (I hope!) Igoe, Kevin M.
- Re: [Cfrg] HIP Help (I hope!) Henderson, Thomas R
- Re: [Cfrg] HIP Help (I hope!) Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] HIP Help (I hope!) Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] HIP Help (I hope!) Henderson, Thomas R