Re: [Cfrg] HIP Help (I hope!)
"Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu> Thu, 14 June 2012 15:12 UTC
Return-Path: <prvs=75126a4a1d=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66FAD21F86BD for <cfrg@ietfa.amsl.com>; Thu, 14 Jun 2012 08:12:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.201
X-Spam-Level:
X-Spam-Status: No, score=-5.201 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8+oV-srMIYLy for <cfrg@ietfa.amsl.com>; Thu, 14 Jun 2012 08:12:46 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id 5E0D721F86B9 for <cfrg@irtf.org>; Thu, 14 Jun 2012 08:12:46 -0700 (PDT)
Received: from LLE2K7-HUB02.mitll.ad.local (LLE2K7-HUB02.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id q5EFCb3w007940; Thu, 14 Jun 2012 11:12:37 -0400
From: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>, "'Igoe, Kevin M.'" <kmigoe@nsa.gov>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 14 Jun 2012 11:12:32 -0400
Thread-Topic: [Cfrg] HIP Help (I hope!)
Thread-Index: Ac1KQCEZKsWUFmHtQtGmNwhu60BAcw==
Message-ID: <CBFF6170.D4CA%uri@ll.mit.edu>
In-Reply-To: <758141CC3D829043A8C3164DD3D593EA1BD324E07D@XCH-NW-16V.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.12.0.110505
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3422517153_124503962"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.7.7855, 1.0.260, 0.0.0000 definitions=2012-06-14_04:2012-06-14, 2012-06-14, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=2 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=6.0.2-1203120001 definitions=main-1206140131
Cc: 'Robert Moskowitz' <rgm@htt-consult.com>
Subject: Re: [Cfrg] HIP Help (I hope!)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2012 15:12:49 -0000
> Kevin and all, ..
> For the keys used in HIP themselves (used for signing/authentication), HIP
> specifies these types:
> DSA 3 [RFC2536 <http://tools.ietf.org/html/rfc2536> ]
> (RECOMMENDED)
Considering Suite B, I am not sure I'd still recommend DSA.
> RSA 5 [RFC3110 <http://tools.ietf.org/html/rfc3110> ]
> (REQUIRED)
Well, I'd move from RSA, but I recognize the reality megatons of
already-deployed RSA code and certs
> ECDSA 7 [RFC4754 <http://tools.ietf.org/html/rfc4754> ]
> (RECOMMENDED)
Yes, and I'd consider elevating ECDSA to REQUIRED, to facilitate and
encourage the move.
> ECDSA_LOW 9 [SECG
> <http://tools.ietf.org/html/draft-ietf-hip-rfc5201-bis-08#ref-SECG> ]
> (RECOMMENDED)
I would drop ECDSA_LOW altogether.
> The feedback that I received was to follow NIST 800-131A on key strength
> regarding all of these key types, and to consider not using ECDSA_LOW. We'd
> like to retain ECDSA_LOW, suitably caveated ("defined for devices with low
> computational capabilities"). For DSA, we could replace the existing
> reference to a reference to FIPS 186-3 and also reference RFC 5114 2.3 with
> 2048-bit subgroups for use with SHA2-256.
At the very least. SHA3 should come out some time this year do you care to
wait?
> The hash used for RSA and DSA signature is SHA-256, so I don't think any
> change is needed there.
It should be sufficient, based on what we currently know.
> For RSA signature padding, the RSAASA-PSS [RFC3447] should replace the
> reference to RFC3110 above, and explicitly state that PSS instead of PKCS1.5
> padding is used. I am not sure whether we need to state anything about
> padding for other signature types (guidance here would be helpful).
I'll let others comment on this.
> Regarding OAEP, currently HIP specifies these ciphers for use in the
> ENCRYPTED parameter (used to encrypt small blocks of data):
> AES-128-CBC 2 ([RFC3602]) required
> 3DES-CBC 3 ([RFC2451])
> AES-256-CBC 4 ([RFC3602])
>
> I believe that we are being asked to also support RSA-OAEP here (RFC 4055).
> Would specifing an additional (non-required) option for RSAES-OAEP ([RFC4055])
> suffice, or is OAEP a preferred technique for encrypting parameters over
> AES-128-CBC?
RSA-OAEP as a preferred technique to encrypt what? For passing along AES and
other cryptographic keys sure, it's a great mechanism. To encrypt data
chunks (large or small) if/when you already have an AES key established
between the parties no way. To infrequently send small things when you
don't have a symmetric key established if you want to be 10% stateless,
then yes, RSA-OAEP would do the job; but if you can afford setting up a
symmetric channel and/or plan on exchanging a whole bunch of these small
things you're better off not using RSA-OAEP for data transfer...
> Also, I understand that we ought to consider clarifying that 3DES-CBC is the
> three-key variant (NIST 800-131A), or removing it altogether (which I think is
> what you advocated below).
I would just remove it, as I see no purpose in carrying 3DES over.
> Regarding encryption padding, the current draft specifies to use whatever
> padding is specified by the encryption algorithm, citing PKCS5 for AES, and
> not mentioning 3DES-CBC padding (in practice, our implementation also pads
> this according to PKCS5).
Why not :)
From: cfrg-bounces@irtf.org [mailto:cfrg-bounces@irtf.org] On Behalf Of
Igoe, Kevin M.
Sent: Monday, May 14, 2012 11:55 AM
To: Igoe, Kevin M.; cfrg@irtf.org
Subject: Re: [Cfrg] HIP Help (I hope!)
I did some double checking with some certificate guru¹s & they agree that
RSA-OAEP is precisely what you should be using.
If you have a hammer, the whole world starts looking like a nail. :)
I¹ve also had some discussions about HIP¹s use of 3DES. It will be
difficult to uproot once it has been fielded, so it might be prudent to
remove it now. The same applies to DSA SHA1/2048 and ECDSA_low.
I concur.
- [Cfrg] HIP Help (I hope!) Igoe, Kevin M.
- Re: [Cfrg] HIP Help (I hope!) Igoe, Kevin M.
- Re: [Cfrg] HIP Help (I hope!) Henderson, Thomas R
- Re: [Cfrg] HIP Help (I hope!) Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] HIP Help (I hope!) Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] HIP Help (I hope!) Henderson, Thomas R