Re: [Cfrg] [secdir] ISE seeks help with some crypto drafts

Paul Wouters <paul@nohats.ca> Fri, 08 March 2019 17:52 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B93F1313FB for <cfrg@ietfa.amsl.com>; Fri, 8 Mar 2019 09:52:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8_yEBq2zoEp1 for <cfrg@ietfa.amsl.com>; Fri, 8 Mar 2019 09:52:34 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48E6C1313EC for <cfrg@irtf.org>; Fri, 8 Mar 2019 09:52:34 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 44GFSv4Tmlz3FX; Fri, 8 Mar 2019 18:52:31 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1552067551; bh=vkHYbBtHSCZRc+1fHDomfSZ+nogu/C5BTd6Or9UuxCc=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=kzTCpDwg6kq+JKG6GS/1ForAzwtiujZpGvj1SOhC+gN0ztu0OlsRaLcKnoeDByfk9 9Fxu9nTvWwtIQuxv3b8dq1PiAnqGggw41AC7zjitZFLAAana4xCKR3gvxh0nxkgnww CLKQSJjNKVXbaThFbnZXDsMjShWhmFpPzXG6P8Ms=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id fGgMdu0jpCce; Fri, 8 Mar 2019 18:52:28 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 8 Mar 2019 18:52:27 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id A18425C856; Fri, 8 Mar 2019 12:52:26 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca A18425C856
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 99A42411602B; Fri, 8 Mar 2019 12:52:26 -0500 (EST)
Date: Fri, 8 Mar 2019 12:52:26 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: "RFC ISE (Adrian Farrel)" <rfc-ise@rfc-editor.org>
cc: cfrg@irtf.org, secdir <secdir@ietf.org>
In-Reply-To: <1d8de489fc976b63a911573300a431d4.squirrel@www.amsl.com>
Message-ID: <alpine.LRH.2.21.1903081227200.30421@bofh.nohats.ca>
References: <1d8de489fc976b63a911573300a431d4.squirrel@www.amsl.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AWK32U7Yd0Xaxc0Lc5h__qGUKaQ>
Subject: Re: [Cfrg] [secdir] ISE seeks help with some crypto drafts
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 17:52:38 -0000

On Fri, 8 Mar 2019, RFC ISE (Adrian Farrel) wrote:

> Hi CFRG and SecDir,
>
> Ted Krovetz has asked for publication of ...
>
> https://datatracker.ietf.org/doc/draft-krovetz-ocb-wideblock/
> ....and...
> https://datatracker.ietf.org/doc/draft-krovetz-rc6-rc5-vectors/
>
> ....in the Independent Stream.
>
> These are both currently in expired state, but available in the archive.
>
> At this stage I am looking to know whether anyone feels that publication
> would be a bad thing:
> - at this stage
> - ever

I have strong reservations about the ocb draft. Rogaway has patents
on OCB, and has put constrains on its use and there is no generic IPR
statement that the IETF normally likes to see for work published as
RFC. Until such a time, I do not think publishing RFC's with OCB is
advised. A few years ago I asked the TLS OCB authors about extending
their allowed usage to IKE/IPsec and they told me this use was not
covered by Rogaway's license to them. While this has since changed a bit,
and there is no longer a specific TLS-only license, other constrains are
still in place.  Specifying OCB documents that cannot be implemented or
deployed indiscriminatory is troublesome.

Patents:
http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm#patent:phil

 	"I license OCB under fair, reasonable, and non-discriminatory terms,
 	 with licensees paying a modest one-time fee."

 	"I freely license OCB for most (but not all) settings."

And just before that, discriminatory terms are cited for current use:

 	"there is one license grant for open-source software; one for
 	 non-military software; and a third done just for OpenSSL."


See also http://web.cs.ucdavis.edu/~rogaway/ocb/offer.htm

Second, I'm not a cryptographer, but it seems OCB has recently seen some
attacks that might impact the security of OCB:

Cryptanalysis of OCB2
https://eprint.iacr.org/2018/1040

Breaking the confidentiality of OCB2
https://eprint.iacr.org/2018/1087

Plaintext Recovery Attack of OCB2
https://eprint.iacr.org/2018/1090

Note these publications are newer than the publication date of the
draft, so it would be good to discuss this with the draft author or
with CFRG to see how applicable these attacks are to the draft document.

I have no specific remarks about the rc5-rc6 document. It seems useful
to have test vectors, but I am not aware of any IETF protocol using
RC5 or RC6, in which case it might not make sense for the IETF to publish
these test vectors and another standards body might be more appropriate.

Paul