IETF Logo Mail Archive

Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ...

"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Fri, 10 February 2017 18:44 UTC

Return-Path: <quynh.dang@nist.gov>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DED63129A8C for <cfrg@ietfa.amsl.com>; Fri, 10 Feb 2017 10:44:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vkUkQOwv6Z0b for <cfrg@ietfa.amsl.com>; Fri, 10 Feb 2017 10:44:52 -0800 (PST)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0130.outbound.protection.outlook.com [23.103.200.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB53112958B for <cfrg@ietf.org>; Fri, 10 Feb 2017 10:44:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1z9z6J/cc0t+QHnziI91nfIQXdVXNsXdr1zFm4w/Bx0=; b=wwcNd9aZ0nPI6T79Pz4PaM2I8D4KsVuW6SW3kGu8/qobNyd7YQaxicCLB2U3y1OCpXe9Z4dJ0i1s9LPbtOL6kFEW6AdOmjZmf3gMcye28fQqVbpRIzgCK7IV88PyuyASr80gueuGWLa4ISAlxW8mzjveYWpEEacKdB4/fnJW5l4=
Received: from CY4PR09MB1464.namprd09.prod.outlook.com (10.173.191.22) by CY4PR09MB1461.namprd09.prod.outlook.com (10.173.191.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Fri, 10 Feb 2017 18:44:51 +0000
Received: from CY4PR09MB1464.namprd09.prod.outlook.com ([10.173.191.22]) by CY4PR09MB1464.namprd09.prod.outlook.com ([10.173.191.22]) with mapi id 15.01.0888.026; Fri, 10 Feb 2017 18:44:50 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: David Jacobson <dmjacobson@sbcglobal.net>, "Dang, Quynh (Fed)" <quynh.dang@nist.gov>, Randal Atkinson <randal.atkinson.ctr@nrl.navy.mil>, Michael StJohns <msj@nthpermutation.com>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Thread-Topic: [Cfrg] Aside Re: [CFRG] erratum for hmac ...
Thread-Index: AQHSgWiX/QOHsp+cqk6PweDPw/SKDKFfEXKkgAKodACAADEvAIAAfMuA///c/wA=
Date: Fri, 10 Feb 2017 18:44:50 +0000
Message-ID: <D4C372FD.2F83A%qdang@nist.gov>
References: <F2C52E74-6FF0-4F72-BFD0-56D39031B4D9@nrl.navy.mil> <CY4PR09MB1464F9936D5C07DF16D29403F3420@CY4PR09MB1464.namprd09.prod.outlook.com> <59d04ca7-aed8-e0e1-bf06-fdd44ccba697@sbcglobal.net> <D4C323A1.2F5E8%qdang@nist.gov> <0d9948b3-074a-ab89-9154-6f2c0c96b464@sbcglobal.net>
In-Reply-To: <0d9948b3-074a-ab89-9154-6f2c0c96b464@sbcglobal.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.1.161129
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.105.150]
x-microsoft-exchange-diagnostics: 1; CY4PR09MB1461; 7:TrR1/p9fUGz1ga6TNNyD4MMyoXLjsQy2IhuUKbpm2Rwh1y0dSlhlYsvphAhTpHIpXKBQVZbcaEoZaaZ5OBSqdyiR5MTIKviA0UWqn2y/nGegPRMZqOUUVutixglYsHc3XJOkf6XKkt/BAdr4eo9S4X+NLiEt2p/rnxvSoWM1GYekkoyq1bHpxBSIgagJ7BtRApMQHF65qi4jlSUeDwx9aw0p0bKnTri+Ez0ADJeylhJDf51YlPHpIiCICZIwkFyy3cfEzZY0LdSbUoCO/u0OFIGvr/D9yfcO+4T4LPKDd0K+RZxFFDLqODhRYRG/NNGIKmEEP1dDT3bi3G7hRDp0jxZtdA7dKM9L0qNjjiXQZsG+CvFhwAdiqAJQfgNrICEFTeox+XH5fVD0xPfcVaALhSx0yzEfd5NUa5uOYn+xwnUEVO/QEcPF1SMG5ZmvDz4No2ye8+ni0vovLqbH+Q8MJj4fsJ+ORT3n3K5eM+fmEl7hlIx74zblma3FoLcJRT64GoBa1JYqoqz8LlMN2QmyBw==
x-forefront-antispam-report: SFV:SKI; SCL:-1SFV:NSPM; SFS:(10019020)(7916002)(39450400003)(39840400002)(39410400002)(39850400002)(39860400002)(199003)(24454002)(377454003)(189002)(6486002)(86362001)(122556002)(4001350100001)(50986999)(66066001)(54356999)(3280700002)(189998001)(76176999)(3660700001)(68736007)(2906002)(2900100001)(4326007)(81166006)(81156014)(7906003)(38730400002)(8936002)(83506001)(8676002)(7736002)(106356001)(105586002)(6246003)(53546003)(106116001)(36756003)(19627405001)(3846002)(92566002)(345774005)(77096006)(229853002)(6436002)(2950100002)(551544002)(5660300001)(99286003)(102836003)(93886004)(6512007)(97736004)(101416001)(236005)(606005)(8656002)(54896002)(25786008)(6116002)(6506006)(53936002)(6306002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR09MB1461; H:CY4PR09MB1464.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
x-ms-office365-filtering-correlation-id: f58eb8ab-f5ec-41a0-de0d-08d451e4e55c
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR09MB1461;
x-microsoft-antispam-prvs: <CY4PR09MB1461D4ADDAFA081AB57B9DADF3440@CY4PR09MB1461.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(192374486261705)(189930954265078)(13052087078022)(4659246709749)(112561432440764);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(6041248)(20161123564025)(20161123560025)(20161123562025)(20161123558025)(20161123555025)(6072148); SRVR:CY4PR09MB1461; BCL:0; PCL:0; RULEID:; SRVR:CY4PR09MB1461;
x-forefront-prvs: 0214EB3F68
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_D4C372FD2F83Aqdangnistgov_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2017 18:44:50.6753 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR09MB1461
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/LD-wpVSn0Fp9Tygu3VHT281qpJY>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ...
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 18:44:57 -0000


From: David Jacobson <dmjacobson@sbcglobal.net<mailto:dmjacobson@sbcglobal.net>>
Date: Friday, February 10, 2017 at 10:50 AM
To: 'Quynh' <Quynh.Dang@nist.gov<mailto:Quynh.Dang@nist.gov>>, Randal Atkinson <randal.atkinson.ctr@nrl.navy.mil<mailto:randal.atkinson.ctr@nrl.navy.mil>>, Michael StJohns <msj@nthpermutation.com<mailto:msj@nthpermutation.com>>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk<mailto:Kenny.Paterson@rhul.ac.uk>>
Cc: "cfrg@ietf.org<mailto:cfrg@ietf.org>" <cfrg@ietf.org<mailto:cfrg@ietf.org>>
Subject: Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ...

In engineering, we like to be able to think of things as black boxes with specifications.  If you follow the rules in the specification, it works properly.

The problem here is that HMAC fails to do this.  If you use HMAC with a key larger that the input block size (allowed), and you reveal the hash of the key (a la original /etc/password), you can lose security.

In our guildlines, we require to keep K0 as secret key.



My suggestion would be to add wording to the specification that says ( a) that use of keys larger than the input block size is discouraged, and (b) if the keys larger than the input block size are used, the H(K) is also sensitive and must be protected with the same diligence as the key would be protected.

    --David Jacobson


Thank you,
Quynh.




On 2/10/17 5:23 AM, Dang, Quynh (Fed) wrote:
See my discussion below.

From: David Jacobson <dmjacobson@sbcglobal.net<mailto:dmjacobson@sbcglobal.net>>
Date: Friday, February 10, 2017 at 12:27 AM
To: 'Quynh' <Quynh.Dang@nist.gov<mailto:Quynh.Dang@nist.gov>>, Randal Atkinson <randal.atkinson.ctr@nrl.navy.mil<mailto:randal.atkinson.ctr@nrl.navy.mil>>, Michael StJohns <msj@nthpermutation.com<mailto:msj@nthpermutation.com>>, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk<mailto:Kenny.Paterson@rhul.ac.uk>>
Cc: "cfrg@ietf.org<mailto:cfrg@ietf.org>" <cfrg@ietf.org<mailto:cfrg@ietf.org>>
Subject: Re: [Cfrg] Aside Re: [CFRG] erratum for hmac ...

See interleaved comment.

On 2/8/17 5:31 AM, Dang, Quynh (Fed) wrote:

Randal, Michael and many others,


Thank you for your suggestions.


Kenny,


Thank you for your discussion email.


We are thinking about what would be the best option for HMAC.  Some technical possibilities are below.


1) Don't change the HMAC spec.

Ask a HMAC key always to have a fixed length such as HMAC-SHA256 having 256-bit key. Which means that all protocols using HMAC-SHA256 use 256-bit keys.

If each protocol uses a different key length, then the issue would still exist across protocols. I don't know if this is a practical security problem, but it seems like a problem that should be avoided.

Should ask HMAC keys to be processed/produced by a hash function or another PRF always.

I don't see the need or even desirability for this, assuming you ask each protocol to use a fixed (for that protocol) key length.  (That was the line above.)

For an attacker to find two messages with the same HMAC, not knowing the key, he would have to find a collision in the first stage, not knowing the first block.  And if you add an extra hash, you are only making it easier.  He has to get a collision in the pre-hash, where he knows everything.

Of course, the hash function must be a collision-resistant one.

The reason for hashing the key or the key is produced by a good hash function or a PRF is to make the key become more of a "random key" as you know HMAC is a PRF as keys are selected randomly, not selectively.

Quynh.





   --David Jacobson

This option does not break interoperability of  the current HMAC implementations.

2) Change the HMAC Spec.

a) Always hash the key regardless of its length, then perform step 3 in FIPS 198.
b) Use a hash-based KDF (not HKDF) to produce B bits from the key, then go to step 4 in the FIPS. (bad for performance).
c) Require key < B, then do multi-rate padding 10* to make the key B bits, then go to step 4 in the FIPS. (good for performance).

We recommend the use of KMAC in SP 800-185. KMAC's security is solid and proven, and it has great performance. Code to implement KMAC can be reused to implement many other Keccak-derived symmetric-key crypto functions.

Regards,
Quynh.
________________________________
From: Randal Atkinson <randal.atkinson.ctr@nrl.navy.mil><mailto:randal.atkinson.ctr@nrl.navy.mil>
Sent: Tuesday, February 7, 2017 12:34 PM
To: Dang, Quynh (Fed)
Cc: Randal Atkinson
Subject: Aside Re: [CFRG] erratum for hmac ...


One option available to NIST would be for NIST to open comments
on updating FIPS 198-1, even if opening comments on that now/soon
would be earlier than NIST ordinarily would do so.

Given how long it takes to move from an approved FIPS revision
to widespread US Government deployment, if data exists from
Kenny P and/or others that merits an update, then starting sooner
would not be a bad thing for the USG.

Cheers,

Ran Atkinson

--------------------------------
Randal Atkinson, PhD
Cheltenham Research for NRL 5520
randal.atkinson.ctr@nrl.navy.mil<mailto:randal.atkinson.ctr@nrl.navy.mil>




_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email