Re: [Cfrg] HIP Help (I hope!)
"Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu> Thu, 14 June 2012 15:21 UTC
Return-Path: <prvs=75126a4a1d=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CC6321F86E8 for <cfrg@ietfa.amsl.com>; Thu, 14 Jun 2012 08:21:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.201
X-Spam-Level:
X-Spam-Status: No, score=-5.201 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rn61wZItKJQ for <cfrg@ietfa.amsl.com>; Thu, 14 Jun 2012 08:21:01 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF8E21F86DB for <cfrg@irtf.org>; Thu, 14 Jun 2012 08:21:01 -0700 (PDT)
Received: from LLE2K7-HUB02.mitll.ad.local (LLE2K7-HUB02.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id q5EFKmiZ013077; Thu, 14 Jun 2012 11:20:49 -0400
From: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
To: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>, "Henderson, Thomas R" <thomas.r.henderson@boeing.com>, "'Igoe, Kevin M.'" <kmigoe@nsa.gov>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 14 Jun 2012 11:20:45 -0400
Thread-Topic: [Cfrg] HIP Help (I hope!)
Thread-Index: Ac1KQUaKUXuLcxqISOyYU+PSEwQiMA==
Message-ID: <CBFF78AB.D4DF%uri@ll.mit.edu>
In-Reply-To: <CBFF6170.D4CA%uri@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.12.0.110505
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3422517645_124514339"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.7.7855, 1.0.260, 0.0.0000 definitions=2012-06-14_04:2012-06-14, 2012-06-14, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=2 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=6.0.2-1203120001 definitions=main-1206140131
Cc: 'Robert Moskowitz' <rgm@htt-consult.com>
Subject: Re: [Cfrg] HIP Help (I hope!)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2012 15:21:04 -0000
Oops, just noticed that this seems to be about transporting the keys. Sorry! Yes, RSA-OAEP is very good for that (though my argument about not using RSA if you already have a symmetric key established still holds). You may also consider ECIES instead of or in addition to RSA, to support Elliptic Curve suite. -- Regards, Uri Blumenthal Voice: (781) 981-1638 >> Kevin and all, .. >> For the keys used in HIP themselves (used for signing/authentication), HIP >> specifies these types: >> DSA 3 [RFC2536 <http://tools.ietf.org/html/rfc2536> ] >> (RECOMMENDED) > Considering Suite B, I am not sure I'd still recommend DSA. >> RSA 5 [RFC3110 <http://tools.ietf.org/html/rfc3110> ] >> (REQUIRED) > Well, I'd move from RSA, but I recognize the reality megatons of > already-deployed RSA code and certs >> ECDSA 7 [RFC4754 <http://tools.ietf.org/html/rfc4754> ] >> (RECOMMENDED) > Yes, and I'd consider elevating ECDSA to REQUIRED, to facilitate and encourage > the move. >> ECDSA_LOW 9 [SECG >> <http://tools.ietf.org/html/draft-ietf-hip-rfc5201-bis-08#ref-SECG> ] >> (RECOMMENDED) > I would drop ECDSA_LOW altogether. > >> The feedback that I received was to follow NIST 800-131A on key strength >> regarding all of these key types, and to consider not using ECDSA_LOW. We'd >> like to retain ECDSA_LOW, suitably caveated ("defined for devices with low >> computational capabilities"). For DSA, we could replace the existing >> reference to a reference to FIPS 186-3 and also reference RFC 5114 2.3 with >> 2048-bit subgroups for use with SHA2-256. > At the very least. SHA3 should come out some time this year do you care to > wait? > >> The hash used for RSA and DSA signature is SHA-256, so I don't think any >> change is needed there. > It should be sufficient, based on what we currently know. > >> For RSA signature padding, the RSAASA-PSS [RFC3447] should replace the >> reference to RFC3110 above, and explicitly state that PSS instead of PKCS1.5 >> padding is used. I am not sure whether we need to state anything about >> padding for other signature types (guidance here would be helpful). > I'll let others comment on this. > >> Regarding OAEP, currently HIP specifies these ciphers for use in the >> ENCRYPTED parameter (used to encrypt small blocks of data): >> AES-128-CBC 2 ([RFC3602]) required >> 3DES-CBC 3 ([RFC2451]) >> AES-256-CBC 4 ([RFC3602]) >> >> I believe that we are being asked to also support RSA-OAEP here (RFC 4055). >> Would specifing an additional (non-required) option for RSAES-OAEP >> ([RFC4055]) suffice, or is OAEP a preferred technique for encrypting >> parameters over AES-128-CBC? > RSA-OAEP as a preferred technique to encrypt what? For passing along AES and > other cryptographic keys sure, it's a great mechanism. To encrypt data > chunks (large or small) if/when you already have an AES key established > between the parties no way. To infrequently send small things when you don't > have a symmetric key established if you want to be 10% stateless, then yes, > RSA-OAEP would do the job; but if you can afford setting up a symmetric > channel and/or plan on exchanging a whole bunch of these small things you're > better off not using RSA-OAEP for data transfer... >> Also, I understand that we ought to consider clarifying that 3DES-CBC is >> the three-key variant (NIST 800-131A), or removing it altogether (which I >> think is what you advocated below). > I would just remove it, as I see no purpose in carrying 3DES over. > >> Regarding encryption padding, the current draft specifies to use whatever >> padding is specified by the encryption algorithm, citing PKCS5 for AES, and >> not mentioning 3DES-CBC padding (in practice, our implementation also pads >> this according to PKCS5). > Why not :)
- [Cfrg] HIP Help (I hope!) Igoe, Kevin M.
- Re: [Cfrg] HIP Help (I hope!) Igoe, Kevin M.
- Re: [Cfrg] HIP Help (I hope!) Henderson, Thomas R
- Re: [Cfrg] HIP Help (I hope!) Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] HIP Help (I hope!) Blumenthal, Uri - 0668 - MITLL
- Re: [Cfrg] HIP Help (I hope!) Henderson, Thomas R