Re: [Cfrg] New Version Notification for draft-mcgrew-aead-aes-cbc-hmac-sha2-03.txt

"Manger, James" <James.H.Manger@team.telstra.com> Fri, 14 February 2014 02:44 UTC

From: "Manger, James" <James.H.Manger@team.telstra.com>
To: David McGrew <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Fri, 14 Feb 2014 13:44:38 +1100
Message-ID: <255B9BB34FB7D647A506DC292726F6E1153B3DA948@WSMSG3153V.srv.dir.telstra.com>
References: <20140214004117.27381.4308.idtracker@ietfa.amsl.com> <52FD6815.70402@cisco.com>
In-Reply-To: <52FD6815.70402@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/fO9YucGcmCx5ZiQ9_1kKQI7i0Ug

> Title: Authenticated Encryption with AES-CBC and HMAC-SHA
> Htmlized:       http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-03


Section 2.1. "Encryption" adds:

  "The key MUST MUST be generated in a way that is uniformly random or pseudorandom"

This must be a doubly important requirement ;-)


Section 2.2 "Decryption" step 5 talks about removing the padding (1 byte of 0x01 to 16 bytes of 0x10). It requires an implementation to partially check the padding, but not completely. For instance, if the last byte is 0x22 then the operation fails and data is zeroized. Whereas if the last 2 bytes are 0x22 0x02 then decryption will probably succeed, removing those 2 bytes as padding. A better implementation is probably to infer the padding length from the last 4 bits. That can never fail.


Section 2.4 AEAD_AES_128_CBC_HMAC_SHA_256 has the wrong key length. The key length is mentioned twice. Both should be 32 octets. One was wrong in the previous draft, but now both are wrong! I guess a fix was applied at the wrong point.


Typo: missing ) in section 2.4
   makes use of a random value (the IV described in Appendix A.

Typo: section 2.4
WRONG   ...(AES) [FIPS197] block cipher defined in CBC mode.
RIGHT   ...(AES) [FIPS197] block cipher in CBC mode.


Otherwise it looks great.

--
James Manger