RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms
Sean Shuo Shen <sshen@huawei.com> Fri, 04 January 2008 07:23 UTC
Return-path: <cfrg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JAgta-0000D4-TC; Fri, 04 Jan 2008 02:23:10 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JAgtZ-0000Cx-Hs for cfrg@ietf.org; Fri, 04 Jan 2008 02:23:09 -0500
Received: from szxga01-in.huawei.com ([61.144.161.53]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1JAgtX-00085i-DM for cfrg@ietf.org; Fri, 04 Jan 2008 02:23:09 -0500
Received: from huawei.com (szxga01-in [172.24.2.3]) by szxga01-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0JU300HTCZ5CUO@szxga01-in.huawei.com> for cfrg@ietf.org; Fri, 04 Jan 2008 15:22:24 +0800 (CST)
Received: from huawei.com ([172.24.1.24]) by szxga01-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0JU300JQ4Z5BUV@szxga01-in.huawei.com> for cfrg@ietf.org; Fri, 04 Jan 2008 15:22:24 +0800 (CST)
Received: from s102542 ([10.111.12.53]) by szxml04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0JU300I73Z58JU@szxml04-in.huawei.com> for cfrg@ietf.org; Fri, 04 Jan 2008 15:22:23 +0800 (CST)
Date: Fri, 04 Jan 2008 15:22:20 +0800
From: Sean Shuo Shen <sshen@huawei.com>
Subject: RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms
In-reply-to: <477DC7BE.6010102@isi.edu>
To: 'Joe Touch' <touch@isi.edu>
Message-id: <006201c84ea2$8b12e940$350c6f0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7bit
Thread-index: AchOlYIbI0SMXXrETkieNxZeh4c/2QABfqWQ
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc: saag@mit.edu, cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
>>> For these reasons, and because of the potential to constrain the >>> evolution of TCP, I would urge the MAC computation to treat the >>> non-zeroed TCP header and pseudoheader fields as opaque. > >> I also believe some other bits in TCP header might be different even if the >> TCP is retransmitting the same segment. But all of these changes can easily >> be included in the PRF input when the nonce is calculated (it won't be heavy >> work compared with the calculation of MAC) to make sure different nonces are >> used when the authenticated content changes. >Steve B. suggests not corrupting the FIPS boundary by using TCP header >info. The FIPS boundary does matter only if the use of TCP header info is cryptographic significant. For example, using seq num as a random seed definitely is not a good idea. However, in a calculation like: nonce=PRF(key, seqnum and other header info) The seqnum et.al. are to provide difference of input to get different output. It works like a index and totally allowed to be predictable (it can even be a counter just like the nonce processing part of umac: PRF(key, counter)). When we are not using a seqnum as a random source we don't have to worry it's not random enough. >I am suggesting not limiting TCP design by making assumptions >about the TCP header's uniqueness in each transmitted segment. In a tcp transmission, as long as the MAC protected content are different, there will be enough difference in tcp header (seq num et.al., actually, the possible difference in option field or other bits are also good to contribute difference here). This difference will be good enough for both sides to generate different nonce for MAC calculation. It's not to make any assumption here. >We thus have two reasons not to do this; I hope that's sufficient reason >to either have a shorter MAC coupled with an explicit nonce, a longer >overall option field, or to seek algorithms that avoid the need for nonces. The two ways mentioned above both have the advantage of simple implementation. But implicit nonce generated by both sides is also achievable, and the benefit of it will be: less bytes in MAC transmission, more randomness (from PRF key, not from seqnum), more variety. Sean _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Re: [saag] TCP-AO MAC algorithms mcgrew
- RE: [Cfrg] Re: [saag] TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- Re: [Cfrg] Re: [saag] TCP-AO MAC algorithms mcgrew
- Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms Stephen Kent
- RE: [Cfrg] Re: [saag] TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms Steven M. Bellovin
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- Re: [saag] [Cfrg] Re: TCP-AO MAC algorithms Steven M. Bellovin
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Stephen Kent
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen
- RE: [saag] [Cfrg] Re: TCP-AO MAC algorithms Sean Shuo Shen