[Cfrg] advice about best current practices for HIP
"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Wed, 25 April 2012 00:03 UTC
Return-Path: <thomas.r.henderson@boeing.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AD2421F8570 for <cfrg@ietfa.amsl.com>; Tue, 24 Apr 2012 17:03:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -108.599
X-Spam-Level:
X-Spam-Status: No, score=-108.599 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y5UfGHIiN7fa for <cfrg@ietfa.amsl.com>; Tue, 24 Apr 2012 17:03:17 -0700 (PDT)
Received: from stl-smtpout-01.boeing.com (stl-smtpout-01.boeing.com [130.76.96.56]) by ietfa.amsl.com (Postfix) with ESMTP id 03B7C21F8557 for <cfrg@irtf.org>; Tue, 24 Apr 2012 17:03:16 -0700 (PDT)
Received: from stl-av-01.boeing.com (stl-av-01.boeing.com [192.76.190.6]) by stl-smtpout-01.ns.cs.boeing.com (8.14.4/8.14.4/8.14.4/SMTPOUT) with ESMTP id q3P04kwa024487 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 24 Apr 2012 19:04:51 -0500 (CDT)
Received: from stl-av-01.boeing.com (localhost [127.0.0.1]) by stl-av-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_RELAY) with ESMTP id q3P03Snp017274; Tue, 24 Apr 2012 19:03:28 -0500 (CDT)
Received: from XCH-NWHT-02.nw.nos.boeing.com (xch-nwht-02.nw.nos.boeing.com [130.247.70.248]) by stl-av-01.boeing.com (8.14.4/8.14.4/UPSTREAM_RELAY) with ESMTP id q3P03SZv017258 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Tue, 24 Apr 2012 19:03:28 -0500 (CDT)
Received: from XCH-NW-16V.nw.nos.boeing.com ([130.247.25.240]) by XCH-NWHT-02.nw.nos.boeing.com ([130.247.70.248]) with mapi; Tue, 24 Apr 2012 17:02:52 -0700
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "'cfrg@irtf.org'" <cfrg@irtf.org>
Date: Tue, 24 Apr 2012 17:02:52 -0700
Thread-Topic: advice about best current practices for HIP
Thread-Index: Ac0idsJYLzFbb+aKQea5f90FHsHniQ==
Message-ID: <758141CC3D829043A8C3164DD3D593EA1BD24C86F7@XCH-NW-16V.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: 'Robert Moskowitz' <rgm@htt-consult.com>
Subject: [Cfrg] advice about best current practices for HIP
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Apr 2012 00:03:18 -0000
Hello, I'm one of the authors working on revising HIP [*], and I would like advice on how to respond to an IESG comment on RFC5201.
The IESG comment in the experimental specification for HIP reads as follows:
HIP defines the usage of RSA in signing and encrypting data. Current
recommendations propose usage of, for example, RSA OAEP/PSS for these
operations in new protocols. Changing the algorithms to more current
best practice should be considered.
This comment was made over four years ago, and I'm not an expert on cryptography, so I thought I'd check with the CFRG for advice on how to respond now.
1) signature padding
Presently, the HIP draft specifies these algorithms for keys (section 5.2.9 of the draft):
DSA 3 [RFC2536] (RECOMMENDED)
RSA 5 [RFC3110] (REQUIRED)
ECDSA 7 [RFC4754] (RECOMMENDED)
ECDSA_LOW 9 [SECG] (RECOMMENDED)
However, the specification of how to compute the signature is somewhat vague:
3. Compute the signature using the private key corresponding to the
Host Identifier (public key).
I believe that, in practice, whatever default padding was provided by OpenSSL RSA_sign() has been used (I believe it to be PKCS#1 v1.5). I'm wondering whether the way to address this comment is to mandate that, when signatures are computed, and RSA is the key type, the RSAASA-PSS [RFC3447] method of padding is required, and to replace the reference to RFC3110 above with RFC3447.
The above discussion is limited to RSA. Do we need signature specifications for all of these key types, or is it well implied for the other key types how to perform the signatures?
2) encryption padding
HIP uses a block cipher to generate ENCRYPTED parameters, using encryption keys generated by the Diffie Hellman exchange. In practice, the Host Identity (a public key) may be encrypted for privacy in the I2 message.
These ciphers are specified for HIP (section 5.2.8 of the draft):
AES-128-CBC 2 ([RFC3602])
3DES-CBC 3 ([RFC2451])
AES-256-CBC 4 ([RFC3602])
The draft specifies also to use whatever padding is specified by the encryption algorithm, citing PKCS5 for AES, and not mentioning 3DES-CBC padding (in practice, our implementation also pads this according to PKCS5).
I understand that RSAES-OAEP is a padding technique for key transport in particular. However, HIP does not specify RSA for encryption, and does not use 'key transport' mode but rather 'data encryption' mode. Does RSAES-OAEP apply in this case? Should HIP be considering another best practice algorithm for doing this?
In closing, an important consideration for our implementations is availability in OpenSSL, so required algorithms should be supported there.
Thanks,
Tom
[*] http://tools.ietf.org/html/draft-ietf-hip-rfc5201-bis-08
- [Cfrg] advice about best current practices for HIP Henderson, Thomas R
- Re: [Cfrg] advice about best current practices fo… Henderson, Thomas R