Re: [Cfrg] advice about best current practices for HIP
"Henderson, Thomas R" <thomas.r.henderson@boeing.com> Fri, 11 May 2012 14:29 UTC
Return-Path: <thomas.r.henderson@boeing.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 279BB21F8686 for <cfrg@ietfa.amsl.com>; Fri, 11 May 2012 07:29:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.932
X-Spam-Level:
X-Spam-Status: No, score=-104.932 tagged_above=-999 required=5 tests=[AWL=-2.333, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tb8t5lGdOAJw for <cfrg@ietfa.amsl.com>; Fri, 11 May 2012 07:29:52 -0700 (PDT)
Received: from slb-mbsout-01.boeing.com (slb-mbsout-01.boeing.com [130.76.64.128]) by ietfa.amsl.com (Postfix) with ESMTP id 7CA1221F860B for <cfrg@irtf.org>; Fri, 11 May 2012 07:29:48 -0700 (PDT)
Received: from slb-mbsout-01.boeing.com (localhost.localdomain [127.0.0.1]) by slb-mbsout-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with ESMTP id q4BETlv3023996 for <cfrg@irtf.org>; Fri, 11 May 2012 07:29:48 -0700
Received: from stl-av-01.boeing.com (stl-av-01.boeing.com [130.247.228.54]) by slb-mbsout-01.boeing.com (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id q4BETkXv023967 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 11 May 2012 07:29:46 -0700
Received: from stl-av-01.boeing.com (localhost.localdomain [127.0.0.1]) by stl-av-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_RELAY) with ESMTP id q4BETjMA026283; Fri, 11 May 2012 09:29:46 -0500
Received: from XCH-NWHT-11.nw.nos.boeing.com (xch-nwht-11.nw.nos.boeing.com [130.247.25.114]) by stl-av-01.boeing.com (8.14.4/8.14.4/UPSTREAM_RELAY) with ESMTP id q4BETjAe026267 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Fri, 11 May 2012 09:29:45 -0500
Received: from XCH-NW-16V.nw.nos.boeing.com ([130.247.25.240]) by XCH-NWHT-11.nw.nos.boeing.com ([130.247.25.114]) with mapi; Fri, 11 May 2012 07:29:45 -0700
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "'cfrg@irtf.org'" <cfrg@irtf.org>
Date: Fri, 11 May 2012 07:29:44 -0700
Thread-Topic: advice about best current practices for HIP
Thread-Index: Ac0idsJYLzFbb+aKQea5f90FHsHniQNC5QWw
Message-ID: <758141CC3D829043A8C3164DD3D593EA1BD24C87A1@XCH-NW-16V.nw.nos.boeing.com>
References: <758141CC3D829043A8C3164DD3D593EA1BD24C86F7@XCH-NW-16V.nw.nos.boeing.com>
In-Reply-To: <758141CC3D829043A8C3164DD3D593EA1BD24C86F7@XCH-NW-16V.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: No
Cc: 'Robert Moskowitz' <rgm@htt-consult.com>
Subject: Re: [Cfrg] advice about best current practices for HIP
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2012 14:29:53 -0000
Hi, I was wondering if anyone was going to be able to respond to the below questions, or if we should proceed otherwise. - Tom > -----Original Message----- > From: Henderson, Thomas R > Sent: Tuesday, April 24, 2012 5:03 PM > To: 'cfrg@irtf.org' > Cc: 'Tobias Heer'; 'Robert Moskowitz' > Subject: advice about best current practices for HIP > > Hello, I'm one of the authors working on revising HIP [*], and I would > like advice on how to respond to an IESG comment on RFC5201. > > The IESG comment in the experimental specification for HIP reads as > follows: > > HIP defines the usage of RSA in signing and encrypting data. > Current > recommendations propose usage of, for example, RSA OAEP/PSS for > these > operations in new protocols. Changing the algorithms to more > current > best practice should be considered. > > This comment was made over four years ago, and I'm not an expert on > cryptography, so I thought I'd check with the CFRG for advice on how to > respond now. > > 1) signature padding > > Presently, the HIP draft specifies these algorithms for keys (section > 5.2.9 of the draft): > > DSA 3 [RFC2536] (RECOMMENDED) > RSA 5 [RFC3110] (REQUIRED) > ECDSA 7 [RFC4754] (RECOMMENDED) > ECDSA_LOW 9 [SECG] (RECOMMENDED) > > However, the specification of how to compute the signature is somewhat > vague: > > 3. Compute the signature using the private key corresponding to the > Host Identifier (public key). > > I believe that, in practice, whatever default padding was provided by > OpenSSL RSA_sign() has been used (I believe it to be PKCS#1 v1.5). I'm > wondering whether the way to address this comment is to mandate that, > when signatures are computed, and RSA is the key type, the RSAASA-PSS > [RFC3447] method of padding is required, and to replace the reference > to RFC3110 above with RFC3447. > > The above discussion is limited to RSA. Do we need signature > specifications for all of these key types, or is it well implied for > the other key types how to perform the signatures? > > 2) encryption padding > > HIP uses a block cipher to generate ENCRYPTED parameters, using > encryption keys generated by the Diffie Hellman exchange. In practice, > the Host Identity (a public key) may be encrypted for privacy in the I2 > message. > > These ciphers are specified for HIP (section 5.2.8 of the draft): > > AES-128-CBC 2 ([RFC3602]) > 3DES-CBC 3 ([RFC2451]) > AES-256-CBC 4 ([RFC3602]) > > The draft specifies also to use whatever padding is specified by the > encryption algorithm, citing PKCS5 for AES, and not mentioning 3DES-CBC > padding (in practice, our implementation also pads this according to > PKCS5). > > I understand that RSAES-OAEP is a padding technique for key transport > in particular. However, HIP does not specify RSA for encryption, and > does not use 'key transport' mode but rather 'data encryption' mode. > Does RSAES-OAEP apply in this case? Should HIP be considering another > best practice algorithm for doing this? > > In closing, an important consideration for our implementations is > availability in OpenSSL, so required algorithms should be supported > there. > > Thanks, > Tom > > [*] http://tools.ietf.org/html/draft-ietf-hip-rfc5201-bis-08
- [Cfrg] advice about best current practices for HIP Henderson, Thomas R
- Re: [Cfrg] advice about best current practices fo… Henderson, Thomas R