[COSE] Comments on SHAKE usage in draft-ietf-cose-hash-algs-09.txt
Robert Moskowitz <rgm-sec@htt-consult.com> Mon, 16 November 2020 21:21 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 772E93A1481
for <cose@ietfa.amsl.com>; Mon, 16 Nov 2020 13:21:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id bLiZYF-A9xKv for <cose@ietfa.amsl.com>;
Mon, 16 Nov 2020 13:21:22 -0800 (PST)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
bits)) (No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 007B13A147C
for <cose@ietf.org>; Mon, 16 Nov 2020 13:21:21 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
by z9m9z.htt-consult.com (Postfix) with ESMTP id 7150662653
for <cose@ietf.org>; Mon, 16 Nov 2020 16:21:20 -0500 (EST)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1])
by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id g506E01mTxvx for <cose@ietf.org>;
Mon, 16 Nov 2020 16:21:15 -0500 (EST)
Received: from lx140e.htt-consult.com (unknown [192.168.160.29])
(using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 30450625F7
for <cose@ietf.org>; Mon, 16 Nov 2020 16:21:13 -0500 (EST)
To: cose@ietf.org
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <5d963e0b-e045-907e-426c-bdb0781d0a90@htt-consult.com>
Date: Mon, 16 Nov 2020 16:21:09 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/4EXQdhRgS8gAkW7pfs-rRnz3ZTk>
Subject: [COSE] Comments on SHAKE usage in draft-ietf-cose-hash-algs-09.txt
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>,
<mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>,
<mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2020 21:21:23 -0000
I appologize for only reviewing this draft now. My focus has been on DRIP where I have been using Keccak derived functions... Review and suggested editorial additions to sec 3.3: "The length of the hash value stored is 256-bits for SHAKE-128 and 512-bits for SHAKE-256." I am reading this as there is a field where the length of the hash output is carried, and it is 256 bits long for SHAKE-128 and 512-bits for SHAKE-256. This is extreme overkill and would only be justified in a protocol that is concerned about bits on the wire if these are the sizes of these fields for other algorithms. A length field of 8 bits would handle a hash length of 255 bits, so the max needed should only be 12 bits. But if this is what is used elsewhere and simplfies coding, I can see why it was specified this way, but it is a bad choice for bits on the wire, or the meaning of the text is wrong. Perhaps it should be: "The hash length of the hash value is stored in 256-bits for SHAKE-128 and 512-bits for SHAKE-256." If the meaning is this is the fixed SIZE of the hash outputs, I would clear up the text as follows: "Although SHAKE can create any length hash, here it is fixed. The fixed length of the hash value stored is 256-bits for SHAKE-128 and 512-bits for SHAKE-256." Obviously, I as an outside reader that has worked with Keccak functions is confused. What about readers that have not spent time with the various Keccak functions? Now if your intent is a variable length hash support, then the Security Considerations needs to reflect the warning in FIPS 202, Appendix A.1 and A.2: "The security strengths for SHAKE are provided in [FIPS 202], Appendix A.1, Table 4. Further, considering Appendix A.2, note that SHAKE has the potential for generating related outputs—a property that designers of security applications/protocols/systems may not expect of hash functions. This property is important to consider in the development of applications of SHAKE. If an attacker is able to induce one of the parties to use a different value for keylength, say 168 bits, but the same value for hashmaterial, then the two parties will end up with the following hashs: SHAKE128(hashmaterial, 112) = fg SHAKE128(hashmaterial, 168) = fgh, By incorporating the length of the output and/or other information with the message input to the hash, a disagreement or misunderstanding between two users of SHAKE about the length of the hash they are deriving would almost certainly not lead to related outputs." Thank you for your consideration. Robert Moskowitz
- [COSE] Comments on SHAKE usage in draft-ietf-cose… Robert Moskowitz
- Re: [COSE] Comments on SHAKE usage in draft-ietf-… Matthew Miller
- Re: [COSE] Comments on SHAKE usage in draft-ietf-… Robert Moskowitz
- Re: [COSE] Comments on SHAKE usage in draft-ietf-… Matthew Miller