Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-new-curves-04.txt
Eric Rescorla <ekr@rtfm.com> Wed, 10 May 2017 00:00 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21D841298A1 for <curdle@ietfa.amsl.com>; Tue, 9 May 2017 17:00:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LgZkk_Xv1kis for <curdle@ietfa.amsl.com>; Tue, 9 May 2017 17:00:22 -0700 (PDT)
Received: from mail-yb0-x22b.google.com (mail-yb0-x22b.google.com [IPv6:2607:f8b0:4002:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7050D127078 for <curdle@ietf.org>; Tue, 9 May 2017 17:00:22 -0700 (PDT)
Received: by mail-yb0-x22b.google.com with SMTP id p143so4255835yba.2 for <curdle@ietf.org>; Tue, 09 May 2017 17:00:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OAAI4nqlKpfrEXY06lDImsIqz6V48zBkH8Zfu9Ps0vY=; b=XoguZFEd7iavdZbpIEHy7Y7dO2v84b6CJ5ZUDuwjgBbtc14Z+E3x1uXFiMUF3QwaX7 cRpJ+uMFoiCbbxtbcaj+gPcW62iP2aW/tzeS05Irp5KjCSyLCITO1BHT8S1gP5gZl0b/ CaM1T8S9NlVxa8h3ZFA5VoysVsswnm8WI1oEvTB04rEWVLG8/XDX3CrYsLq7MlewPC/m Qw51K5xtY87K+dQCQL/sIbQ1VwbCIe1sDpgdJIYnYIpBWZ2aRJq2JC4WNHNETwc5guNt oK1WogO2ZPiCsXneNSH2bexO1abEjuaPIXbmOliM4Xl1Apk0g0TkM/YvNtJN78TO1LAz rQmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OAAI4nqlKpfrEXY06lDImsIqz6V48zBkH8Zfu9Ps0vY=; b=CauV5WqSEzSX0SSxeTaup8wD42uvZAzG7V4I1pIJHIWa5DzWrTks/xVMnYoFNxRm6E VjC9W6WzWGJugdDUTAS/98e83BfOCAD26I7u4K9fmO76ERuOg8S7Gn7gGTa7yvHqTUc0 tpWmqh+SzSuc3VHH5SPu2FjRvARiepYCevF5UrZR5MVPzlGVfG3yV0oCF8m3li5JcUON yD5XmY/tsMItjk8Rwc84YWC7AcFbPoosrkpUR87mTeVTZjQ3KZ2pTYlN+1GvCRiTNCq9 IxCzyVO4U6boyguZCJNJZEParcC0L5403Vj5wftACees6n413Sp3Yut34n5RL0pYPSr+ 0GIA==
X-Gm-Message-State: AODbwcDy80jmTv6aEUQqRRxnBBgVp0F7Hi1PsxMRXmD+xElJkzxXPEgc YMdNYqoLrmKfXAFt9braD60zqadaJw==
X-Received: by 10.37.215.15 with SMTP id o15mr2599921ybg.119.1494374421655; Tue, 09 May 2017 17:00:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Tue, 9 May 2017 16:59:41 -0700 (PDT)
In-Reply-To: <111B20E8-5253-4A5A-A39E-6926D9350136@vigilsec.com>
References: <CABcZeBPCGj81Br-=C4G4PPhB+vVLGwqi94q-vH1aZVs=MTQzng@mail.gmail.com> <B61A14BA-39DD-4929-8E08-AF7BF0CB9DFE@vigilsec.com> <CABcZeBMMWbGd=SSPmtBHE6XOCRSG8q3NqtJdaMQcK5uxHsqqTA@mail.gmail.com> <5EEB2415-61EF-4B6E-91CA-EE2EB7C3E087@vigilsec.com> <013101d2c8ec$586cd450$09467cf0$@augustcellars.com> <30A1145E-F049-454C-93AB-1445767BA67C@vigilsec.com> <016801d2c901$5e299760$1a7cc620$@augustcellars.com> <1D0D6254-2E6E-4EDD-9FF6-385DA561013D@vigilsec.com> <CABcZeBPfHcku7Lk6=Up351=D+xMSO_pfuqqF4aTaW185As9oSg@mail.gmail.com> <111B20E8-5253-4A5A-A39E-6926D9350136@vigilsec.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 09 May 2017 16:59:41 -0700
Message-ID: <CABcZeBNA_SFR0AOZ3GXbRCpOuzZ_eAwY++OPPM6V4q74CQ00qg@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Jim Schaad <ietf@augustcellars.com>, curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c09dc3690f37a054f20281f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/-M939PBZEphaneP5HovQ857NlPw>
Subject: Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-new-curves-04.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 May 2017 00:00:24 -0000
I guess I would focus on the uniqueness of the input, because the output's uniqueness is largely a function of: 1. Input uniqueness 2. The number of discrete inputs. So, I think I would say: "it MUST be selected in a manner that ensures it is unique with high probability" -Ekr On Tue, May 9, 2017 at 3:35 PM, Russ Housley <housley@vigilsec.com> wrote: > > On May 9, 2017, at 5:16 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Tue, May 9, 2017 at 1:25 PM, Russ Housley <housley@vigilsec.com> wrote: > >> > The ECC-CMS-SharedInfo entityUInfo field optionally contains >> > additional keying material supplied by the sending agent. Note that >> > [CMS] requires implementations to accept a KeyAgreeRecipientInfo >> > SEQUENCE that includes the ukm field. If the ukm field is present, >> > the ukm is placed in the entityUInfo field. The ukm value need not >> > be longer than the key-encryption key that will be produced by the >> > KDF. >> > >> > Need not? Please clarify what the purpose is here. It seems like >> > it's to generate a unique KEK. In that case, the security bounds >> > are what, uniqueness? >> >> I suggest this wording: >> >> … There is no security benefit to using a ukm value that is >> longer than the key-encryption key that will be produced by >> the KDF. >> >> >> Hmm... I believe that this statement is true, but it also seems to be >> incomplete. I may be reasoning about this incorrectly, but it seems >> to me that the minimal security requirement is that the UKM be >> unique, but that can be achieved with a value much smaller than >> the KEK. For instance, it seems like if you have a 256-bit KEK, >> then you would still be OK with a randomly-generated 128-bit >> UKM. And if we're concerned about random collisions, then the >> usefulness bound is actually min(|KEK|, |hash compression function size|). >> >> >> Yes. The umm value needs to be different for each invocation of the KDF, >> otherwise it does not provide the assurance that different keying material >> will be produced. Of course, an implementation will generate the umm value >> using random number generator, not track the values that are used. Several >> years ago, there was a discussion about the size of the ukm needed. Some >> people were suggesting crazy large values, and the point was made that >> anything beyond the SIZEOF(KEK) did not improve security. >> >> Are you asking for a sentence saying that the ukm, if present, MUST be at >> least 128 bits? >> >> [JLS] I would disagree that the value has to be random, a counter will >> work as well. (An encrypted counter is better.) I not be happy with a >> fixed size requirement on this easier. There is no reason to make such a >> requirement that I can think of. A 64-bit counter is just as rational. It >> might make more sense to change this statement into something along the >> lines of >> >> * Any pair of static keys MUST NOT be used more times than the size of >> the key. I.e. if 128-bit KEKs may be used, then there is a 2^128 limit on >> the number of times the key pair can be used. >> * The size of the KEK is normally not longer than the length of the >> resulting KEK as that is the limit of unique values that can be generated >> in any event. >> >> >> Section 2 already says that the ephemeral key MUST be used for only one >> message. Thus, a UKM is not really needed. However, the CMS requires >> support for a UKM if the sender include it. For this reason, the document >> says how to handle it in the KDF if it is present. >> >> You are correct that a counter, encrypted counter, or random value will >> work, even if the originator uses the same ephemeral key for many >> messages. The text does not limit the choices in any way. >> >> The text already says that there is no security reason for a UKM value >> that is longer than the KEK. I think that EKR is asking for guidance on >> the minimum size too. >> >> [JLS] It’s kind of a stupid thing to do, but the minimum size would be >> one bit. Although this is not legal from an ASN.1 standpoint – so the >> minimum would be one byte. >> >> A single byte with all bits zero and two bytes with all bits zero are >> different ukm values because of the way that they are used in the >> ECC-CMS-SharedInfo structure. Note that this would not be the case if the >> ukm value was only used as a salt value to HKDF. I do not see any reason >> to specify a minimum length of this value. The only thing that is required >> is uniqueness, EKR is correct about saying this. >> >> >> I suggest: >> >> The ECC-CMS-SharedInfo entityUInfo field optionally contains >> additional keying material supplied by the sending agent. Note that >> [CMS] requires implementations to accept a KeyAgreeRecipientInfo >> SEQUENCE that includes the ukm field. If the ukm field is present, >> the ukm is placed in the entityUInfo field. When present, the ukm >> ensures that a different key-encryption key is generated, even when >> the originator ephemeral private key is improperly used more than >> once. Therefore, if the ukm field is present, it MUST be selected in >> a manner that ensures a unique KDF output; >> > > Is this actually possible? The KDF is basically a PRF, so there is some > chance that 0*128 and 1*128 produce the same output. > > > s/ensure/will with very high probability produce/ > > Russ > > >
- [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-ne… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Jim Schaad
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Jim Schaad
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Jim Schaad
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley