Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-new-curves-04.txt
Eric Rescorla <ekr@rtfm.com> Wed, 10 May 2017 22:07 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D98EF1293E8 for <curdle@ietfa.amsl.com>; Wed, 10 May 2017 15:07:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9QzJQeM5zqV2 for <curdle@ietfa.amsl.com>; Wed, 10 May 2017 15:07:34 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 156051292C5 for <curdle@ietf.org>; Wed, 10 May 2017 15:07:34 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id b68so4620202ywe.3 for <curdle@ietf.org>; Wed, 10 May 2017 15:07:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ic+ufQODi+fXwusZ+hdUJrLMplGzjd9ZDaelVcjRtn0=; b=s2PXtk947+SLeeR28AmNDajV7AueV7WhJTMDc7voeHGXgb/Cd17/nxFMeGuh/Jlxqo I1/eUbDKhU8udelplOGF4SfoEefNA6zBb/6+PGqInXMNvp2RysP4kr47nzqh6IJMin9m ajcs8d8n3nziTFGVt2hqe6dMnHZ77L9xm+IkARQdbOvkdefD5IZ3op8+bH8MlTK5gf/Q lWDZTINtcXaXQLvuAwrm7/22R0Dkn4QFUpG/hV5frlQzV3/Fdk9HXZeYDBjVv3N451Uo 0dtY/VKL5b9qve2n47LLMh2F+XON5T+I65+CacBoZ01b0pQu+JMdbN4RnViqR2iS5T8U /LBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ic+ufQODi+fXwusZ+hdUJrLMplGzjd9ZDaelVcjRtn0=; b=lgjNGQ2xch+ovoWmjdpSmpkJjJnFgsz4XVW720UxStf+PvA3VcWBmo6vDt8SqFKAXW K11o2Cdw75pyYhPHKossgy2rVfhxRGxmQjjyIA12qX3XirREStfFELZWkz0egYTluNKO rAbuUmlrykVOGpWvQdPn93YDFZyHSsSnvaWpMak2ISrFlPR6Y1zDMc8J7a2dZi9cpHLr H6NvlVqBx3And2VkCNOQmPg1/oHGP0s9N7jXJRQD3dluc1eRXV0LtytNK1IQqfBXnbPk WEAJtdcJmJEyUxKTngAyRNan1qKxGFoSPhImo944uv/eU7gufbkX0V/05rGQpYgDEhRs kzGg==
X-Gm-Message-State: AODbwcBEU52/JBem05YpjzgmPfEo/r3bTanGEpQmkieRdY6N8Y3uzbu8 QC9mQOwtA3vRL7CmiU2rF+MDSVH1F7rjtlw=
X-Received: by 10.13.255.199 with SMTP id p190mr6530668ywf.312.1494454053237; Wed, 10 May 2017 15:07:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Wed, 10 May 2017 15:06:52 -0700 (PDT)
In-Reply-To: <14BFAE56-7FA4-454D-9447-F7DB6492CB28@vigilsec.com>
References: <CABcZeBPCGj81Br-=C4G4PPhB+vVLGwqi94q-vH1aZVs=MTQzng@mail.gmail.com> <B61A14BA-39DD-4929-8E08-AF7BF0CB9DFE@vigilsec.com> <CABcZeBMMWbGd=SSPmtBHE6XOCRSG8q3NqtJdaMQcK5uxHsqqTA@mail.gmail.com> <5EEB2415-61EF-4B6E-91CA-EE2EB7C3E087@vigilsec.com> <013101d2c8ec$586cd450$09467cf0$@augustcellars.com> <30A1145E-F049-454C-93AB-1445767BA67C@vigilsec.com> <016801d2c901$5e299760$1a7cc620$@augustcellars.com> <1D0D6254-2E6E-4EDD-9FF6-385DA561013D@vigilsec.com> <CABcZeBPfHcku7Lk6=Up351=D+xMSO_pfuqqF4aTaW185As9oSg@mail.gmail.com> <111B20E8-5253-4A5A-A39E-6926D9350136@vigilsec.com> <CABcZeBNA_SFR0AOZ3GXbRCpOuzZ_eAwY++OPPM6V4q74CQ00qg@mail.gmail.com> <14BFAE56-7FA4-454D-9447-F7DB6492CB28@vigilsec.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 10 May 2017 15:06:52 -0700
Message-ID: <CABcZeBOqOr2tXg-0rfqUSPQcfLnY3htspSWkm6Wf60cEU76k2g@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Jim Schaad <ietf@augustcellars.com>, curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c087eeafa1fa1054f32b214"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/-lrTPwarVaf1A_uMYivlIGGwXKo>
Subject: Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-new-curves-04.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 May 2017 22:07:37 -0000
I apologize but I just took a look at the language around invalid points. I would suggest you use the same language as TLS here: For X25519 and X448, implementations SHOULD use the approach specified in [RFC7748] to calculate the Diffie-Hellman shared secret. Implementations MUST check whether the computed Diffie-Hellman shared secret is the all-zero value and abort if so, as described in Section 6 of [RFC7748]. If implementers use an alternative implementation of these elliptic curves, they SHOULD perform the additional checks specified in Section 7 of [RFC7748]. LMK what you think. Best, -Ekr On Wed, May 10, 2017 at 6:50 AM, Russ Housley <housley@vigilsec.com> wrote: > Yes, that works for me. I’ll post an updated I-D later today. > > Russ > > > On May 9, 2017, at 7:59 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > I guess I would focus on the uniqueness of the input, because the output's > uniqueness is largely a function of: > > 1. Input uniqueness > 2. The number of discrete inputs. > > So, I think I would say: > > "it MUST be selected in a manner that ensures it is unique with high > probability" > > -Ekr > > > > On Tue, May 9, 2017 at 3:35 PM, Russ Housley <housley@vigilsec.com> wrote: > >> >> On May 9, 2017, at 5:16 PM, Eric Rescorla <ekr@rtfm.com> wrote: >> >> >> On Tue, May 9, 2017 at 1:25 PM, Russ Housley <housley@vigilsec.com> >> wrote: >> >>> > The ECC-CMS-SharedInfo entityUInfo field optionally contains >>> > additional keying material supplied by the sending agent. Note that >>> > [CMS] requires implementations to accept a KeyAgreeRecipientInfo >>> > SEQUENCE that includes the ukm field. If the ukm field is present, >>> > the ukm is placed in the entityUInfo field. The ukm value need not >>> > be longer than the key-encryption key that will be produced by the >>> > KDF. >>> > >>> > Need not? Please clarify what the purpose is here. It seems like >>> > it's to generate a unique KEK. In that case, the security bounds >>> > are what, uniqueness? >>> >>> I suggest this wording: >>> >>> … There is no security benefit to using a ukm value that is >>> longer than the key-encryption key that will be produced by >>> the KDF. >>> >>> >>> Hmm... I believe that this statement is true, but it also seems to be >>> incomplete. I may be reasoning about this incorrectly, but it seems >>> to me that the minimal security requirement is that the UKM be >>> unique, but that can be achieved with a value much smaller than >>> the KEK. For instance, it seems like if you have a 256-bit KEK, >>> then you would still be OK with a randomly-generated 128-bit >>> UKM. And if we're concerned about random collisions, then the >>> usefulness bound is actually min(|KEK|, |hash compression function >>> size|). >>> >>> >>> Yes. The umm value needs to be different for each invocation of the KDF, >>> otherwise it does not provide the assurance that different keying material >>> will be produced. Of course, an implementation will generate the umm value >>> using random number generator, not track the values that are used. Several >>> years ago, there was a discussion about the size of the ukm needed. Some >>> people were suggesting crazy large values, and the point was made that >>> anything beyond the SIZEOF(KEK) did not improve security. >>> >>> Are you asking for a sentence saying that the ukm, if present, MUST be >>> at least 128 bits? >>> >>> [JLS] I would disagree that the value has to be random, a counter will >>> work as well. (An encrypted counter is better.) I not be happy with a >>> fixed size requirement on this easier. There is no reason to make such a >>> requirement that I can think of. A 64-bit counter is just as rational. It >>> might make more sense to change this statement into something along the >>> lines of >>> >>> * Any pair of static keys MUST NOT be used more times than the size of >>> the key. I.e. if 128-bit KEKs may be used, then there is a 2^128 limit on >>> the number of times the key pair can be used. >>> * The size of the KEK is normally not longer than the length of the >>> resulting KEK as that is the limit of unique values that can be generated >>> in any event. >>> >>> >>> Section 2 already says that the ephemeral key MUST be used for only one >>> message. Thus, a UKM is not really needed. However, the CMS requires >>> support for a UKM if the sender include it. For this reason, the document >>> says how to handle it in the KDF if it is present. >>> >>> You are correct that a counter, encrypted counter, or random value will >>> work, even if the originator uses the same ephemeral key for many >>> messages. The text does not limit the choices in any way. >>> >>> The text already says that there is no security reason for a UKM value >>> that is longer than the KEK. I think that EKR is asking for guidance on >>> the minimum size too. >>> >>> [JLS] It’s kind of a stupid thing to do, but the minimum size would be >>> one bit. Although this is not legal from an ASN.1 standpoint – so the >>> minimum would be one byte. >>> >>> A single byte with all bits zero and two bytes with all bits zero are >>> different ukm values because of the way that they are used in the >>> ECC-CMS-SharedInfo structure. Note that this would not be the case if the >>> ukm value was only used as a salt value to HKDF. I do not see any reason >>> to specify a minimum length of this value. The only thing that is required >>> is uniqueness, EKR is correct about saying this. >>> >>> >>> I suggest: >>> >>> The ECC-CMS-SharedInfo entityUInfo field optionally contains >>> additional keying material supplied by the sending agent. Note that >>> [CMS] requires implementations to accept a KeyAgreeRecipientInfo >>> SEQUENCE that includes the ukm field. If the ukm field is present, >>> the ukm is placed in the entityUInfo field. When present, the ukm >>> ensures that a different key-encryption key is generated, even when >>> the originator ephemeral private key is improperly used more than >>> once. Therefore, if the ukm field is present, it MUST be selected in >>> a manner that ensures a unique KDF output; >>> >> >> Is this actually possible? The KDF is basically a PRF, so there is some >> chance that 0*128 and 1*128 produce the same output. >> >> >> s/ensure/will with very high probability produce/ >> >> Russ >> >> >> > >
- [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-ne… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Jim Schaad
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Jim Schaad
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Jim Schaad
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley