IETF Logo Mail Archive

Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-new-curves-04.txt

Eric Rescorla <ekr@rtfm.com> Wed, 10 May 2017 22:07 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D98EF1293E8 for <curdle@ietfa.amsl.com>; Wed, 10 May 2017 15:07:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9QzJQeM5zqV2 for <curdle@ietfa.amsl.com>; Wed, 10 May 2017 15:07:34 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 156051292C5 for <curdle@ietf.org>; Wed, 10 May 2017 15:07:34 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id b68so4620202ywe.3 for <curdle@ietf.org>; Wed, 10 May 2017 15:07:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ic+ufQODi+fXwusZ+hdUJrLMplGzjd9ZDaelVcjRtn0=; b=s2PXtk947+SLeeR28AmNDajV7AueV7WhJTMDc7voeHGXgb/Cd17/nxFMeGuh/Jlxqo I1/eUbDKhU8udelplOGF4SfoEefNA6zBb/6+PGqInXMNvp2RysP4kr47nzqh6IJMin9m ajcs8d8n3nziTFGVt2hqe6dMnHZ77L9xm+IkARQdbOvkdefD5IZ3op8+bH8MlTK5gf/Q lWDZTINtcXaXQLvuAwrm7/22R0Dkn4QFUpG/hV5frlQzV3/Fdk9HXZeYDBjVv3N451Uo 0dtY/VKL5b9qve2n47LLMh2F+XON5T+I65+CacBoZ01b0pQu+JMdbN4RnViqR2iS5T8U /LBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ic+ufQODi+fXwusZ+hdUJrLMplGzjd9ZDaelVcjRtn0=; b=lgjNGQ2xch+ovoWmjdpSmpkJjJnFgsz4XVW720UxStf+PvA3VcWBmo6vDt8SqFKAXW K11o2Cdw75pyYhPHKossgy2rVfhxRGxmQjjyIA12qX3XirREStfFELZWkz0egYTluNKO rAbuUmlrykVOGpWvQdPn93YDFZyHSsSnvaWpMak2ISrFlPR6Y1zDMc8J7a2dZi9cpHLr H6NvlVqBx3And2VkCNOQmPg1/oHGP0s9N7jXJRQD3dluc1eRXV0LtytNK1IQqfBXnbPk WEAJtdcJmJEyUxKTngAyRNan1qKxGFoSPhImo944uv/eU7gufbkX0V/05rGQpYgDEhRs kzGg==
X-Gm-Message-State: AODbwcBEU52/JBem05YpjzgmPfEo/r3bTanGEpQmkieRdY6N8Y3uzbu8 QC9mQOwtA3vRL7CmiU2rF+MDSVH1F7rjtlw=
X-Received: by 10.13.255.199 with SMTP id p190mr6530668ywf.312.1494454053237; Wed, 10 May 2017 15:07:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Wed, 10 May 2017 15:06:52 -0700 (PDT)
In-Reply-To: <14BFAE56-7FA4-454D-9447-F7DB6492CB28@vigilsec.com>
References: <CABcZeBPCGj81Br-=C4G4PPhB+vVLGwqi94q-vH1aZVs=MTQzng@mail.gmail.com> <B61A14BA-39DD-4929-8E08-AF7BF0CB9DFE@vigilsec.com> <CABcZeBMMWbGd=SSPmtBHE6XOCRSG8q3NqtJdaMQcK5uxHsqqTA@mail.gmail.com> <5EEB2415-61EF-4B6E-91CA-EE2EB7C3E087@vigilsec.com> <013101d2c8ec$586cd450$09467cf0$@augustcellars.com> <30A1145E-F049-454C-93AB-1445767BA67C@vigilsec.com> <016801d2c901$5e299760$1a7cc620$@augustcellars.com> <1D0D6254-2E6E-4EDD-9FF6-385DA561013D@vigilsec.com> <CABcZeBPfHcku7Lk6=Up351=D+xMSO_pfuqqF4aTaW185As9oSg@mail.gmail.com> <111B20E8-5253-4A5A-A39E-6926D9350136@vigilsec.com> <CABcZeBNA_SFR0AOZ3GXbRCpOuzZ_eAwY++OPPM6V4q74CQ00qg@mail.gmail.com> <14BFAE56-7FA4-454D-9447-F7DB6492CB28@vigilsec.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 10 May 2017 15:06:52 -0700
Message-ID: <CABcZeBOqOr2tXg-0rfqUSPQcfLnY3htspSWkm6Wf60cEU76k2g@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Jim Schaad <ietf@augustcellars.com>, curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c087eeafa1fa1054f32b214"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/-lrTPwarVaf1A_uMYivlIGGwXKo>
Subject: Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-new-curves-04.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 May 2017 22:07:37 -0000

I apologize but I just took a look at the language around invalid points. I
would suggest
you use the same language as TLS here:

   For X25519 and X448, implementations SHOULD use the approach
   specified in [RFC7748] to calculate the Diffie-Hellman shared secret.
   Implementations MUST check whether the computed Diffie-Hellman shared
   secret is the all-zero value and abort if so, as described in
   Section 6 of [RFC7748].  If implementers use an alternative
   implementation of these elliptic curves, they SHOULD perform the
   additional checks specified in Section 7 of [RFC7748].

LMK what you think.

Best,
-Ekr


On Wed, May 10, 2017 at 6:50 AM, Russ Housley <housley@vigilsec.com> wrote:

> Yes, that works for me.  I’ll post an updated I-D later today.
>
> Russ
>
>
> On May 9, 2017, at 7:59 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> I guess I would focus on the uniqueness of the input, because the output's
> uniqueness is largely a function of:
>
> 1. Input uniqueness
> 2. The number of discrete inputs.
>
> So, I think I would say:
>
> "it MUST be selected in a manner that ensures it is unique with high
> probability"
>
> -Ekr
>
>
>
> On Tue, May 9, 2017 at 3:35 PM, Russ Housley <housley@vigilsec.com> wrote:
>
>>
>> On May 9, 2017, at 5:16 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>
>> On Tue, May 9, 2017 at 1:25 PM, Russ Housley <housley@vigilsec.com>
>> wrote:
>>
>>> >    The ECC-CMS-SharedInfo entityUInfo field optionally contains
>>> >    additional keying material supplied by the sending agent.  Note that
>>> >    [CMS] requires implementations to accept a KeyAgreeRecipientInfo
>>> >    SEQUENCE that includes the ukm field.  If the ukm field is present,
>>> >    the ukm is placed in the entityUInfo field.  The ukm value need not
>>> >    be longer than the key-encryption key that will be produced by the
>>> >    KDF.
>>> >
>>> > Need not? Please clarify what the purpose is here. It seems like
>>> > it's to generate a unique KEK. In that case, the security bounds
>>> > are what, uniqueness?
>>>
>>> I suggest this wording:
>>>
>>>    … There is no security benefit to using a ukm value that is
>>>    longer than the key-encryption key that will be produced by
>>>    the KDF.
>>>
>>>
>>> Hmm... I believe that this statement is true, but it also seems to be
>>> incomplete. I may be reasoning about this incorrectly, but it seems
>>> to me that the minimal security requirement is that the UKM be
>>> unique, but that can be achieved with a value much smaller than
>>> the KEK. For instance, it seems like if you have a 256-bit KEK,
>>> then you would still be OK with a randomly-generated 128-bit
>>> UKM. And if we're concerned about random collisions, then the
>>> usefulness bound is actually min(|KEK|, |hash compression function
>>> size|).
>>>
>>>
>>> Yes. The umm value needs to be different for each invocation of the KDF,
>>> otherwise it does not provide the assurance that different keying material
>>> will be produced.  Of course, an implementation will generate the umm value
>>> using random number generator, not track the values that are used.  Several
>>> years ago, there was a discussion about the size of the ukm needed.  Some
>>> people were suggesting crazy large values, and the point was made that
>>> anything beyond the SIZEOF(KEK) did not improve security.
>>>
>>> Are you asking for a sentence saying that the ukm, if present, MUST be
>>> at least 128 bits?
>>>
>>> [JLS] I would disagree that the value has to be random, a counter will
>>> work as well.  (An encrypted counter is better.)  I not be happy with a
>>> fixed size requirement on this easier.  There is no reason to make such a
>>> requirement that I can think of.  A 64-bit counter is just as rational.  It
>>> might make more sense to change this statement into something along the
>>> lines of
>>>
>>> * Any pair of static keys MUST NOT be used more times than the size of
>>> the key.  I.e. if 128-bit KEKs may be used, then there is a 2^128 limit on
>>> the number of times the key pair can be used.
>>> * The size of the KEK is normally not longer than the length of the
>>> resulting KEK as that is the limit of unique values that can be generated
>>> in any event.
>>>
>>>
>>> Section 2 already says that the ephemeral key MUST be used for only one
>>> message.  Thus, a UKM is not really needed.  However, the CMS requires
>>> support for a UKM if the sender include it.  For this reason, the document
>>> says how to handle it in the KDF if it is present.
>>>
>>> You are correct that a counter, encrypted counter, or random value will
>>> work, even if the originator uses the same ephemeral key for many
>>> messages.  The text does not limit the choices in any way.
>>>
>>> The text already says that there is no security reason for a UKM value
>>> that is longer than the KEK.  I think that EKR is asking for guidance on
>>> the minimum size too.
>>>
>>> [JLS] It’s kind of a stupid thing to do, but the minimum size would be
>>> one bit.  Although this is not legal from an ASN.1 standpoint – so the
>>> minimum would be one byte.
>>>
>>> A single byte with all bits zero and two bytes with all bits zero are
>>> different ukm values because of the way that they are used in the
>>> ECC-CMS-SharedInfo structure.  Note that this would not be the case if the
>>> ukm value was only used as a salt value to HKDF.  I do not see any reason
>>> to specify a minimum length of this value.  The only thing that is required
>>> is uniqueness, EKR is correct about saying this.
>>>
>>>
>>> I suggest:
>>>
>>>    The ECC-CMS-SharedInfo entityUInfo field optionally contains
>>>    additional keying material supplied by the sending agent.  Note that
>>>    [CMS] requires implementations to accept a KeyAgreeRecipientInfo
>>>    SEQUENCE that includes the ukm field.  If the ukm field is present,
>>>    the ukm is placed in the entityUInfo field.  When present, the ukm
>>>    ensures that a different key-encryption key is generated, even when
>>>    the originator ephemeral private key is improperly used more than
>>>    once.  Therefore, if the ukm field is present, it MUST be selected in
>>>    a manner that ensures a unique KDF output;
>>>
>>
>> Is this actually possible? The KDF is basically a PRF, so there is some
>> chance that 0*128 and 1*128 produce the same output.
>>
>>
>> s/ensure/will with very high probability produce/
>>
>> Russ
>>
>>
>>
>
>

v2.23.0 | Report a Bug | By Email