[Curdle] AD Review: draft-ietf-curdle-cms-ecdh-new-curves-04.txt
Eric Rescorla <ekr@rtfm.com> Fri, 05 May 2017 20:07 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3968912869B for <curdle@ietfa.amsl.com>; Fri, 5 May 2017 13:07:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id edIuGvJZccQU for <curdle@ietfa.amsl.com>; Fri, 5 May 2017 13:07:30 -0700 (PDT)
Received: from mail-yb0-x22e.google.com (mail-yb0-x22e.google.com [IPv6:2607:f8b0:4002:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1905C124217 for <curdle@ietf.org>; Fri, 5 May 2017 13:07:30 -0700 (PDT)
Received: by mail-yb0-x22e.google.com with SMTP id s22so449042ybe.3 for <curdle@ietf.org>; Fri, 05 May 2017 13:07:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=klgsCdcXaxqoJUH+mOrbJ+K2lW7dYL/Yzz09WlyqBUY=; b=akF7Yn/oJT2d2HFQlFJ02XsGxiDQwWd9BuUatqLrdL45wwqV1JONz2XtodFHvDhOyQ VILiaE86vnUPU6rVo8vmJWh0zukNd++CJdSQdZMknrgJ0y2XO30aSYNg43Rb4wI5tKeJ Aw0qX8wi9KNtiPZ/NAFxkrLO+OPDPTo8CiaqmkdubQAZDe2HltNR3kdwAyAwCj7vxSUa 0PSpdLDfmDWcylmEcYg4VfTI1XpnVb2QvdbZ4MiGvYv9S91isUdhSlZWsId4GMvQxb3q XwOEhynkO7bSU5qhdxSlRGOTxb7VVxANao/nt6RCZ1CmpdCUftZwPP8hkMK0M9mZr2ia JnXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=klgsCdcXaxqoJUH+mOrbJ+K2lW7dYL/Yzz09WlyqBUY=; b=Z7GFnwJJPZe7IiLF9iO+9GvaaM7IpyXhcD/9fL8MaHfk5F+/kdo895ItXrBHdVwKPZ TnGwp081dFwhc/jPH7TYmKfE1wn2J5AQ3ggHVhMp0UXY3b11cvMa3GQts/dCKe4dyXXv r07e6Tj1KUdiVXY6rg6Wvj3dBBOKRHv6eD/j3pdsIhMq6ChI7wTadtUuZ/I7lKXzFGXG CXCGiT1ucajJvPMIvjsznWDPifU6RTukQXVIDzyUA8sTAaXEqLSptckGG87lrKWcAC55 pp+DP+jCplW+k0YA4p2lS+2ta1Kk55N+LUA0DTgbGV0mJFyyVtgVPozclyy5Fd7xp9j6 KKog==
X-Gm-Message-State: AODbwcC5pmk4zxCKsGrjADLklQXgMbNVRt0NhQWbAW68gwi3LokLWPf6 Alp3UYGD2QHcMOkI73q3ahQ/RXNM0NnywEI=
X-Received: by 10.37.173.21 with SMTP id y21mr344891ybi.52.1494014849081; Fri, 05 May 2017 13:07:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Fri, 5 May 2017 13:06:48 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 05 May 2017 13:06:48 -0700
Message-ID: <CABcZeBPCGj81Br-=C4G4PPhB+vVLGwqi94q-vH1aZVs=MTQzng@mail.gmail.com>
To: curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="f403045db94e5e7f8c054ecc70d9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/0eJYOG4NgNFosJ7pV4_mVlxdpRQ>
Subject: [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-new-curves-04.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 May 2017 20:07:31 -0000
OVERALL I see a bunch of quasi-normative text here, e.g., [CURVES]. Those other curves are not deprecated, but support for curve25519 and curve448 is encouraged. Can you use RFC 2119 language here? TECHNICAL S 2. X25519 is described in Section 6.1 of [CURVES], and X448 is described in Section 6.2 of [CURVES]. Since curve25519 and curve448 have cofactors of 8 and 4, respectively, an input point of small order will eliminate any contribution from the other party’s private key. As described in Section 7 of [CURVES], implementations SHOULD detect this situation by checking for the all-zero output. Why are you not requiring this check? SSH and TLS both do. The ECC-CMS-SharedInfo keyInfo field contains the object identifier of the key-encryption algorithm and associated parameters. This algorithm will be used to wrap the content-encryption key. For example, the AES Key Wrap algorithm [AESKW] does not need parameters, so the algorithm identifier parameters are absent. It's important that this be clear. Is it required to be absent? Must I check? The ECC-CMS-SharedInfo entityUInfo field optionally contains additional keying material supplied by the sending agent. Note that [CMS] requires implementations to accept a KeyAgreeRecipientInfo SEQUENCE that includes the ukm field. If the ukm field is present, the ukm is placed in the entityUInfo field. The ukm value need not be longer than the key-encryption key that will be produced by the KDF. Need not? Please clarify what the purpose is here. It seems like it's to generate a unique KEK. In that case, the security bounds are what, uniqueness? S 2.2. if ukm is provided, then salt = ukm, else salt = zero zero in this case is "all zeros"? In any case, HKDF already knows how to deal with salt not provided, to that would be easier to specify. S 8. Don't forget to fill in these values. I assume you will do so once IANA registers your code points? S 9. This section is kinda diffident about whether the sender's ephemeral is truly ephemeral. Is this a MUST? If so, please say so. Appendix: How many people have checked this ASN.1 module? EDITORIAL S 2. Please put KEK in parentheses in your first use. S 3. It would be easier to put this above the key derivation stage. Please provide some sort of reference or cross-reference for "kari" KeyAgreeRecipientInfo ukm is optional. Note that [CMS] requires implementations to accept a KeyAgreeRecipientInfo SEQUENCE that includes the ukm field. If present, the ukm is placed in the entityUInfo field of the ECC-CMS-SharedInfo as input to the KDF. The ukm value need not be longer than the key-encryption key produced by the KDF. This seems to be duplicated. S 5. This also seems to be largely duplicated. Can you refactor out the common stuff. -Ekr
- [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-ne… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Jim Schaad
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Jim Schaad
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Jim Schaad
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Eric Rescorla
- Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecd… Russ Housley