IETF Logo Mail Archive

Re: [Curdle] AD review of draft-ietf-curdle-cms-chacha20-poly1305-03

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 29 November 2016 12:09 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E497B129B9A for <curdle@ietfa.amsl.com>; Tue, 29 Nov 2016 04:09:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.798
X-Spam-Level:
X-Spam-Status: No, score=-5.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZRP56JO8nGRF for <curdle@ietfa.amsl.com>; Tue, 29 Nov 2016 04:09:24 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29415129B76 for <curdle@ietf.org>; Tue, 29 Nov 2016 04:03:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id B4B85BE58; Tue, 29 Nov 2016 12:03:26 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nIhy-0McFbQR; Tue, 29 Nov 2016 12:03:22 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 5ECC8BE4C; Tue, 29 Nov 2016 12:03:22 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1480421002; bh=dfVo/MF3RGVr9EMNy/aeTOjJ3C8HrolfKzBJPNvjW/I=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=Fd7cSNihqhIyfJXRf1xNK9uoIBxivbpShrAVNn3t07NtTyL9vwdnEmD0TFXNyT8+N mJVuZmdE4CUzqEpYv0yBuhIzeBzFtFTjIL1KqQOdYIw+Em6b2kdKD1FhXZrsGrCNzo tbTFCoZ9NWJn12B1JLqk/KzOTFFTPiPYDPSVahXs=
To: Russ Housley <housley@vigilsec.com>
References: <b27e8b77-5025-23f0-e71f-9c10af0b2265@cs.tcd.ie> <6E89FD59-D2DA-4697-AF37-5041B09F2035@vigilsec.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <f04798d8-6d68-e909-7a82-b29320eb79e7@cs.tcd.ie>
Date: Tue, 29 Nov 2016 12:03:22 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <6E89FD59-D2DA-4697-AF37-5041B09F2035@vigilsec.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms010408050002030703020705"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/Uo7ITIUlMmfXHjpFiDZ6ANPOusQ>
Cc: "curdle@ietf.org" <curdle@ietf.org>
Subject: Re: [Curdle] AD review of draft-ietf-curdle-cms-chacha20-poly1305-03
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2016 12:09:27 -0000

Hi Russ,

On 28/11/16 22:56, Russ Housley wrote:
> Stephen:
> 
>> My AD review of this draft is below. I think a revised I-D is
>> needed before IETF LC for at least section 4, but please argue with
>> me if I'm wrong about that.
> 
> I do not think the changes are very big.  

Agreed. The only change that I think is really needed is
to fix section 4 so that people have something to review
at IETF LC.

> However, I’m pleased to
> make them before IETF Last Call, assuming you agree with the
> direction laid out below.
> 
> 
>> (1) section 2: Is it correct to say that BCP107 is a MUST the way
>> you do? I think you need to say that implementations MUST support
>> some form(s) of AKM, but I don't think you can say "MUST use" as I
>> can't see how that could be enforced at this level of the code.  If
>> it can't be enforced, then it's not worth the MUST you have here.
> 
> I do not see this concern.  The specification does not allow for the
> AEAD_CHACHA20_POLY1305 key (that is, the
> content-authenticated-encryption key) to be used for more that one
> CMS object.  A fresh one must be established, and there are four ways
> that can be used to do so:
> 
> Key Transport:  the content-authenticated-encryption key is encrypted
> in the recipient's public key;
> 
> Key Agreement:  the recipient's public key and the sender's private
> key are used to generate a pairwise symmetric key, then the
> content-authenticated-encryption key is encrypted in the pairwise
> symmetric key;
> 
> Symmetric Key-Encryption Keys:  the content-authenticated- encryption
> key is encrypted in a previously distributed symmetric key-encryption
> key; and
> 
> Passwords:  the content-authenticated-encryption key is encrypted in
> a key-encryption key that is derived from a password or other shared
> secret value.

Sure, that's all fine. My point though is that the person
implementing this will likely not be in a position to try
to enforce BCP107 in that same code base. And maybe they
actually ought not try enforce that BCP while adding this.
I think the current MUST is indicative of a layering
violation and will be ignored, if it's not already satisfied
by the overall system to which this construct is being
added.

To be clear, I'm fine that this not block LC.

> 
> 
>> (2) section 3: What does "content authenticated encryption" mean
>> exactly? You use that phrase a lot, and I don't know what it means
>> and it does not occur in [CMS]. Do we need a better term?
>> (Apologies if I'm forgetting the WG discussing that.)
> 
> RFC 5083 uses the term "content-authenticated-encryption keys”.  I
> can add the hyphens id that improves clarity.

Personally, I think that term lacks clarity and adds confusion.
I don't see why it's better than just saying "key" when you
mean that, and "key+nonce" when that's meant.

> 
> 
>> (3) section 4: this is clearly not ready for publication - why not
>> allocate the OID? But you at least need to write the text or get
>> rid of the section.
> 
> Other S/MIME Capabilities just include the hex values of the
> attribute, which is simply the DER encoding of the OID.  I can put
> the words there, but the hex string cannot be provided until the OID
> is assigned.

Please. A section containing one TBD string is fine. An
entirely blank section I think asks too much from folks
reading this. (Separately, why not allocate the OID now?
We can do early allocations.)

> 
> 
>> (4) I hope I remember to add the downref to the IETF LC:-)
> 
> For which document?

RFC 7539. That's an action on me for the LC text though,
nothing there for you to do.

> 
> 
>> nits...

One comment below, otherwise what you say about all of
these is fine.

>> 
>> - Is 1.1 really useful to have here? That text is basically part of
>> [1] which is what an implementer would need to read anyway. So it 
>> may be better to omit 1.1 and just point at [1].
>> 
>> [1] https://tools.ietf.org/html/rfc7539#section-2.8
> 
> Sure.  It can be reduced to a simple paragraph that contains a
> pointer, much like the pointer to ASN.1 In section 1.3.
> 
>> - section 2: "...destroys the security guarantees." That would be
>> better with a reference to some paper that describes the issues.
> 
> This is explained in RFC 7539.  It says:
> 
> Consequences of repeating a nonce: If a nonce is repeated, then both 
> the one-time Poly1305 key and the keystream are identical between
> the messages.  This reveals the XOR of the plaintexts, because the
> XOR of the plaintexts is equal to the XOR of the ciphertexts.
> 
> I’m pleased to point to that.
> 
> 
>> - typo: "I can be extremely..."
>> 
>> - typo: "There is one algorithm identifiers...”
> 
> I’m pleased to correct those.
> 
> 
>> - section 3: I'm not clear what is done with the "AuthEnvelopedData
>> mac field" here.  Given we've an AEAD, there's no real need for a 
>> separate MAC, so I find the text confusing. Can you explain?
> 
> RFC 7539 says:
> 
> chacha20_aead_encrypt(aad, key, iv, constant, plaintext): nonce =
> constant | iv otk = poly1305_key_gen(key, nonce) ciphertext =
> chacha20_encrypt(key, 1, nonce, plaintext) mac_data = aad |
> pad16(aad) mac_data |= ciphertext | pad16(ciphertext) mac_data |=
> num_to_4_le_bytes(aad.length) mac_data |=
> num_to_4_le_bytes(ciphertext.length) tag = poly1305_mac(mac_data,
> otk) return (ciphertext, tag)
> 
> This is where the authentication tag is carried.  Authentication tag
> is really another name for MAC.
> 
> 
>> - section 6: This says "When using AEAD_CHACHA20_POLY1305, the
>> resulting ciphertext is always the same size as the original
>> plaintext. " What about the extra 128 bit authentication tag?
> 
> As above, the authentication tag is carried in the AuthEnvelopedData
> mac field.

I'd say adding a note to that effect somewhere would help
the reader. (Though an implementer will get it right I
guess.)

Cheers,
S.

> 
> Russ
>

v2.23.0 | Report a Bug | By Email