IETF Logo Mail Archive

Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-new-curves-04.txt

Russ Housley <housley@vigilsec.com> Tue, 09 May 2017 20:25 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9868012EB18 for <curdle@ietfa.amsl.com>; Tue, 9 May 2017 13:25:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HAjG_9_e-L5y for <curdle@ietfa.amsl.com>; Tue, 9 May 2017 13:25:46 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD5CF127871 for <curdle@ietf.org>; Tue, 9 May 2017 13:25:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 524DD30050D for <curdle@ietf.org>; Tue, 9 May 2017 16:25:45 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 7-0cVtRBc10K for <curdle@ietf.org>; Tue, 9 May 2017 16:25:42 -0400 (EDT)
Received: from a860b60074bd.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 427063004D8; Tue, 9 May 2017 16:25:42 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <1D0D6254-2E6E-4EDD-9FF6-385DA561013D@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2223C508-17EC-4536-B737-3364BD5A14BE"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Tue, 09 May 2017 16:25:45 -0400
In-Reply-To: <016801d2c901$5e299760$1a7cc620$@augustcellars.com>
Cc: curdle <curdle@ietf.org>
To: Jim Schaad <ietf@augustcellars.com>, Eric Rescorla <ekr@rtfm.com>
References: <CABcZeBPCGj81Br-=C4G4PPhB+vVLGwqi94q-vH1aZVs=MTQzng@mail.gmail.com> <B61A14BA-39DD-4929-8E08-AF7BF0CB9DFE@vigilsec.com> <CABcZeBMMWbGd=SSPmtBHE6XOCRSG8q3NqtJdaMQcK5uxHsqqTA@mail.gmail.com> <5EEB2415-61EF-4B6E-91CA-EE2EB7C3E087@vigilsec.com> <013101d2c8ec$586cd450$09467cf0$@augustcellars.com> <30A1145E-F049-454C-93AB-1445767BA67C@vigilsec.com> <016801d2c901$5e299760$1a7cc620$@augustcellars.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/jFe_95Kcx_LBvVl9e9TuvjhH7oQ>
Subject: Re: [Curdle] AD Review: draft-ietf-curdle-cms-ecdh-new-curves-04.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 20:25:47 -0000

>>>> >    The ECC-CMS-SharedInfo entityUInfo field optionally contains
>>>> >    additional keying material supplied by the sending agent.  Note that
>>>> >    [CMS] requires implementations to accept a KeyAgreeRecipientInfo
>>>> >    SEQUENCE that includes the ukm field.  If the ukm field is present,
>>>> >    the ukm is placed in the entityUInfo field.  The ukm value need not
>>>> >    be longer than the key-encryption key that will be produced by the
>>>> >    KDF.
>>>> >
>>>> > Need not? Please clarify what the purpose is here. It seems like
>>>> > it's to generate a unique KEK. In that case, the security bounds
>>>> > are what, uniqueness?
>>>> 
>>>> I suggest this wording:
>>>> 
>>>>    … There is no security benefit to using a ukm value that is
>>>>    longer than the key-encryption key that will be produced by
>>>>    the KDF.
>>>  
>>> Hmm... I believe that this statement is true, but it also seems to be
>>> incomplete. I may be reasoning about this incorrectly, but it seems
>>> to me that the minimal security requirement is that the UKM be
>>> unique, but that can be achieved with a value much smaller than
>>> the KEK. For instance, it seems like if you have a 256-bit KEK,
>>> then you would still be OK with a randomly-generated 128-bit
>>> UKM. And if we're concerned about random collisions, then the
>>> usefulness bound is actually min(|KEK|, |hash compression function size|).
>>  
>> Yes. The umm value needs to be different for each invocation of the KDF, otherwise it does not provide the assurance that different keying material will be produced.  Of course, an implementation will generate the umm value using random number generator, not track the values that are used.  Several years ago, there was a discussion about the size of the ukm needed.  Some people were suggesting crazy large values, and the point was made that anything beyond the SIZEOF(KEK) did not improve security.
>>  
>> Are you asking for a sentence saying that the ukm, if present, MUST be at least 128 bits?
>>  
>> [JLS] I would disagree that the value has to be random, a counter will work as well.  (An encrypted counter is better.)  I not be happy with a fixed size requirement on this easier.  There is no reason to make such a requirement that I can think of.  A 64-bit counter is just as rational.  It might make more sense to change this statement into something along the lines of 
>>  
>> * Any pair of static keys MUST NOT be used more times than the size of the key.  I.e. if 128-bit KEKs may be used, then there is a 2^128 limit on the number of times the key pair can be used.
>> * The size of the KEK is normally not longer than the length of the resulting KEK as that is the limit of unique values that can be generated in any event.
>  
> Section 2 already says that the ephemeral key MUST be used for only one message.  Thus, a UKM is not really needed.  However, the CMS requires support for a UKM if the sender include it.  For this reason, the document says how to handle it in the KDF if it is present.
>  
> You are correct that a counter, encrypted counter, or random value will work, even if the originator uses the same ephemeral key for many messages.  The text does not limit the choices in any way.
>  
> The text already says that there is no security reason for a UKM value that is longer than the KEK.  I think that EKR is asking for guidance on the minimum size too.
>  
> [JLS] It’s kind of a stupid thing to do, but the minimum size would be one bit.  Although this is not legal from an ASN.1 standpoint – so the minimum would be one byte. 
>  
> A single byte with all bits zero and two bytes with all bits zero are different ukm values because of the way that they are used in the ECC-CMS-SharedInfo structure.  Note that this would not be the case if the ukm value was only used as a salt value to HKDF.  I do not see any reason to specify a minimum length of this value.  The only thing that is required is uniqueness, EKR is correct about saying this. 

I suggest:

   The ECC-CMS-SharedInfo entityUInfo field optionally contains
   additional keying material supplied by the sending agent.  Note that
   [CMS] requires implementations to accept a KeyAgreeRecipientInfo
   SEQUENCE that includes the ukm field.  If the ukm field is present,
   the ukm is placed in the entityUInfo field.  When present, the ukm
   ensures that a different key-encryption key is generated, even when
   the originator ephemeral private key is improperly used more than
   once.  Therefore, if the ukm field is present, it MUST be selected in
   a manner that ensures a unique KDF output; however, there is no
   security benefit to using a ukm value that is longer than the key-
   encryption key that will be produced by the KDF.

Russ

v2.23.0 | Report a Bug | By Email