Re: [Curdle] Review of draft-ietf-curdle-cms-chacha20-poly1305-04

Russ Housley <housley@vigilsec.com> Mon, 12 December 2016 21:51 UTC


Yoav:

Thanks for the review.  The document will be more clear about the handling of AAD because you reviewed it.

> Reviewer: Yoav Nir
> Review result: Has Nits
> 
> Hi,
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> Summary: Ready with nits.
> 
> Introduction
>   ChaCha20 is the 20-round variant of ChaCha; it requires a 256-bit key
>   and a 96-bit nonce.  ChaCha20 is described in [FORIETF].
> 
> ChaCha20 is described in DJB's paper. RFC 7539 just repeats the
> definition with more detail, examples and test vectors. Same for
> Poly1305 in the next paragraph.

The point of RFC 7539, I believe, is a reference that is readily available to the Internet community.  Does this rewording resolve your concern?

[FORIETF] provides a detailed algorithm description, examples, and test vectors of ChaCha20.

[FORIETF] also provides a detailed algorithm description, examples, and test vectors of Poly1305.


> Section 3 describes how to use AEAD_CHACHA20_POLY1305 with
> AuthEnvelopedData. The algorithm, as stated in section 1.1 has four
> inputs: a 256-bit key, a 96-bit nonce, an arbitrary length plaintext,
> and an arbitrary length additional authenticated data (AAD). The key
> is generated by one of the methods in section 2 (Key Management); the
> nonce is generated by the sender. The text requires that it be unique,
> but does not mandate or suggest a way of doing this. This is fine. The
> plaintext according to section 3 is "the content located in the
> AuthEnvelopedData EncryptedContentInfo encryptedContent field", and
> the tag is stored in the AuthEnvelopedData mac field.
> 
> What's missing is the AAD. I could not find what goes into the AAD.
> This is described in section 2.2 of RFC 5083, but it should be either
> repeated here or referenced. It's jarring that the other inputs are
> described while this one is omitted.

I suggest the following replacement for the third paragraph in Section 3.

   The AEAD_CHACHA20_POLY1305 algorithm is used to authenticate the
   attributes located in the AuthEnvelopedData authAttrs field, if any
   are present, encipher the content located in the AuthEnvelopedData
   EncryptedContentInfo encryptedContent field, and to provide the
   message authentication code (MAC) located in the AuthEnvelopedData
   mac field.  The authenticated attributes are DER encoded to produce
   the AAD input value to the AEAD_CHACHA20_POLY1305 algorithm.  The
   ciphertext and the MAC are the two outputs of the
   AEAD_CHACHA20_POLY1305 algorithm.  Note that the MAC, which is called
   the authentication tag in [FORIETF], provides integrity protection
   for both the AuthEnvelopedData authAttrs and the AuthEnvelopedData
   EncryptedContentInfo encryptedContent.

Thanks,
  Russ