Re: [Curdle] AD review of draft-ietf-curdle-cms-chacha20-poly1305-03
Russ Housley <housley@vigilsec.com> Mon, 28 November 2016 22:57 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3A7712A0BE for <curdle@ietfa.amsl.com>; Mon, 28 Nov 2016 14:57:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HzKoQw2gJJPW for <curdle@ietfa.amsl.com>; Mon, 28 Nov 2016 14:57:58 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F148012A0D9 for <curdle@ietf.org>; Mon, 28 Nov 2016 14:56:32 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 48F2A300AFD for <curdle@ietf.org>; Mon, 28 Nov 2016 17:46:15 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id SbT4mxRmSFZB for <curdle@ietf.org>; Mon, 28 Nov 2016 17:46:13 -0500 (EST)
Received: from [192.168.2.100] (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id 53E2B300687; Mon, 28 Nov 2016 17:46:13 -0500 (EST)
Content-Type: multipart/signed; boundary="Apple-Mail=_545C7A49-E8FD-4371-AA6D-26D396E6BB86"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <b27e8b77-5025-23f0-e71f-9c10af0b2265@cs.tcd.ie>
Date: Mon, 28 Nov 2016 17:56:29 -0500
Message-Id: <6E89FD59-D2DA-4697-AF37-5041B09F2035@vigilsec.com>
References: <b27e8b77-5025-23f0-e71f-9c10af0b2265@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/wvWvIIo77M8bFkWKPw-7XNEDcZw>
Cc: "curdle@ietf.org" <curdle@ietf.org>
Subject: Re: [Curdle] AD review of draft-ietf-curdle-cms-chacha20-poly1305-03
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2016 22:58:00 -0000
Stephen:
> My AD review of this draft is below. I think
> a revised I-D is needed before IETF LC for at
> least section 4, but please argue with me if
> I'm wrong about that.
I do not think the changes are very big. However, I’m pleased to make them before IETF Last Call, assuming you agree with the direction laid out below.
> (1) section 2: Is it correct to say that BCP107
> is a MUST the way you do? I think you need to
> say that implementations MUST support some
> form(s) of AKM, but I don't think you can say
> "MUST use" as I can't see how that could be
> enforced at this level of the code. If it
> can't be enforced, then it's not worth the
> MUST you have here.
I do not see this concern. The specification does not allow for the AEAD_CHACHA20_POLY1305 key (that is, the content-authenticated-encryption key) to be used for more that one CMS object. A fresh one must be established, and there are four ways that can be used to do so:
Key Transport: the content-authenticated-encryption key is
encrypted in the recipient's public key;
Key Agreement: the recipient's public key and the sender's
private key are used to generate a pairwise symmetric key, then
the content-authenticated-encryption key is encrypted in the
pairwise symmetric key;
Symmetric Key-Encryption Keys: the content-authenticated-
encryption key is encrypted in a previously distributed
symmetric key-encryption key; and
Passwords: the content-authenticated-encryption key is encrypted
in a key-encryption key that is derived from a password or
other shared secret value.
> (2) section 3: What does "content authenticated
> encryption" mean exactly? You use that phrase
> a lot, and I don't know what it means and it
> does not occur in [CMS]. Do we need a better
> term? (Apologies if I'm forgetting the WG
> discussing that.)
RFC 5083 uses the term "content-authenticated-encryption keys”. I can add the hyphens id that improves clarity.
> (3) section 4: this is clearly not ready for
> publication - why not allocate the OID? But
> you at least need to write the text or get rid
> of the section.
Other S/MIME Capabilities just include the hex values of the attribute, which is simply the DER encoding of the OID. I can put the words there, but the hex string cannot be provided until the OID is assigned.
> (4) I hope I remember to add the downref to
> the IETF LC:-)
For which document?
> nits...
>
> - Is 1.1 really useful to have here? That text
> is basically part of [1] which is what an
> implementer would need to read anyway. So it
> may be better to omit 1.1 and just point
> at [1].
>
> [1] https://tools.ietf.org/html/rfc7539#section-2.8
Sure. It can be reduced to a simple paragraph that contains a pointer, much like the pointer to ASN.1 In section 1.3.
> - section 2: "...destroys the security
> guarantees." That would be better with a
> reference to some paper that describes the
> issues.
This is explained in RFC 7539. It says:
Consequences of repeating a nonce: If a nonce is repeated, then both
the one-time Poly1305 key and the keystream are identical between the
messages. This reveals the XOR of the plaintexts, because the XOR of
the plaintexts is equal to the XOR of the ciphertexts.
I’m pleased to point to that.
> - typo: "I can be extremely..."
>
> - typo: "There is one algorithm identifiers...”
I’m pleased to correct those.
> - section 3: I'm not clear what is done with
> the "AuthEnvelopedData mac field" here. Given
> we've an AEAD, there's no real need for a
> separate MAC, so I find the text confusing.
> Can you explain?
RFC 7539 says:
chacha20_aead_encrypt(aad, key, iv, constant, plaintext):
nonce = constant | iv
otk = poly1305_key_gen(key, nonce)
ciphertext = chacha20_encrypt(key, 1, nonce, plaintext)
mac_data = aad | pad16(aad)
mac_data |= ciphertext | pad16(ciphertext)
mac_data |= num_to_4_le_bytes(aad.length)
mac_data |= num_to_4_le_bytes(ciphertext.length)
tag = poly1305_mac(mac_data, otk)
return (ciphertext, tag)
This is where the authentication tag is carried. Authentication tag is really another name for MAC.
> - section 6: This says "When using
> AEAD_CHACHA20_POLY1305, the resulting
> ciphertext is always the same size as the
> original plaintext. " What about the extra 128
> bit authentication tag?
As above, the authentication tag is carried in the AuthEnvelopedData mac field.
Russ
- [Curdle] AD review of draft-ietf-curdle-cms-chach… Stephen Farrell
- Re: [Curdle] AD review of draft-ietf-curdle-cms-c… Russ Housley
- Re: [Curdle] AD review of draft-ietf-curdle-cms-c… Stephen Farrell
- Re: [Curdle] AD review of draft-ietf-curdle-cms-c… Russ Housley
- Re: [Curdle] AD review of draft-ietf-curdle-cms-c… Russ Housley
- Re: [Curdle] AD review of draft-ietf-curdle-cms-c… Stephen Farrell