Re: [dtn] [EXT] Secdir last call review of draft-ietf-dtn-bpsec-default-sc-07
"Birrane, Edward J." <Edward.Birrane@jhuapl.edu> Wed, 09 June 2021 14:17 UTC
Return-Path: <Edward.Birrane@jhuapl.edu>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0031A3A18CB; Wed, 9 Jun 2021 07:17:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.389
X-Spam-Level:
X-Spam-Status: No, score=-4.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhuapl.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z5noXct-7Jp7; Wed, 9 Jun 2021 07:17:21 -0700 (PDT)
Received: from aplegw01.jhuapl.edu (aplegw01.jhuapl.edu [128.244.251.168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6FE43A18C9; Wed, 9 Jun 2021 07:17:12 -0700 (PDT)
Received: from pps.filterd (aplegw01.jhuapl.edu [127.0.0.1]) by aplegw01.jhuapl.edu (8.16.0.43/8.16.0.43) with SMTP id 159EGxlL071119; Wed, 9 Jun 2021 10:17:09 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhuapl.edu; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=JHUAPLDec2018; bh=I3SYfSrYGk6Bi44IkVkyNJgh7hD7NkF/JZjcnbpy0bs=; b=pH4O5RhymB1CIOdGwJVrPSGgC9vlDGPag8f2yuLuGGc/NovA/JAK0Z681LLL+47UKhMy IBg3Z0ubAsdKHQ9M0oY9yeZH+jgrnF0Mmo6VC96vX2hDTJHurW5C+d1SeUeVqugqe/Mo ci8+RBy+CvYDHJvteKhXyMEjPzu6ur2GgxTFGrFnWhObCeH5qC96vftkFyFLFFBXaOyi sLiOaKyBKhQ+36aLPmQnKNRUG1ttt7j6L2+cZHXVD87rfg63YzyXZtVIKfv4bOzX7NUT MoG+VfZEfoce+w3SpzSNTEuySZQkE8gdSsaJIGXjew1VkO4XDNRaM3a9JbXPmDZBLL+w iw==
Received: from aplex02.dom1.jhuapl.edu (aplex02.dom1.jhuapl.edu [128.244.198.6]) by aplegw01.jhuapl.edu with ESMTP id 391y9a99cp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 09 Jun 2021 10:17:09 -0400
X-CrossPremisesHeadersFilteredBySendConnector: aplex02.dom1.jhuapl.edu
Received: from aplex01.dom1.jhuapl.edu (128.244.198.5) by aplex02.dom1.jhuapl.edu (128.244.198.6) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Wed, 9 Jun 2021 10:17:08 -0400
Received: from aplex01.dom1.jhuapl.edu ([fe80::19f5:dcc5:c696:1a50]) by aplex01.dom1.jhuapl.edu ([fe80::19f5:dcc5:c696:1a50%25]) with mapi id 15.00.1497.018; Wed, 9 Jun 2021 10:17:08 -0400
From: "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>
To: Christian Huitema <huitema@huitema.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-dtn-bpsec-default-sc.all@ietf.org" <draft-ietf-dtn-bpsec-default-sc.all@ietf.org>, "dtn@ietf.org" <dtn@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: [EXT] Secdir last call review of draft-ietf-dtn-bpsec-default-sc-07
Thread-Index: AQHXU+6UBlgxk74+pESA6s7S8RVd1qsLxdJg
Date: Wed, 09 Jun 2021 14:17:08 +0000
Message-ID: <5c607c5d7cf64b998a8bd2e057770ca0@aplex01.dom1.jhuapl.edu>
References: <162222621650.3936.204909667434697510@ietfa.amsl.com>
In-Reply-To: <162222621650.3936.204909667434697510@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [128.244.198.168]
Content-Type: multipart/alternative; boundary="_000_5c607c5d7cf64b998a8bd2e057770ca0aplex01dom1jhuapledu_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: aplex02.dom1.jhuapl.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-06-09_04:2021-06-04, 2021-06-09 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/J5--68SOdFvVvRdK_mKpxQ-ko3I>
Subject: Re: [dtn] [EXT] Secdir last call review of draft-ietf-dtn-bpsec-default-sc-07
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2021 14:17:27 -0000
Christian, Thank you for this updated review. I understand and agree with your additional comments on AEAD and have produced a -08 which I hope clarifies options around the handling of the authentication tag. Three quick observations: - The BCB-AES-GCM security context will always be documented for the GCM mode of AES so, as you say, managing this complexity for AES-GCM is workable. But also agree that for DTN at large, as we work to incorporate newer encryption algorithms, new security context documents will be produced and authentication/encryption can be joined for those documents and algorithms in a less complex way. - We are still working with (some) aes-gcm libraries whose APIs separate the authentication tag. For example, the mbedtls (https://www.trustedfirmware.org/projects/mbed-tls/) API uses the function mbedtls_gcm_crypt_and_tag which takes the tag separately from the cipher text. For interoperability, pulling the tag into a security result is helpful. If a security source were to produce a blob that represented an unknown ordering of cipher text and authentication tag, then a security destination using mbedtls would not necessarily know where in that blob to pull the tag when constructing the call to mbedtls_gcm_crypt_and_tag. Preferring to extract the tag is clearly more complexity but it also may be helpful when working in networks that have deployed different AES-GCM implementations at different nodes. - There has been some discussion where having certain extension blocks be fixed-size would help with processing, which is what made the AES-GCM cipher suite attractive to those uses. Keeping the tag separate is a way to preserve that length constraint in the few cases where that is helpful. Again, thank you for your time; these reviews have made the default security context document much more complete and useful. -Ed --- Edward J. Birrane, III, Ph.D. Embedded Applications Group Supervisor Space Exploration Sector Johns Hopkins Applied Physics Laboratory (W) 443-778-7423 / (F) 443-228-3839 > -----Original Message----- > From: Christian Huitema via Datatracker <noreply@ietf.org> > Sent: Friday, May 28, 2021 2:24 PM > To: secdir@ietf.org > Cc: draft-ietf-dtn-bpsec-default-sc.all@ietf.org; dtn@ietf.org; last- > call@ietf.org > Subject: [EXT] Secdir last call review of draft-ietf-dtn-bpsec-default-sc-07 > > APL external email warning: Verify sender noreply@ietf.org<mailto:noreply@ietf.org> before clicking > links or attachments > > Reviewer: Christian Huitema > Review result: Ready > > I reviewed draft-ietf-dtn-bpsec-default-sc-02 as part of an early security > review requested by the transport AD. This is the follow-up last call review of > draft-ietf-dtn-bpsec-default-sc-07. > > The draft is ready, although I would prefer to see somechanges in the > encoding of AEAD tags as explained below. > > The changes in draft-07 address most of the points I made in the early > review. > The small nit concerning a reference in the table of BIB-HMAC-SHA2 Security > Parameters is fixed and the implementation of AEAD algorithms is easy to > read. > > I appreciate that the draft now contains an entire appendix describing > examples of messages, their clear-text encoding and the result of > authentication and encryption. This probably required significant effort, and > it does address my suggestion to add test vectors in order to manage > implementation complexity. > > I could just say that the draft is ready, except for one addition that I find a bit > spurious. > The description of AES-GCM states that "the authentication tag produced by > the GCM > mode of AES is not considered part of the cipher text itself", and that "the > > authentication tag is expected to be carried in the BCB-AES-GCM > security block". The > statement is not technically false, but the separation of message and tag > goes against the design of many AEAD implementations, in which the > application provides the crypto API with a clear text of some length, and > retrieves a cipher text of a different length, including the tag. Separating that > tag and moving it to a different location is yet another way to introduce > complexity. > > That complexity can probably still be managed for AES-GCM, but the general > trend is to implement encryption and authentication in a single operation. I > fully expect that new encryption algorithms will continue that trend, and may > well do away with the formal separation between ciphertext and tag. > Recognizing that encryption and authentication are not separable would > simplify the DTN bundle protocol. >
- [dtn] Secdir last call review of draft-ietf-dtn-b… Christian Huitema via Datatracker
- Re: [dtn] [EXT] Secdir last call review of draft-… Birrane, Edward J.