IETF Logo Mail Archive

Re: [Emu] TEAP errata 5770

Oleg Pekar <oleg.pekar.2017@gmail.com> Mon, 29 June 2020 14:09 UTC

Return-Path: <oleg.pekar.2017@gmail.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0E4A3A0E5C for <emu@ietfa.amsl.com>; Mon, 29 Jun 2020 07:09:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09zb1YmX7DLV for <emu@ietfa.amsl.com>; Mon, 29 Jun 2020 07:09:23 -0700 (PDT)
Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com [IPv6:2607:f8b0:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E12963A0941 for <emu@ietf.org>; Mon, 29 Jun 2020 07:09:22 -0700 (PDT)
Received: by mail-ot1-x32e.google.com with SMTP id t18so2804725otq.5 for <emu@ietf.org>; Mon, 29 Jun 2020 07:09:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2HNgmYiL51ci6/vLxFvFrVjB4kjVwvMozPx9wngZffs=; b=CMSSzmdJfXVK67rN4pdSaIpitxPBQebThWkD2G2A9M6HqCILn2jU8Qdoo8M5KZ2ZD6 grsx46BGQxVY9IRujkkCbUK6FRvz3ZdyaE3lPPfzQqhwlfl8ifPT6WKfLPoG7ZTMQx79 TM1YfMyej/BGcD7L/84GakXYRBTFAmVMMMgRKINHE3dRngLAlPzEDQVifildH7q9qMsg uf5xvgTE14JBmckXhwl9rq9XOEbT48xYs53YdwkQFYzgOBcnJSZobW55xliazczxBt4j 1kt2gz0oKvs32GZ96R2E1Mv7NpRE3zNP40rDN+MEQ+M4iF1bxCqXnho1s7bp0D+WmY53 z6zA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2HNgmYiL51ci6/vLxFvFrVjB4kjVwvMozPx9wngZffs=; b=MLi7ogDSdZHSqUtbQCt3VnUfuRRZHipb5IbPgkh3g1z8L0k1Y1RamDma7kOzqBt8Jz vfCDFL6qhONiY3lGuARu4eJDIxRSih+3VC30vLD6YgZRq8D8DWEfeR3PfrUSEMlfzckN EqSSI1krJHGEfKxmcWVjXjF4xa9K0R7VDxuREFW0eR9ooSRR6+rlxRVvAf6fKf8kJp/9 Drw7257OxxYkaplt/SFQulYYELpv2wFK9jSXp0zJYtA/UzGTtuXJy0UgwVuLgHmDzYbC ql28O92aKTqP4f75MxvEPLQ1J4uYb0UQs+tw2JsfwEhQiS9wvo62JFRIg30NZtoEZeES KRgQ==
X-Gm-Message-State: AOAM533kA7ZQB4EwuYw6EnbxdIJ578d1LLyEWkYff/8AbB/sfIcy4dYL rIQoCJHSmi9juQY6lVjxT4yS/q7AHbtah1ULEaU=
X-Google-Smtp-Source: ABdhPJxeVt8YRV2pRgBfDUlS9p+2BHRQSftpmgjOXcrIpvgjv2SdfBlSwi/1BlFLrl4vWsCJwSC6iDSIBKapK1bU2HQ=
X-Received: by 2002:a9d:3e57:: with SMTP id h23mr13369378otg.44.1593439762148; Mon, 29 Jun 2020 07:09:22 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoC3E9cTX7y-E4E-EY7VenhymT3jB+1=SYwV7XOWPCxqVA@mail.gmail.com> <4642013A-3A2E-42C8-8604-67031D78B757@cisco.com>
In-Reply-To: <4642013A-3A2E-42C8-8604-67031D78B757@cisco.com>
From: Oleg Pekar <oleg.pekar.2017@gmail.com>
Date: Mon, 29 Jun 2020 17:09:10 +0300
Message-ID: <CABXxEz_OVwnd2iENF_59o1otzPyGELdCBFNb8u8UkEsM45rgxw@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: Joseph Salowey <joe@salowey.net>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fe710705a9399abd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/TDgeuumtH0i2yH-Rt-jnI4O4Mos>
Subject: Re: [Emu] TEAP errata 5770
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2020 14:09:25 -0000

Joe, nice proposal. Few questions:
1. We have a case of Basic Password Authentication instead of inner method
thus we should also use Crypto-Binding TLV based on Zero-MSK after it
2. As Eliot mentioned, we have a case of no inner method at all - we should
use Crypto-Binding TLV based on Zero-MSK after it
3. Since it is not clear whether MSK or Zero-MSK is used - we should
introduce a new flag value for Crypto-Binding TLV: "0" - Zero-MSK
based Compound MAC is used in place of MSK Compound MAC field.
4. We have a TLS-PRF usage ambiguity here (Errata 5127 and 5128):
TLS 1.2 RFC 5246 in section "5.  HMAC and the Pseudorandom Function"
defines PRF(secret, label, seed) = P_<hash>(secret, label + seed)

TEAP RFC uses TLS-PRF several times:
* IMSK = First 32 octets of TLS-PRF(EMSK, "TEAPbindkey@ietf.org" | "\0" |
64)
  The call refers to RFC 5295 that defines USRK = KDF(EMSK, key label |
"\0" | optional data | length) but that RFC says "USRKs MUST be at least 64
octets in length" and IMSK is 32 octets
* IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", IMSK[j], 60)
* MSK  = TLS-PRF(S-IMCK[j], "Session Key Generating Function", 64) and
similar for EMSK

We can see that all three times the parameters are different and don't
exactly fit the definition and this creates some confusion.

In the other earlier thread you mentioned that truncation of 64-octets USRK
to 32 octet is valid. In yet another thread you mentioned that we should
define TLS-PRF function with the output size as a parameter and we should
just concatenate for all TLS-PRF calls all the parameters starting from the
second. Is that understanding correct? This should be also helpful when
mapping to TLS1.3 HKDF extract and expand functions.

Thanks
Oleg

On Thu, Oct 10, 2019 at 11:00 AM Eliot Lear <lear@cisco.com> wrote:

> Just one comment:
>
> TEAP does not *require* an inner method, and indeed for IoT it is not
> necessary.
>
> Eliot
>
> On 9 Oct 2019, at 07:46, Joseph Salowey <joe@salowey.net> wrote:
>
> Based on Jouni's analysis the derivation of the S-IMCKs is not well
> specified.  To me it looks like the solution to handle an arbitrary number
> of methods that may or may not make an EMSK available would be fairly
> complex.
>
> I think the most straight forward solution is to either always assume that
> for an EMSK generating method the EMSK is either always available or always
> unavailable.  It seems that it is safer to always assume that the EMSK is
> unavailable and will therefore never be used.  I think this has the
> following implications:
>
> -  The S-IMCK is always generated from the inner method MSK or the
> all-zero value if the method does not generate key material.
> -  The EMSK compound MAC is not used
> -  Implementations must have a policy that accepts MSK MACs
>
> It would appear that from a cryptographic analysis point of view the MSK
> and EMSK are equivalent since these keys will only be used in these
> TEAP calculations and not for other purposes..  There are documented
> drawbacks of using the MSK described in RFC7029 (
> https://tools.ietf.org/html/rfc7029#page-12).   If the properties of the
> EMSK binding are needed in the use cases currently under consideration then
> I think we could redefine the way the EMSK MAC to be computed from the EMSK
> of the inner method changing the above to
>
> -  The S-IMCK is always generated from the inner method MSK or the
> all-zero value if the method does not generate key material.
> - Compute EMSK MAC from the inner-method EMSK instead of the S-IMCK
>      Compound-MAC = MAC( EMSK[J], BUFFER )
> -  Implementations have a policy that prevents EMSK downgrade to MSK
>
> Hopefully there is a more elegant solution. Any ideas?
>
> Joe
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>
>
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>

v2.23.0 | Report a Bug | By Email