IETF Logo Mail Archive

Re: [Emu] Processing of TEWAP erratum 5127

Joseph Salowey <joe@salowey.net> Fri, 24 January 2020 05:05 UTC

Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4F86120041 for <emu@ietfa.amsl.com>; Thu, 23 Jan 2020 21:05:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E5NKqQxwhTTa for <emu@ietfa.amsl.com>; Thu, 23 Jan 2020 21:05:05 -0800 (PST)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57715120020 for <emu@ietf.org>; Thu, 23 Jan 2020 21:05:05 -0800 (PST)
Received: by mail-qk1-x732.google.com with SMTP id z76so944924qka.2 for <emu@ietf.org>; Thu, 23 Jan 2020 21:05:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NBMaa22kQlikZLhIaX2Q5P59VT3zaT9UxZrNX7RPxTQ=; b=Nu9L2a7MKau/QYkxgB/DiK4Y/dYd+901wwtokFu0SwOZCG4RrgIgCZ5wPVB9oDlLeQ iLycMycrvyrFYCyCD5UQaRaLYNzARhZrh7JqXHnT8aaMeGBuIQykZcuIXeqxE3Grf9n3 I7HdwxR6042YIvr9+CG9wSRpnXbwF0aKw+O1zQt/wuyXGZQqRZeq1ByU+SQ8gxwMay3m J51ROnKrb/29OzBG1dXCHUD2ZRbENniCPUIMjy0Oe4zHecYVCMX4CBowVrOb/asZ/Tbx Uqdt/IBHT6KFXHitTZl1Qs7yIKgeq3lXlmRNPzhUoqkZSufDQ43EU/ie1Tv9NcdprYAJ SuuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NBMaa22kQlikZLhIaX2Q5P59VT3zaT9UxZrNX7RPxTQ=; b=Zw6gplzbT745TFmGRbV5RpbhixSP8u9pUVqWIx7dTNGovNvtSaFbagWgrvfBYdQUpn YlBPJD81NirW4YTw9bPbmSWaoNrgtutJ1ROgdD19VdcoZ5BhQgF2BDdav5p1Z3Npd1xf TQH0PtWHOOqGmY77WHfXt9vvkjdVYhplfihEi4UBRxHmcjGxoePsLgCF8cRXF+YXfqxz 8M07+fcXScHmbJiojC2DYlp2egxuiAvxaHrWbxkvoMiNYFPZFn+26k8d3CxVafBE9cZ6 vyvMBj0RjnokFBqR3VN6GLJsh1tDLKEWUuTjqWz2/1YJhhICG2T11gILiZEm0RjZUs21 mOqg==
X-Gm-Message-State: APjAAAUq7XVkgm4f3hKg0tiZPpPWkia59gzaGNd58uqrjVyWDiGi5Mkd JcBtju82dJkHkANb+7FZTND3pziWZsq5reG1ggZECg==
X-Google-Smtp-Source: APXvYqxxXK2G6YPvyXyBSq2HGeycP7uYhmxexcsLgmG2H/bVzaDklnlq7cEfbTECxg7YjoX/m4zOXCuk7bkl+EuqzHQ=
X-Received: by 2002:a37:84a:: with SMTP id 71mr974000qki.138.1579842304338; Thu, 23 Jan 2020 21:05:04 -0800 (PST)
MIME-Version: 1.0
References: <7E638208-B23C-4740-B51D-96CDF959BC71@cisco.com> <20191124113142.GA4381@w1.fi> <B3A11009-A3E7-4C0C-A830-370596A57CD8@cisco.com>
In-Reply-To: <B3A11009-A3E7-4C0C-A830-370596A57CD8@cisco.com>
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 23 Jan 2020 21:05:19 -0800
Message-ID: <CAOgPGoB-Wt1Bhwi3ukGtDA6Ajd4xZFBhZAbtNJQnUw+7_8YHEg@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: Jouni Malinen <j@w1.fi>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000059fd02059cdbb333"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/bGAHGfmeQyTrPH_rj75hKFdCNuM>
X-Mailman-Approved-At: Fri, 24 Jan 2020 06:24:43 -0800
Subject: Re: [Emu] Processing of TEWAP erratum 5127
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 05:05:10 -0000

On Mon, Nov 25, 2019 at 5:43 AM Eliot Lear <lear@cisco.com> wrote:

> Hi Juoni,
>
> Thanks for taking the time.  I suspect this will take a few iterations to
> get the actual text right, as I am drinking water from a fire hose here.
> Please bear with me.
>
> On 24 Nov 2019, at 12:31, Jouni Malinen <j@w1.fi> wrote:
>
> On Fri, Nov 22, 2019 at 05:21:10PM +0800, Eliot Lear wrote:
>
> I have been reviewing this erratum, and I think it is correct, but I have
> a question:
>
> Section 5.2. says:
>
> IMSK = First 32 octets of TLS-PRF(EMSK, "TEAPbindkey@ietf.org" |
>     "\0" | 64)
> It should say:
>
> IMSK = First 32 octets of TLS-PRF(EMSK, "TEAPbindkey@ietf.org" |
>     "\0", 64)
>
>
> Is that last parameter “seed” or “seed size”?  Confusedly yours.
>
>
> It's neither.. The main problem here is in RFC 7170 not defining
> TLS-PRF() properly. All it says is "TLS-PRF is the PRF negotiated as
> part of TLS handshake" while RFC 5246 does not define PRF as a function
> with arguments that would be compatible with even a single instance of
> TLS-PRF() use in RFC 7170..
>
>
>
[Joe] Looking at this again I do not think the errata is correct, but the
text is this section is confusing.

"If an inner method supports export of an Extended Master Session Key

   (EMSK), then the IMSK SHOULD be derived from the EMSK as defined in
   [RFC5295 <https://www.rfc-editor.org/rfc/rfc5295>]. "


RFC5295 specifies the KDF signature


"USRK = KDF(EMSK, key label | "\0" | optional data | length)"


The IMSK adds confusion by substituting the TLS 1.2 PRF for the KDF. I
believe the intent here is to map this to the following in RFC5246


IMSK = First 32 octets of P_<hash>(EMSK, "TEAPbindkey@ietf.org"| "\0"   |   64)


I don't think the errata text is correct.   It should either use the
existing text or the clarification using P_<hash> form 5246 above.


The other key derivation in the spec are ambiguous as Jouni indicates,
but I need to give my brain a rest before I tackle those.





>
> And the RFC 7170 uses are inconsistent with
> themselves like this erratum show, but this instance is not the only
> issue: TLS-PRF() is used with two, three, and even four arguments.
>
>
>
> Indeed.  So that we’re clear, here they are:
>
> Section 5.2:
>  IMSK = First 32 octets of TLS-PRF(EMSK, "TEAPbindkey@ietf.org" |
>      "\0" | 64)
>
>
> 2 args.
>
> Later, same section:
>
> IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys",
>                 IMSK[j], 60)
>
> 4 args.
>
> And then further down:
>
>  MSK  = TLS-PRF(S-IMCK[j], "Session Key Generating Function", 64)
>  EMSK = TLS-PRF(S-IMCK[j],
>            "Extended Session Key Generating Function", 64)
>
>
> 3 args.
>
>
> And 5246 says:
>
> PRF(secret, label, seed) = P_<hash>(secret, label + seed)
>
> And so I agree with you that nowhere is there a length field for the
> return value in RFC 5246.
>
>
> This
> leaves the implementer guessing what exactly these maps to..
>
> RFC5246 The Transport Layer Security (TLS) Protocol Version 1.2
> 5. HMAC and the Pseudorandom Function
> "TLS's PRF is created by applying P_hash to the secret as:
> PRF(secret, label, seed) = P_<hash>(secret, label + seed)"
>
>
> So this PRF(secret, label, seed) is what is available and RFC 5246 does
> not define that 64 part in the example above as an argument. That 64 is
> the number of octets of output that is fetched from the PRF.
>
> In other words, RFC 7170 should have defined TLS-PRF(secret, label,
> seed, output-len-in-octets) as taking output-len-in-octets of octets
> from the output of RFC 5246 PRF(secret, label, seed). With this,
> following fixes would be needed for the users for TLS-PRF() in RFC 7170:
>
> IMSK:
> This could be one of following (last two having identical outcome):
> TLS-PRF(EMSK, "TEAPbindkey@ietf.org", "", 64)
> TLS-PRF(EMSK, "TEAPbindkey@ietf.org", "\0", 64)
> TLS-PRF(EMSK, "TEAPbindkey@ietf.org", "\0" | 0x00 | 0x40, 64)
> TLS-PRF(EMSK, "TEAPbindkey@ietf.org", 0x00 | 0x00 | 0x40, 64)
>
> However, this TLS-PRF() instance is more strange.. The "Optional data
> parameter is not used in the derivation" part does not make any sense
> since I think "optional data parameter" is a reference to the seed value
> going into PRF.
>
>
>
> Could it be that this text refers to RFC 5295:
>
>  If an inner method supports export of an Extended Master Session Key
>  (EMSK), then the IMSK SHOULD be derived from the EMSK as defined in
>  [*RFC5295*].  The usage label used is "TEAPbindkey@ietf.org", and the
>  length is 64 octets.  *Optional data parameter is not used in the*
> * derivation.*
>
>
> USRK = KDF(EMSK, key label | "\0" | optional data | length)
>
> Which perhaps is meant to translate to:
>
> IMSK = KDF(EMSK, “TEAPbindkey@ietf.org”, 64)
>
> But again, only when the inner method supports export of the EMSK.  Note
> the text below, by the way:
>
> USRKs MUST be at least 64 octets in length.
>
>
>
> However we interpret the text, it seems that either the argument count is
> wrong or the function is wrong.
>
> The following description is then clearly indicating
> that "\0" is 0x00 and length (that | 64) is "2-octet unsigned integer in
> network byte order".  That seems to be talking about some binary data
> and the seed is the only place where such byte order and field size
> discussion would apply. I'm actually implementing that last one because
> of that discussion in the RFC.
>
> It should also be noted that the "First 32 octets of TLS-PRF(..., 64)"
> does not make much sense since "TLS-PRF(..., 32)" would cover same. This
> would seem to imply that "First 32 octets of TLS-PRF" could actually be
> trying to address that PRF argument mismatch. Anyway, maybe this should
> simply say:
>
> IMSK = TLS-PRF(EMSK, "TEAPbindkey@ietf.org", 0x00 | 0x00 | 0x40, 32)
> (or with empty seed "" instead of that 3 octet seed)
>
>
> I’m really not sure what adding a known seed gets us at this point.
>
>
> The "and the length is 64 octets" part just above this is a bit
> confusing with this, though.
>
>
>
>
> IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", IMSK[j], 60)
>   (this is actually unchanged)
>
> MSK = TLS-PRF(S-IMCK[j], "Session Key Generating Function", "", 64)
>   (i.e., add the missing empty seed)
>
> EMSK = TLS-PRF(S-IMCK[j],
>           "Extended Session Key Generating Function", "", 64)
>   (i.e., add the missing empty seed)
>
>
>
> On the last two, entropy is thus borrowed from S-IMCK[j].  Correct?  I
> don’t have the full flow in my head, but are these indepedently generated
> on both sides, right?  If so, I don’t see any other alternative to what you
> are suggesting.
>
>



> Eliot
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>

v2.23.0 | Report a Bug | By Email