IETF Logo Mail Archive

Re: [Emu] Processing of TEWAP erratum 5127

Joseph Salowey <joe@salowey.net> Mon, 27 January 2020 04:46 UTC

Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1856F1200CC for <emu@ietfa.amsl.com>; Sun, 26 Jan 2020 20:46:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u976m8As9ow7 for <emu@ietfa.amsl.com>; Sun, 26 Jan 2020 20:46:08 -0800 (PST)
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1023A12008A for <emu@ietf.org>; Sun, 26 Jan 2020 20:46:08 -0800 (PST)
Received: by mail-qk1-x729.google.com with SMTP id k6so8446322qki.5 for <emu@ietf.org>; Sun, 26 Jan 2020 20:46:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fWd49woUf3pwQfobdM14HCjVXrTuPufcCxHXdIbV22g=; b=Q2YxsZbiAlLaYczlLPddkhF7BuhpT9noNEbb2dJQXuMo/ok3RDk0SsdBBiMNstgSXm lYcZMlVCRD4ZWD2ebzdh+Q8IFIUsOW92GMga7VajeFyJr0i782QtkVglJQF14P3ocATl JnnL0z1CiWaxUrym1KhGr4Ohl2MsetyRCBWVUsOMyMtYiHoR/iS912+e1ztZkQVAtLIs V2vnV7ESUGJ+wmgD+uypW5zwaPhH1xDx7Jt1O4KjDF+FIrivoxRasAyBK3Jr8P979zFr 0DE9hg8ul3U/5tukzLAIkZM1+eoDmbR8QfoCldd4chzVKIYAPFedKnaGBbAgUbSCwWm9 LWng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fWd49woUf3pwQfobdM14HCjVXrTuPufcCxHXdIbV22g=; b=bOrZyFiMVQIMh11ZIK4YJIB7uUtST6nHYFOIGNuJJzqQ09/k6AVG18uM4H/MT0jHiN Gjr/ktbaCWu5n/9bzAIe+VrV481qaWZDgyNRnvirOQZXU4fsV3isiH1h3RtU0Pymr6Qh ag9Zz9BTDSkVCKcfSp+y+juaTrkK71WHNUzck6du+DJlavC95gObSy9kQssz4j1PaU9d gUXg81Jad7u6VZbY94bsu/WUF+0ywBZLYwJS2IQXKB4gKwDae4+NkQgcu5M+b6EATZeP 8+BWDCYtqNG0+hzkmAIrUYorOqDXFBKBPwAkiePHBg7W0pXGjBSQv+yw/f2dbfVLZLUX 8BXw==
X-Gm-Message-State: APjAAAVD2oyDGKIZlrbsiCbvsk3mk3gzLW2evIM8cwKDW/vLucVEDYbL YKDSHp92fQ10R4A5Cas6K4Xge77FhfRrYwVze1G0dhtox0KLFg==
X-Google-Smtp-Source: APXvYqySbZqii72XY7sv+my4EBG592Wi1+61vpj1Jkpw7sYZLepxrVm+dLi97KQW6VN10CQ5bA3kP9xGvaYmsfTFYj4=
X-Received: by 2002:a37:9c8b:: with SMTP id f133mr14649761qke.375.1580100367042; Sun, 26 Jan 2020 20:46:07 -0800 (PST)
MIME-Version: 1.0
References: <7E638208-B23C-4740-B51D-96CDF959BC71@cisco.com> <20191124113142.GA4381@w1.fi> <B3A11009-A3E7-4C0C-A830-370596A57CD8@cisco.com> <CAOgPGoB-Wt1Bhwi3ukGtDA6Ajd4xZFBhZAbtNJQnUw+7_8YHEg@mail.gmail.com>
In-Reply-To: <CAOgPGoB-Wt1Bhwi3ukGtDA6Ajd4xZFBhZAbtNJQnUw+7_8YHEg@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Sun, 26 Jan 2020 20:46:18 -0800
Message-ID: <CAOgPGoDdkOgD5hB5Ve6k42qZjeHWPcQownT5XoSpwoct4+G5mw@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: Jouni Malinen <j@w1.fi>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000165d01059d17c961"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/tUTTcdQMxVWJ3sFkDRAs7pz3M-k>
Subject: Re: [Emu] Processing of TEWAP erratum 5127
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jan 2020 04:46:10 -0000

>
>> Could it be that this text refers to RFC 5295:
>>
>>  If an inner method supports export of an Extended Master Session Key
>>  (EMSK), then the IMSK SHOULD be derived from the EMSK as defined in
>>  [*RFC5295*].  The usage label used is "TEAPbindkey@ietf.org", and the
>>  length is 64 octets.  *Optional data parameter is not used in the*
>> * derivation.*
>>
>>
>> USRK = KDF(EMSK, key label | "\0" | optional data | length)
>>
>> Which perhaps is meant to translate to:
>>
>> IMSK = KDF(EMSK, “TEAPbindkey@ietf.org”, 64)
>>
>> But again, only when the inner method supports export of the EMSK.  Note
>> the text below, by the way:
>>
>> USRKs MUST be at least 64 octets in length.
>>
>>
>>
>> However we interpret the text, it seems that either the argument count is
>> wrong or the function is wrong.
>>
>> The following description is then clearly indicating
>> that "\0" is 0x00 and length (that | 64) is "2-octet unsigned integer in
>> network byte order".  That seems to be talking about some binary data
>> and the seed is the only place where such byte order and field size
>> discussion would apply. I'm actually implementing that last one because
>> of that discussion in the RFC.
>>
>> It should also be noted that the "First 32 octets of TLS-PRF(..., 64)"
>> does not make much sense since "TLS-PRF(..., 32)" would cover same. This
>> would seem to imply that "First 32 octets of TLS-PRF" could actually be
>> trying to address that PRF argument mismatch. Anyway, maybe this should
>> simply say:
>>
>> IMSK = TLS-PRF(EMSK, "TEAPbindkey@ietf.org", 0x00 | 0x00 | 0x40, 32)
>> (or with empty seed "" instead of that 3 octet seed)
>>
>>
>>
> I’m really not sure what adding a known seed gets us at this point.
>>
>>
[Joe] The intent is that the IMSK derivation uses the USRK derivation of
RFC 5295.  The label, null and 2-byte length are defined in that
specification.  (P_<hash> is defined in RFC 5246)

IMSK = P_<hash> (EMSK, "TEAPbindkey@ietf.org" | 0x00 | 0x00 | 0x40)

P_<hash> is iterated to generate 64 bytes, the output is truncated to 32.
If we add a parameter to the P_<hash>  to define the length, this would be

IMSK = Truncate(P_<hash>(EMSK, "TEAPbindkey@ietf.org" | 0x00 | 0x00 | 0x40,
64), 32)


>
>> The "and the length is 64 octets" part just above this is a bit
>> confusing with this, though.
>>
>> [Joe]  In particular its not clear If the same construction should be
used for the other derivations. For example, whether to include the output
length into the data fed into the PRF or not or if there is a null between
the label and the seed.  I believe the intent was the following:
>
> IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", IMSK[j], 60)
>>
>>   (this is actually unchanged)
>>
>> IMCK[j] =  P_<hash>(S-IMCK[j-1], "Inner Methods Compound Keys", | 0x00 |
IMSK[j] | 0x00 | 0x3C, 60)

> MSK = TLS-PRF(S-IMCK[j], "Session Key Generating Function", "", 64)
>>   (i.e., add the missing empty seed)
>>
>>
MSK = P_<hash>(S-IMCK[j], "Session Key Generating Function" | 0x00 | 0x00 |
0x40, 64)

>
>> EMSK = TLS-PRF(S-IMCK[j],
>>           "Extended Session Key Generating Function", "", 64)
>>   (i.e., add the missing empty seed)
>>
>>
EMSK = P_<hash>(S-IMCK[j], ""Extended Session Key Generating Function" |
0x00 | 0x00 | 0x40, 64)

>
>>
>>
>> On the last two, entropy is thus borrowed from S-IMCK[j].  Correct?  I
>> don’t have the full flow in my head, but are these indepedently generated
>> on both sides, right?  If so, I don’t see any other alternative to what you
>> are suggesting.
>>
>>
>
[Joe]  THis is not the only the derivation could be interpreted.  The null
after the label and the inclusion of the length are part of RFC 8295 and
not the TLS PRF.   To fix this errata I think we should define the TLS-PRF
to be P_<hash> with a length parameter for TLS 1.2  and then use the
definitions above that explicitly define the 3 inputs.   TLS 1.3 defines
the PRF in terms of HKDF extract and expand functions from RFC 5869 so
there would need to be some mapping to 1.3 as well.

v2.23.0 | Report a Bug | By Email