IETF Logo Mail Archive

[Gen-art] RE: Gen-ART review of draft-martin-ibcs-03

"Luther Martin" <martin@voltage.com> Tue, 01 May 2007 21:48 UTC

Return-path: <gen-art-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hj0DI-0004kd-B2; Tue, 01 May 2007 17:48:48 -0400
Received: from gen-art by megatron.ietf.org with local (Exim 4.43) id 1Hj0DH-0004iM-7h for gen-art-confirm+ok@megatron.ietf.org; Tue, 01 May 2007 17:48:47 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hj0DG-0004iD-Sn for gen-art@ietf.org; Tue, 01 May 2007 17:48:46 -0400
Received: from mail.voltage.com ([209.213.222.98]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Hj0DE-0001fa-FL for gen-art@ietf.org; Tue, 01 May 2007 17:48:46 -0400
Received: from influenza.voltage.com (influenza.voltage.com [172.16.0.77]) by mail.voltage.com (8.13.7/8.13.7) with ESMTP id l41Lmr0P023005; Tue, 1 May 2007 14:48:53 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 01 May 2007 14:48:58 -0700
Message-ID: <1C01650B36DD3746867EA0B30E3B9819C276FB@influenza.voltage.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Gen-ART review of draft-martin-ibcs-03
Thread-Index: Acd2LPG7dNbUer4mS5igtGL0dmPHWQA0p9cgAAKOgRAFG6cUsA==
References: <F222151D3323874393F83102D614E055068B91B6@CORPUSMX20A.corp.emc.com> <1C01650B36DD3746867EA0B30E3B9819579586@influenza.voltage.com> <F222151D3323874393F83102D614E055068B91D1@CORPUSMX20A.corp.emc.com>
From: Luther Martin <martin@voltage.com>
To: Black_David@emc.com, gen-art@ietf.org, Xavier Boyen <xavier@voltage.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=4.65.5502:2.3.11, 1.2.37, 4.0.164 definitions=2007-05-01_01:2007-04-28, 2007-04-30, 2007-05-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 phishscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=3.1.0-0703060001 definitions=main-0705010075
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a2c12dacc0736f14d6b540e805505a86
Cc: lnoll@neoscale.com
Subject: [Gen-art] RE: Gen-ART review of draft-martin-ibcs-03
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org

David,
David,

Some comments are in-line below. 

We've added hash agility, specifying a different hash algorithm for each
of the defined levels of bit security as well as including an additional
parameter that defines the hash function used in each of the relevant
algorithms. 

We've also added the longer key lengths that the extremely
security-conscious might want - now specifying parameters for up to and
including the equivalent of 256 bits of symmetric strength. 

> > Next, regarding point [3], the algorithms described in this draft
are
> > public-key algorithms and are definitely not stream ciphers.
> 
> I stand behind point [3], here's a longer explanation and example:
> 
> At least Section 8.4 and 8.5 perform encryption and decryption by
> XOR-ing a keystream with the plaintext or ciphertext (Sections
> 5.4 and 5.5 appear to do likewise, but there are potential mistakes
> in those sections that make this somewhat unclear).  While "stream
> cipher" may not be a precise term for these constructs, they are
> at least a stream-cipher-like operating mode for the public key
> algorithms.  In particular, they are subject to <key,IV> reuse
> concerns that apply to stream ciphers.
> 
> Specifically, for section 8.4, the actual encryption step for the
> message m is:
> 	y = HashStream(|m|, h') XOR m
> where h' does not depend on m, so if the same s (effectively an IV)
> is ever used twice with the same identity and public parameters for
> different messages that have the same length (e.g., m1 and m2), the
> HashStream element will be the same, so one can obtain the XOR of
> the plaintext messages by XORing the corresponding ciphertexts, i.e.:
> 	y1 XOR y2 = m1 XOR m2
> This is usually considered undesirable, as it tends to leak
information
> about m1 and m2.  At a minimum, this needs to be discussed in the
> security considerations section, even if the countermeasures to
> prevent this from happening are left to other documents that apply
> these algorithms to particular contexts.

We've added text that says that users SHOULD use a PRNG like those
specified in FIPS 186-2 or X9.62. I believe that the definition of
"random" should take care of this. After all, if your source of entropy
is random enough, then the probability of generating the same random
value twice is cryptographically small.

> 
> > Are architectural issues, like the restrictions on letting arbitrary
> > clients decrypt on behalf of an arbitrary identity, more suitable
for
> > other documents? After all, this document just describes two
> > cryptographic algorithms. Are issues surrounding their applications
> > better described elsewhere?
> 
> Yes and no.  Let me start with an apology.  The following text from
> my review is not correct:
> 
> -> It is *very* important to understand that the ability to encrypt
> -> or decrypt on behalf of an identity is not proof of that identity,
> -> and hence the mechanisms described in this draft MUST NOT be used
> -> for authentication purposes, and any identity used with these
> -> mechanisms MUST be authenticated or verified by other means.
> 
> With a suitably configured key server including proper use of
> authentication with key server clients, proof of possession of
> the private key for an identity could be used as proof of that
> identity (i.e., authentication), but the configuration restrictions
> are important.  In any case, the above text is wrong as written,
> and I apologize for that mistake.
> 
> At the very least, the draft needs an architectural diagram showing
> the key server and the clients showing which keys flow where for
> at least one example - that would have saved me from this mistake,
> and the fact that I made it is a backhanded indication that such
> a diagram and associated discussion is needed.  I think that
> discussion also needs to bring out the dependence on the key
> server and authentication to the key server in restricting
> availability of private keys to their corresponding identities
> if one intends to use them for authentication.
> 

There is another draft that gives an overall description of a complete
IBE system. We've added a reference to that document. 

I have a draft that includes the above comments; let me know what
additional points need to be addressed.

Luther



_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www1.ietf.org/mailman/listinfo/gen-art

v2.23.0 | Report a Bug | By Email