IETF Logo Mail Archive

Re: [Gen-art] Gen-ART review of draft-ietf-marf-redaction-04

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 11 January 2012 19:02 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E70B921F852F; Wed, 11 Jan 2012 11:02:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xmsPyCy0PuVz; Wed, 11 Jan 2012 11:02:48 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 4BCBB21F84D4; Wed, 11 Jan 2012 11:02:48 -0800 (PST)
Received: from sn87.proper.com (sn87.proper.com [75.101.18.87]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id q0BJ2kd0059299 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 11 Jan 2012 12:02:47 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="iso-8859-1"
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <7C4DFCE962635144B8FAE8CA11D0BF1E05A7B80D63@MX14A.corp.emc.com>
Date: Wed, 11 Jan 2012 11:02:45 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <636DA6C1-48E5-4A3D-BEE8-B6AD46E7DF49@vpnc.org>
References: <7C4DFCE962635144B8FAE8CA11D0BF1E05A7B80D63@MX14A.corp.emc.com>
To: IETF Discussion <ietf@ietf.org>
X-Mailer: Apple Mail (2.1251.1)
Cc: gen-art@ietf.org, marf@ietf.org
Subject: Re: [Gen-art] Gen-ART review of draft-ietf-marf-redaction-04
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2012 19:02:49 -0000

On Jan 10, 2012, at 6:44 PM, <david.black@emc.com> <david.black@emc.com> wrote:

> [1] The first open issue is the absence of security guidance to ensure that this
> redaction technique effectively hides the redacted information.  The redaction
> technique is to concatenate a secret string (called the "redaction key") to the
> information to be redacted, apply "any hashing/digest algorithm", convert the output
> to base64 and use that base64 string to replace the redacted information.
> 
> There are two important ways in which this technique could fail to effectively hide
> the redacted information:
> 	- The secret string may inject insufficient entropy.
> 	- The hashing/digest algorithm may be weak.
> 
> To take an extreme example, if the secret string ("redaction key") consists of a
> single ASCII character, and a short email local part is being redacted, then the
> output is highly vulnerable to dictionary and brute force attacks because only 6 bits
> of entropy are added (the result may look secure, but it's not).  Beyond this extreme
> example, this is a potentially real concern - e.g., applying the rule of thumb that
> ASCII text contains 4-5 bits of entropy per character, the example in Appendix A
> uses a "redaction key" of "potatoes" that injects at most 40 bits of entropy -
> is that sufficient for email redaction purposes?
> 
> To take a silly example, if a CRC is used as the hash with that sort of short input,
> the result is not particularly difficult to invert.
> 
> I suggest a couple of changes:
> 1) Change "any hashing/digest algorithm" to require use of a secure hash, and
> 	explain what is meant by "secure hash" in the security considerations section.

Simply saying "any hash algorithm listed in [FIPS180-3]" is precise and sufficient.

> 2) Require a minimum length of the "redaction key" string, and strongly suggest
> 	(SHOULD) that it be randomly generated (e.g., by running sufficient output
> 	of an entropy-rich random number generator through a base64 converter).

Proposal: "The redaction key SHOULD be based on at least 64 bits of pseudo-random input that is converted to base64".

> [2] The second open issue is absence of security considerations for the redaction
> key.  The security considerations section needs to caution that the redaction key
> is a secret key that must be managed and protected as a secret key.  Disclosure
> of a redaction key removes the redaction from all reports that used that key.

Agree.

> As part of this, guidance should be provided on when and how to change the
> redaction key in order to limit the effects of loss of secrecy for a single
> redaction key.

Disagree, given that we have absolutely no idea how systems that use this will work operationally. Simply telling them "if it is no longer secret, you're hosed" is sufficient.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email