Re: [Hipsec] HIT Suites and algorithms used in RFC5201-bis
René Hummen <rene.hummen@cs.rwth-aachen.de> Mon, 27 December 2010 14:09 UTC
Hello Tobias,

On 09.12.2010, at 11:26, Tobias Heer wrote:
> Hello,
>
> we have consolidated the set of algorithms to be used in RFC5201 and would like
> to present it to the list and ask for feedback.
>
> We have three HIT Suites. The HIT Suites define the algorithms that are used
> for generating a HIT/Orchid. It also defines which HMAC flavor will be used in
> HIP control packets.
>
>
> HIT Suite          ID
> RESERVED           0
> RSA,DSA/SHA-1      1   (REQUIRED)
> ECDSA/SHA-384      2   (RECOMMENDED)
> ECDSA_LOW/SHA-1    3   (RECOMMENDED)
>
> RSA,DSA/SHA-1 represent the class of HITs we have today with HIP version 1. All
> contained Algorithms (RSA and DSA) must be supported by hosts that implement
> this suite.
>
> ECDSA/SHA-384 bundles two ECC curves (NIST P-256 and P-384) with SHA-384. Both
> curves must be implemented by hosts that implement this HIT suite.
>
> ECDSA_LOW/SHA-1 is meant for devices with limited computation capabilities. It
> uses the SECP160R curve from SECG.
>
> If we want to make a bold move towards ECC cryptography (and make packet
> fragmentation, etc. less likely) we could change the REQUIRED and RECOMMENDED
> tags so that we REQUIRE the ECDSA/SHA-384 HIT SUITE and make the other two
> recommended. Any comments on this?

With either RSA,DSA/SHA-1 or ECDSA/SHA-384 required, how could a HIP
implementation for low resource devices (only supporting ECDSA_LOW/SHA-1) be
standard compliant? In this respect, does it make sense to only have a single
ECDSA family instead of separating between ECDSA and ECDSA_LOW?

BR,
René

--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 20772
web: http://www.comsys.rwth-aachen.de/team/rene-hummen/