Re: [Hipsec] [Tm-rid] Fwd: New Version Notification for draft-moskowitz-hip-new-crypto-04.txt

Robert Moskowitz <rgm@labs.htt-consult.com> Fri, 24 January 2020 13:41 UTC

To: Daniel Migault <daniel.migault@ericsson.com>
Cc: "tm-rid@ietf.org" <tm-rid@ietf.org>, hipsec@ietf.org
References: <157979422864.22806.5435940336310786424.idtracker@ietfa.amsl.com> <2e4a29e3-e4ca-22f4-ec50-105e53359b41@labs.htt-consult.com> <CADZyTkn48RWo+rvza=DFsY4RU3=nTNv+6VuBSvFLXqF53xC6eg@mail.gmail.com>
From: Robert Moskowitz <rgm@labs.htt-consult.com>
Message-ID: <0c9949d8-2d37-b1f7-eb53-84f200897ebe@labs.htt-consult.com>
Date: Fri, 24 Jan 2020 08:41:14 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <CADZyTkn48RWo+rvza=DFsY4RU3=nTNv+6VuBSvFLXqF53xC6eg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------5BBB26A04AA57AF358C77262"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/bMUQmWKKGV9GoXldHCvRQ6nbspo>
Subject: Re: [Hipsec] [Tm-rid] Fwd: New Version Notification for draft-moskowitz-hip-new-crypto-04.txt

I would actually like to make a presentation at SAAG about KMAC as a KDF 
and why the IETF should incorporate it.

SP 800-185 was published back in Dec 2016.  This clearly shows how to 
use KMAC as a replacement for HMAC.  Many in the security community 
'rejected' SHA3 as only marginally faster than SHA256. They missed that 
KMAC is thus 2x as fast as HMAC-SHA256!

SP 800-56Cr1 was published in Apr 2018.  Here it was NOT as clear that 
KMAC as a KDF was a clean replacement for HKDF when the source was an 
ECDH derived secret.  SP 800-108 has not been updated since it was first 
published in Oct 2009.  So there was a reasonable question as to KMAC 
being equal to HKDF for an ECDH derived secret.

But, "anyone skilled in the arts" of understanding crypto algorithms 
(not necessarily at the level to create them) could see from FIPS 202 
(Aug 2015) that the sponge function in the form of SHAKE directly 
performs both processes in HKDF - Extract and Expand.  But it took until 
800-185 for the "approved" method to add keying material into SHAKE.

Thus KMAC as defined in 800-56Cr1 is cryptographically equivalent to 
HKDF with MANY fewer hash operations.

So the standard has been around for some years.  The cryptanalysis is 
that of the sponge function being a PRF; there is no practical limit on 
how much you can squeeze out of the sponge.  Well, there is a limit of 
2^(n-1) bits, I believe.  It has been us crypto-plumbers that have not 
been paying attention.



On 1/24/20 7:45 AM, Daniel Migault wrote:
> Hi,
>
> Thanks Robert for the update. I would like to get feedback from the 
> tmrid and especially hip WG of their thoughts regarding this new proposal.
>
> Bob, could you update the WGs on the maturity level of your proposal 
> as well as the next (technical) steps to complete that work?
>
> Yours,
> Daniel
>
> On Thu, Jan 23, 2020 at 10:47 AM Robert Moskowitz 
> <rgm@labs.htt-consult.com <mailto:rgm@labs.htt-consult.com>> wrote:
>
>     I have added sec 8.2, discussing the security of using KMAC as a
>     KDF.  This is based on a conversation I had with the Keccak team
>     at the IACR conference at Columbia U earlier this month.
>
>     Basically the KMAC output is a PRF and as such can be directly
>     divided into multiple keys.  No need for a compress and expand
>     process on the output of ECDH; this is done implicitly in the sponge.
>
>
>
>
>     -------- Forwarded Message --------
>     Subject: 	New Version Notification for
>     draft-moskowitz-hip-new-crypto-04.txt
>     Date: 	Thu, 23 Jan 2020 07:43:48 -0800
>     From: 	internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>     To: 	Stuart Card <stu.card@axenterprize.com>
>     <mailto:stu.card@axenterprize.com>, Adam Wiethuechter
>     <adam.wiethuechter@axenterprize.com>
>     <mailto:adam.wiethuechter@axenterprize.com>, Robert Moskowitz
>     <rgm@labs.htt-consult.com> <mailto:rgm@labs.htt-consult.com>,
>     Stuart W. Card <stu.card@axenterprize.com>
>     <mailto:stu.card@axenterprize.com>
>
>
>
>
>     A new version of I-D, draft-moskowitz-hip-new-crypto-04.txt
>     has been successfully submitted by Robert Moskowitz and posted to the
>     IETF repository.
>
>     Name: draft-moskowitz-hip-new-crypto
>     Revision: 04
>     Title: New Cryptographic Algorithms for HIP
>     Document date: 2020-01-23
>     Group: Individual Submission
>     Pages: 12
>     URL:
>     https://www.ietf.org/internet-drafts/draft-moskowitz-hip-new-crypto-04.txt
>     Status:
>     https://datatracker.ietf.org/doc/draft-moskowitz-hip-new-crypto/
>     Htmlized:
>     https://tools.ietf.org/html/draft-moskowitz-hip-new-crypto-04
>     Htmlized:
>     https://datatracker.ietf.org/doc/html/draft-moskowitz-hip-new-crypto
>     Diff:
>     https://www.ietf.org/rfcdiff?url2=draft-moskowitz-hip-new-crypto-04
>
>     Abstract:
>     This document provides new cryptographic algorithms to be used with
>     HIP. The Edwards Elliptic Curve and the Keccak sponge functions are
>     the main focus. The HIP parameters and processing instructions
>     impacted by these algorithms are defined.
>
>
>
>     Please note that it may take a couple of minutes from the time of
>     submission
>     until the htmlized version and diff are available at
>     tools.ietf.org <http://tools.ietf.org>.
>
>     The IETF Secretariat
>
>     -- 
>     Tm-rid mailing list
>     Tm-rid@ietf.org <mailto:Tm-rid@ietf.org>
>     https://www.ietf.org/mailman/listinfo/tm-rid
>

-- 
Standard Robert Moskowitz
Owner
HTT Consulting
C:248-219-2059
F:248-968-2824
E:rgm@labs.htt-consult.com

There's no limit to what can be accomplished if it doesn't matter who 
gets the credit
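The point made twice in this thread (the Jan 23 note on the new sec 8.2, and the explanation above of why KMAC collapses HKDF's Extract and Expand into a single sponge pass) can be shown end to end in code. The block below is an added example and is not code from draft-moskowitz-hip-new-crypto, from the Keccak team, or from NIST. Python's hashlib has SHAKE but no cSHAKE or KMAC, so Keccak-f[1600] and the sponge are implemented here from FIPS 202, cross-checked against hashlib's SHAKE/SHA3, and then the SP 800-185 encodings, cSHAKE256 and KMAC256 are layered on top. The KDF layout at the end (salt as the KMAC key, Z || FixedInfo as the message, customization string "KDF") is this example's assumption in the shape of SP 800-56Cr1's KMAC option, not the draft's wire format, and the shared secret is a constructed stand-in, not a real ECDH output.

```python
"""KMAC256 as a one-shot KDF, built from the sponge up (FIPS 202 + SP 800-185).
Added example: hashlib lacks cSHAKE/KMAC, so the sponge is implemented here
and checked against hashlib's SHAKE/SHA3 before KMAC is built on it."""
import hashlib

MASK64 = (1 << 64) - 1


def rol64(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK64


def keccak_f1600(lanes):
    """Keccak-f[1600] on 25 64-bit lanes; lane (x, y) lives at index x + 5*y."""
    R = 1
    for _ in range(24):
        # theta: XOR each lane with the parity of two neighbouring columns
        C = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20]
             for x in range(5)]
        D = [C[(x + 4) % 5] ^ rol64(C[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ D[i % 5] for i in range(25)]
        # rho and pi: rotate lanes by triangular-number offsets while moving them
        x, y = 1, 0
        current = lanes[x + 5 * y]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            current, lanes[x + 5 * y] = lanes[x + 5 * y], rol64(current, (t + 1) * (t + 2) // 2)
        # chi: the only non-linear step, applied row by row
        for y in range(5):
            T = lanes[5 * y:5 * y + 5]
            for x in range(5):
                lanes[x + 5 * y] = T[x] ^ ((~T[(x + 1) % 5]) & T[(x + 2) % 5])
        # iota: round constant generated by the 8-bit LFSR from the Keccak reference
        for j in range(7):
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                lanes[0] ^= 1 << ((1 << j) - 1)
    return lanes


def keccak_sponge(rate, data, suffix, out_len):
    """Absorb data (domain suffix + pad10*1) at `rate` bytes/block, squeeze out_len bytes."""
    lanes = [0] * 25
    padded = bytearray(data) + bytes([suffix])
    padded += bytes((-len(padded)) % rate)
    padded[-1] |= 0x80
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        lanes = keccak_f1600(lanes)
    out = bytearray()
    while True:  # squeezing: the same permutation yields as many output blocks as asked for
        out += b"".join(l.to_bytes(8, "little") for l in lanes[:rate // 8])
        if len(out) >= out_len:
            return bytes(out[:out_len])
        lanes = keccak_f1600(lanes)


def check_against_hashlib(msg=bytes(range(256)) * 3):
    """SHAKE/SHA3 in hashlib share this sponge; multi-block absorb and squeeze are covered."""
    return (keccak_sponge(136, msg, 0x1F, 500) == hashlib.shake_256(msg).digest(500)
            and keccak_sponge(168, msg, 0x1F, 300) == hashlib.shake_128(msg).digest(300)
            and keccak_sponge(136, msg, 0x06, 32) == hashlib.sha3_256(msg).digest()
            and keccak_sponge(136, b"", 0x06, 32) == hashlib.sha3_256(b"").digest())


# SP 800-185 section 2.3 encodings
def left_encode(x):
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return bytes([len(b)]) + b


def right_encode(x):
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return b + bytes([len(b)])


def encode_string(s):
    return left_encode(8 * len(s)) + s


def bytepad(x, w):
    z = left_encode(w) + x
    return z + bytes((-len(z)) % w)


def cshake256(x, out_len, n=b"", s=b""):
    if not n and not s:
        return keccak_sponge(136, x, 0x1F, out_len)      # plain SHAKE256
    return keccak_sponge(136, bytepad(encode_string(n) + encode_string(s), 136) + x, 0x04, out_len)


def kmac256(key, data, out_len, custom=b""):
    # the key is absorbed as a full first block; L (in bits) is bound into the input
    new_x = bytepad(encode_string(key), 136) + data + right_encode(8 * out_len)
    return cshake256(new_x, out_len, b"KMAC", custom)


def kmac_kdf(shared_secret, fixed_info, key_lengths, salt=b""):
    """One KMAC256 call replaces HKDF Extract+Expand: squeeze sum(key_lengths) PRF bytes, slice.
    Assumed layout (this example's, not the draft's): salt = KMAC key, Z || FixedInfo = message."""
    stream = kmac256(salt, shared_secret + fixed_info, sum(key_lengths), b"KDF")
    keys, off = [], 0
    for n in key_lengths:
        keys.append(stream[off:off + n])
        off += n
    return keys


if __name__ == "__main__":
    z = b"\x9f" * 32                      # constructed stand-in for an ECDH shared secret
    info = b"example-context|HIT-I|HIT-R"  # constructed FixedInfo
    for k in kmac_kdf(z, info, [32, 32, 12]):
        print(k.hex())
```

Two things worth checking before using this as anything but a teaching aid: run the sponge cross-check (hashlib already agrees on SHAKE128, SHAKE256 and SHA3-256 over multi-block input) and then compare `kmac256` against the KMAC sample files NIST publishes alongside SP 800-185. One caveat the code makes visible: because KMAC encodes the requested length L into its input, `kmac256(k, d, 64)[:32]` is unrelated to `kmac256(k, d, 32)`, whereas HKDF-Expand output for a shorter L is a prefix of the longer one. All keys must therefore be derived in one call with the final L (the KMACXOF variant, which encodes L as 0, restores the prefix property if you need it), which is exactly why splitting a single output, as the draft's sec 8.2 proposes, is the right way to use it.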