Re: [Hipsec] Salt for KEYMAT

Robert Moskowitz <rgm@htt-consult.com> Wed, 12 May 2010 20:27 UTC

Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 83F4D3A68F5 for <hipsec@core3.amsl.com>; Wed, 12 May 2010 13:27:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.657
X-Spam-Level:
X-Spam-Status: No, score=-0.657 tagged_above=-999 required=5 tests=[AWL=-0.658, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gd0GUQPij58w for <hipsec@core3.amsl.com>; Wed, 12 May 2010 13:27:53 -0700 (PDT)
Received: from klovia.htt-consult.com (klovia.htt-consult.com [208.83.67.149]) by core3.amsl.com (Postfix) with ESMTP id 73B4B3A6957 for <hipsec@ietf.org>; Wed, 12 May 2010 13:27:52 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by klovia.htt-consult.com (Postfix) with ESMTP id 2C59468CA2; Wed, 12 May 2010 20:21:12 +0000 (UTC)
Received: from klovia.htt-consult.com ([127.0.0.1]) by localhost (klovia.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wz-nd470a1JT; Wed, 12 May 2010 16:21:03 -0400 (EDT)
Received: from nc2400.htt-consult.com (h155.home.htt [208.83.67.155]) (Authenticated sender: rgm@htt-consult.com) by klovia.htt-consult.com (Postfix) with ESMTPSA id F360E68D3E; Wed, 12 May 2010 16:21:02 -0400 (EDT)
Message-ID: <4BEB0F32.2050901@htt-consult.com>
Date: Wed, 12 May 2010 16:27:30 -0400
From: Robert Moskowitz <rgm@htt-consult.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100330 Fedora/3.0.4-1.fc12 Thunderbird/3.0.4
MIME-Version: 1.0
To: Tobias Heer <heer@cs.rwth-aachen.de>
References: <4BEB0A99.6020309@htt-consult.com> <4C1B4F99-6A17-4272-945A-8D9009A3CAD7@cs.rwth-aachen.de>
In-Reply-To: <4C1B4F99-6A17-4272-945A-8D9009A3CAD7@cs.rwth-aachen.de>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: HIP WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Salt for KEYMAT
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 May 2010 20:27:54 -0000

On 05/12/2010 04:16 PM, Tobias Heer wrote:
> Am 12.05.2010 um 22:07 schrieb Robert Moskowitz:
>
>    
>> In draft-krawczyk-hkdf-01.txt:
>>
>>    Ideally, the salt value is a random (or pseudorandom) string of the
>>    length HashLen.  Yet, even a salt value of less quality (shorter in
>>    size or with limited entropy) may still make a significant
>>    contribution to the security of the output keying material; designers
>>    of applications are therefore encouraged to provide salt values to
>>    HKDF if such values can be obtained by the application.
>>
>> Currently KEYMAT uses I&  J which is 128 bits of nonce for the salt.  This is better than nothing; the question is should I&  J be increased in size (Tobias and I have discussed making them 128 bits each), add a nonce HIP parameter, or do something else?  Actually for SHA-384 you would need even a larger salt, so what is the desire here?
>>
>>      
> We had discussed making the salt size (wherever it comes from) depend on the HIT_SUITE. This doesn't work perfectly because the cipher for esp also depends on the shared secret and it is independent from the HIT. Making the dependency work in the other direction (salt length depends on esp suite) isn't correct either. Making it the maximum of both could work but it would be slightly more complicated.

Actually the salt size seems to only be linked to the hash used. 
Currently for HIP that is SHA-1, SHA-256, or SHA-384. This places a salt 
size recommendation of 160, 256, or 384 bits respectively regardless of 
the key sizes pulled out of the Expand phase. So tying this to the 
HIT_SUITE makes sense as this is where the hash used within HIP is 
specified. Just what do we do, make I & J sizes vary with the hash or 
add a HIP parameter to get the additional bits.

Note that making I & J bigger should NOT impact puzzle calculation. That 
is determined by the hash used and the value of K. Or at least that is 
my reading of the puzzle mechanism; those that have actually coded it 
are welcomed to comment.