Re: [http-auth] Definition of SHA256 and SHA512/256 algorithms in RFC 7616

Chaim Geretz <chaim.geretz@idt.net> Thu, 29 December 2016 18:12 UTC

Return-Path: <chaim.geretz@idt.net>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6056129640 for <http-auth@ietfa.amsl.com>; Thu, 29 Dec 2016 10:12:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=idt-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3mByq1gnSJmc for <http-auth@ietfa.amsl.com>; Thu, 29 Dec 2016 10:12:41 -0800 (PST)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB0F4129443 for <http-auth@ietf.org>; Thu, 29 Dec 2016 10:12:41 -0800 (PST)
Received: by mail-oi0-x22b.google.com with SMTP id 128so209410485oig.0 for <http-auth@ietf.org>; Thu, 29 Dec 2016 10:12:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=idt-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kNuMyD3kpahEgAxk3L0wKgycvoArpOnKTzh0YDqHpzM=; b=ufb0SKh+u35mZZ/cA5lfbRZo6sCUlCcmgbui+VQJr3xuR2/69OIGKFVK9YfXP96Pqy vQMm85CqOYszlckpYj4goriPorZn8xwTNxvjeRKlB/laPMW31CGRFTZSKa491/A0Wg40 Kvv9c26JRFuhPuudrcnWDIUse+vK7rAgk+w37KPLozogzffDusmqyVxgyQl6olknYkc0 Ppzagn9N2mgMdyOMC1WXf1SQN5DpmYyjGeH3Wu623uqaV9SS/2rVvPAXs/95TSjEBBeD YDKcsqpQABQMtWQemL2FXER0g7rn9Zqyby7luIR5k8JrLcSXALUPFnV/JjgbXs7Ru8Dp 2e5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kNuMyD3kpahEgAxk3L0wKgycvoArpOnKTzh0YDqHpzM=; b=Yi1B/ywV0H5HWk9HhQNpzYYw6/Ks+hvR/DI4dzb6cknn7FJoSf6QnYEFTuNe7EL3Et gWtHdhYn6s87Lr71VJbFBeQqatHd7ADim0/cSm4qVV+VkXvkaUXgp5Y3KOv/UXTz8Ofg G1JMW40UeEwXa8ptWvXmUIbkX46dJDlvjIr6/84W/4D22dvRnCUCVGBbsP2zUSi+3u2e zX8vsafHBWeGVUUXbKURK4fHyix7FAlAEPEimN78XX3i1e/iTkqdr/0G9iBbGN5IHAhk xax2xRl6A+Q19DSk6nSo7ZmPtk8lpNk4QoIJOLQTlF78JQA+8w2EHxOdbhaxVBC5+jLr uDNw==
X-Gm-Message-State: AIkVDXLSzZT7625tY5XYn+/8u0jfth6ruWsKKzdMc+ffU9vLd8qKvagnHGtCGtkBM5BWfyO+AROj9Pjp8g3wPVOs
X-Received: by 10.157.9.249 with SMTP id 54mr22687505otz.157.1483035161030; Thu, 29 Dec 2016 10:12:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.9.153 with HTTP; Thu, 29 Dec 2016 10:12:20 -0800 (PST)
In-Reply-To: <VI1PR07MB12649529192F4587ECB6CAF3856B0@VI1PR07MB1264.eurprd07.prod.outlook.com>
References: <CAP-tQRitZ6xfFWZA00S3xfnaGaCjOgtaxyO2ZW-DQgDX7+MN1Q@mail.gmail.com> <VI1PR07MB12649529192F4587ECB6CAF3856B0@VI1PR07MB1264.eurprd07.prod.outlook.com>
From: Chaim Geretz <chaim.geretz@idt.net>
Date: Thu, 29 Dec 2016 13:12:20 -0500
Message-ID: <CAP-tQRjKQOohQ0UyMAFPjZO=SupftpyDjTXuExNq9DKO-ybfyA@mail.gmail.com>
To: Sophie Bremer <sophie.bremer@netzkonform.de>
Content-Type: multipart/alternative; boundary="001a1134f50ef686940544d00738"
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/Gk3Hbidsnd6eQcBBNRlUERAFuaQ>
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Definition of SHA256 and SHA512/256 algorithms in RFC 7616
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Dec 2016 18:12:43 -0000

Sophie,

Thanks for your response

> The linked IANA registry for the hash algorithms clarifies the use as in
FIPS 180-3.

The reference to FIPS 180-3 is only for the HTTP Digest Algorithm
Values SHA-256
and SHA-512.

http://www.iana.org/assignments/http-dig-alg/http-dig-alg.txt does not
include any specification information for SHA-512-256 save for a pointer to
RFC 7616.

Chaim


On Thu, Dec 29, 2016 at 12:43 PM, Sophie Bremer <
sophie.bremer@netzkonform.de> wrote:

> Hi Chaim,
>
> thank you for pointing this out!
> It explains some problems I had myself with the implementation for proxy
> servers.
>
> > Am 28.12.2016 um 20:19 schrieb Chaim Geretz <chaim.geretz@idt.net>:
> >
> > Greetings,
> >
> > I think that RFC 7616 needs to define or point to a document describing
> how the various hash algorithms mentioned in Section 3.2 are to be
> implemented.
>
> The linked IANA registry for the hash algorithms clarifies the use as in
> FIPS 180-3.
> On the other hand the registry may change in the future and so the
> definition of the algorithm value too.
> If this is a possible scenario, I agree with you.
> I like to see more opinions for this proposal.
>
> > Inspecting the values used in Section 3.9.2 for userhash and response
> shows that they are generated by truncating the hex output of a sha512 hash
> to the initial 64 hex characters.
>
> You are right.
>
> > If this is the desired implementation of SHA512/256 then this should be
> mentioned in the RFC.
>
> The example is not in sync with the IANA registry and has to be updated.
>
> > If the intention is to use SHA512/256 as described in FIPS 180.4 then
> this should be mentioned, and the values changed to
> userhash="793263caabb707a56211940d90411ea4a575adeccb7e360aeb624ed06ece9b0b"
> and response="3798d4131c277846293534c3edc11bd8a5e4cdcbff78b05db9
> d95eeb1cec68a5"
>
> I will look into your provided values and clarify/correct the example.
>
> Once again, thank you for this catch!
>
> Best Regards,
> Sophie
>