[http-auth] Definition of SHA256 and SHA512/256 algorithms in RFC 7616

Chaim Geretz <chaim.geretz@idt.net> Wed, 28 December 2016 19:19 UTC

Return-Path: <chaim.geretz@idt.net>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A5D8129564 for <http-auth@ietfa.amsl.com>; Wed, 28 Dec 2016 11:19:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=idt-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o3iEjiJvH97E for <http-auth@ietfa.amsl.com>; Wed, 28 Dec 2016 11:19:42 -0800 (PST)
Received: from mail-oi0-x22f.google.com (mail-oi0-x22f.google.com [IPv6:2607:f8b0:4003:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C6A312945D for <http-auth@ietf.org>; Wed, 28 Dec 2016 11:19:42 -0800 (PST)
Received: by mail-oi0-x22f.google.com with SMTP id v84so379123701oie.3 for <http-auth@ietf.org>; Wed, 28 Dec 2016 11:19:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=idt-net.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=xxgD71ss3ZbovkSvV40YABLjDPGh4G5ess281/Kzjro=; b=muG9R2XD10iHbss4avpF3LrkZIr5PmbpX61RAiup/EdlE6KXJLXcPj29R1F6Ds5LMs 6a4TE8m5/a3WntYyJNm14oS2FnglhLnWvFKc3a1CWZTju7UPO+sRZ0G40QRM0AXGi6rG 690hBYFMksW7mmRCFzdlvLjLM1mH5YKmTvdXDCHcZ1C49ZWyZs7s63R6koycOgXmhvVG J4p23TarvwCx3Mo2cgzecGvVhiD3FSiKgUzvqjoGOF940ISqDNJ6SNaoPAnkwqXz8GKS AEeFikEj2B+ogiQHTShqVkST4KgUMWIPdcFD8CZnWLdbOJ1c8EIzVIPhEf7o7vMIkR06 NwRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=xxgD71ss3ZbovkSvV40YABLjDPGh4G5ess281/Kzjro=; b=mjhHgMxwb6uSI/BdoPjrKYIS16UajO+ULobQhIC7ruYZnbDqUrq8sOV6/nuxMOrQCX PNe8b6C/mD+lohKFXArIEzBeRRtA7AOTttfrOvEFMgXhX+UiTgV2qnbm6jOKk9liXWYj 7f6TRQCjyzd4WfBvVKKhIvwJfgLShI6y3OSIgiZ+qvw1vMFNqh3iwYAG6Zq4/KnPUBaA TLGrCgwyliamKZMheHgSCEv2RFLs1Vov1g1u980Jhl36kIITyZWcnvSF0tiwn3qSsVzB gk4NqWjjlNgzEs7LEtOkqETOYyKvpio/PSYVHPW67RdM9qDJkIDnqaf8HZ80sY0Oavl/ TOEg==
X-Gm-Message-State: AIkVDXIxEc/ydWDYDcVCS8FcN57OAAEQGack98uJQQDG6ycJo7N9qaAk9EZxMvAwtPsboIlEv/lv02WAYtAPi0kX
X-Received: by 10.202.240.195 with SMTP id o186mr18732817oih.28.1482952781488; Wed, 28 Dec 2016 11:19:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.9.153 with HTTP; Wed, 28 Dec 2016 11:19:21 -0800 (PST)
From: Chaim Geretz <chaim.geretz@idt.net>
Date: Wed, 28 Dec 2016 14:19:21 -0500
Message-ID: <CAP-tQRitZ6xfFWZA00S3xfnaGaCjOgtaxyO2ZW-DQgDX7+MN1Q@mail.gmail.com>
To: http-auth@ietf.org
Content-Type: multipart/alternative; boundary=94eb2c096318c277560544bcd95f
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-auth/mSghM0Y8akYjhygZFUYJHdgeMvg>
X-Mailman-Approved-At: Wed, 28 Dec 2016 11:53:08 -0800
Subject: [http-auth] Definition of SHA256 and SHA512/256 algorithms in RFC 7616
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Dec 2016 19:19:44 -0000

Greetings,

I think that RFC 7616 needs to define or point to a document describing how
the various hash algorithms mentioned in Section 3.2 are to be implemented.

Inspecting the values used in Section 3.9.2 for userhash and response shows
that they are generated by truncating the hex output of a sha512 hash to
the initial 64 hex characters.

If this is the desired implementation of SHA512/256 then this should be
mentioned in the RFC.

If the intention is to use SHA512/256 as described in FIPS 180.4 then this
should be mentioned, and the values changed to
userhash="793263caabb707a56211940d90411ea4a575adeccb7e360aeb624ed06ece9b0b"
and response=
"3798d4131c277846293534c3edc11bd8a5e4cdcbff78b05db9d95eeb1cec68a5"

Chaim Geretz