Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsis-nslp-auth-06
RJ Atkinson <rja.lists@gmail.com> Mon, 20 September 2010 15:08 UTC
Return-Path: <rja.lists@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 161433A69F7 for <ietf@core3.amsl.com>; Mon, 20 Sep 2010 08:08:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.991
X-Spam-Level:
X-Spam-Status: No, score=-1.991 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599, J_CHICKENPOX_91=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y00oaekLdO7F for <ietf@core3.amsl.com>; Mon, 20 Sep 2010 08:08:55 -0700 (PDT)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by core3.amsl.com (Postfix) with ESMTP id AEC6D3A69D2 for <ietf@ietf.org>; Mon, 20 Sep 2010 08:08:55 -0700 (PDT)
Received: by qyk1 with SMTP id 1so2959142qyk.10 for <ietf@ietf.org>; Mon, 20 Sep 2010 08:09:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:content-type :content-transfer-encoding:subject:date:message-id:to:mime-version :x-mailer; bh=+rjh46H8HrBjWrMVqr5gPysVDkjFKLPMmlb8lSd/3YU=; b=Yc7PIyHApQLjC14t+AsUEG1iBPQ3x0pNKGDmjYhfALqhWL7RrX4hgzKPdkuYOp8DkW Saqfko8E293iLZYJEQTimjpRjv1H3lQBYKO6sZyFgJVaGYyh08WJLmxyx68uAozc2cLw p13KketaWoXTtuHsLkv+QV2KtyU7e+WXd+8NY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:content-type:content-transfer-encoding:subject:date:message-id :to:mime-version:x-mailer; b=m1uEEUYEUKAPhIQnx2satjG8ZK1o4FRawoBLQCo5a16iy1Z8AlJ2LJFO3zsXZDtPx/ i4Op5cwZwMs94xNhHrU6SDaw5ZqKreScciUl+SDOC2TMGB6ndogpw5iEHfXva4rhG3tn 41D0rGSCtiauYzIhnK4kUMBIvnKPL02lYkKhE=
Received: by 10.229.251.16 with SMTP id mq16mr6233304qcb.118.1284995359258; Mon, 20 Sep 2010 08:09:19 -0700 (PDT)
Received: from [10.30.20.5] (pool-96-225-170-25.nrflva.fios.verizon.net [96.225.170.25]) by mx.google.com with ESMTPS id q8sm7671550qcs.24.2010.09.20.08.09.18 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 20 Sep 2010 08:09:18 -0700 (PDT)
From: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsis-nslp-auth-06
Date: Mon, 20 Sep 2010 11:09:16 -0400
Message-Id: <E03C0F11-1608-4193-8630-F69FDA79F4D8@gmail.com>
To: ietf@ietf.org
Mime-Version: 1.0 (Apple Message framework v1081)
X-Mailer: Apple Mail (2.1081)
X-Mailman-Approved-At: Mon, 20 Sep 2010 14:39:24 -0700
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Sep 2010 15:08:57 -0000
Data: In the most recent round of updates to interior routing cryptographic authentication, the collective conclusion was that HMAC-SHA-256 would be best for "mandatory" implementation, as it likely has the longest lifetime of the widely available (mode + algorithm) combinations. [RFC-5709, Section 3] The DNSsec specifications also seem to have settled upon SHA-256, rather than some different or shorter hash algorithm. [RFC-4509, Section 6.2] [RFC-5702, Section 8.1] A number of large commercial/financial/governmental users mandate that commercial products use cryptographic algorithms, modes, and implementations that have been approved/successfully evaluated under NIST FIPS-140. This creates a marketplace incentive to have/use NIST-compliant modes/algorithms, at least as openly specified implementation options for IETF protocols. [http://csrc.nist.gov/groups/STM/cavp/index.html] Identified weaknesses in MD5 don't necessarily apply to Keyed-MD5 or HMAC-MD5 **as used for datagram authentication by IETF interior routing protocols**. [RFC-5310, Section 1, Paragraph 7] [RFC-5709, Section 4, 2nd Paragraph] The recent round of IGP authentication updates provides a range of algorithm alternatives, particularly including the SHA family. [RFC-4822, RFC-5304, RFC-5310, RFC-5709] Those weaknesses in MD5 and also in SHA-1 reportedly *are* problematic in some other uses (e.g. X.509v3/PKIX certificates). [See references Wang04, Wang05, RR07, and RR08 in RFC-5709 for more information.] [RFC-5702] While the discussion in [RFC-4270] is valuable, at this point, nearly 5 years later, it necessarily is significantly incomplete. The sundry references into the published research literature cited in [RFC-5709] are also worth reading. NIST announced a "cryptographic hash algorithm competition" more than 2 years ago to seek a replacement for SHA-2. While this replacement will be known as SHA-3, it will not necessarily be related mathematically to the SHA-1/2 algorithm family. [http://csrc.nist.gov/groups/ST/hash/sha-3/index.html] Opinion: There probably is some value in having an open specification for less computationally intense "optional" (mode + algorithm)s, for example HMAC-MD5 or HMAC-SHA1. Obviously that ought to be optional-to-implement, but it likely would be useful for network operators (of any kind: educational, ISP, enterprise, other) to be able to make appropriate site-specific tradeoffs about which algorithm to deploy locally. For example, threat environments reportedly vary widely from one site to another. HMAC is generally preferred to Keyed, primarily because (A) it has some formal mathematics behind it and (B) HMAC is approved under NIST FIPS-140.[FIPS-198] [See above for why FIPS-140 matters commercially.] The IETF Security Area appears to be looking at other approaches (i.e. beyond SHA-2) as it thinks about future directions for cryptographic authentication. For example, one option specified in [RFC-5926] is AES-CMAC. Caveat: I am neither a mathematician nor a cryptographer. I'm simply reporting the results of a literature search, both in the research literature and in the always useful rfc-index.txt. > On 9th Sept 2010 at 16:56, Russ Housley wrote: >> Will any implementations be impacted? If not, we should ask the >> Security ADs for their best suggestion. On 9th Sept 2010 at !9:51, Roland Bless wrote: > At least we have one implementation, but it's nothing that > we couldn't change easily. So getting advice from the security > ADs would be good. RFC4270 recommends to change to > HMAC-SHA-256+, but I don't know whether there exist already better > alternatives.
- Gen-ART LC Review of draft-ietf-nsis-nslp-auth-06 Ben Campbell
- Re: Gen-ART LC Review of draft-ietf-nsis-nslp-aut… Roland Bless
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Russ Housley
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Roland Bless
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… Lars Eggert
- Re: [Gen-art] Gen-ART LC Review of draft-ietf-nsi… RJ Atkinson