IETF Logo Mail Archive

Re: Fw: [Ipsec] I-D ACTION:draft-kelly-ipsec-ciph-sha2-00.txt

"Scott G. Kelly" <s.kelly@ix.netcom.com> Fri, 29 September 2006 21:22 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GTPoP-0004oH-UH; Fri, 29 Sep 2006 17:22:25 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GTPoO-0004oC-D5 for ipsec@ietf.org; Fri, 29 Sep 2006 17:22:24 -0400
Received: from elasmtp-kukur.atl.sa.earthlink.net ([209.86.89.65]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GTPoM-0006dI-F8 for ipsec@ietf.org; Fri, 29 Sep 2006 17:22:23 -0400
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=hbLzbBWbUjnQuQ9wgv04f4o5YE/RfBSrZ28fa/s1isTRWNRNbflzKB0OgRrLLIIB; h=Message-ID:Date:From:Reply-To:To:Subject:Cc:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
Received: from [209.86.224.53] (helo=elwamui-wigeon.atl.sa.earthlink.net) by elasmtp-kukur.atl.sa.earthlink.net with asmtp (Exim 4.34) id 1GTPoB-0008Ie-R5; Fri, 29 Sep 2006 17:22:11 -0400
Received: from 75.32.19.206 by webmail.pas.earthlink.net with HTTP; Fri, 29 Sep 2006 17:22:11 -0400
Message-ID: <31324918.1159564931917.JavaMail.root@elwamui-wigeon.atl.sa.earthlink.net>
Date: Fri, 29 Sep 2006 17:22:11 -0400
From: "Scott G. Kelly" <s.kelly@ix.netcom.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: Fw: [Ipsec] I-D ACTION:draft-kelly-ipsec-ciph-sha2-00.txt
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: EarthLink Zoo Mail 1.0
X-ELNK-Trace: 5b98cdd91c374dcd776432462e451d7bd15d05d9470ff7101e722121a44b6f920ac8d04312deb141350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 209.86.224.53
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: ipsec list <ipsec@ietf.org>
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "Scott G. Kelly" <scott@hyperthought.com>
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Errors-To: ipsec-bounces@ietf.org

Hi Steve,

Thanks for the quick and detailed review.  Responses inline...

>I found 2.1.1 + 2.1.2 confusing.  2.1.1 says you can't have keys of other
>than length 256.  I might quarrel with that -- I'd definitely have used
>SHOULD NOT instead of MUST NOT -- but 2.1.2 tells you what to do if your
>key isn't 256 bits long.  I perceive no increase in security from padding
>a short key with zeros, nor do I understand why it's better to do a
>SHA-256 reduction on a long key before using it with HMAC rather than
>simply using the longer key directly.  And the notion of a variable key
>length function where the variable is constrained to exactly one value is
>a bit strange.

Part of the confusion probably derives from trying to combine PRF functionality into the same doc with authentication/integrity functionality (the latter of which was already in the doc), yet maintain differing requirements for the keys. Maybe that was a mistake. The intent was that for integrity/auth, you have to use a fixed length, as RFC2104 explicitly recommends against shorter keys, and this lanuage is consistent with RFC2403 and the other HMAC RFCs.

We added the PRF support after that text was written (rather than writing a separate doc), and in the interest of flexibility, chose to allow variable length keys.  I'm wondering now if that was a mistake, and we should have had a single position on key sizes. That would definitely simplify things.

As for padding short keys, it certainly adds no security. It is there to explicitly tell implementors what to do (so they don't instead hash the key, and use the output). It's called out for the sake of interoperability. 

As for using longer keys, I see now that I misread this line in 2104:

"Applications that use keys longer than B bytes will first hash the key using H and then use the resultant L byte string as the actual key to HMAC."

'B' refers to the block size (in this case, 512 bits), but I was thinking of 256 bits, in which case you would simply hash the key and use the output. Definitely my mistake, and I will fix this in the next rev.

>You might want to cite RFC 4634 as an Informative reference, since it has
>code, and 4231 since it also gives definitions and code points for other
>uses of HMAC-SHA-256.

Okay.

>Stepping back a bit, I personally would rather see a single RFC describing
>how to use a number of different hash functions with HMAC.  I could almost
>use a set of text editor substitution patterns to change this draft from
>SHA-256 to SHA-384 or SHA-512.  The core of such a document would be a
>table listing acceptable key sizes and truncation sizes for each function
>considered.  An appendix could list test vectors.

Russ just mentioned that NSA-B requires SHA-384 support, and I was looking at the draft to see if that could be cleanly dropped in - this might be one way to do it.  If there is general support for this approach, we can look at what it would take to re-spin the doc.

Thanks again for the review,

Scott



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email