Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-sha2-06

Benjamin Kaduk <kaduk@MIT.EDU> Tue, 21 April 2015 00:33 UTC

Date: Mon, 20 Apr 2015 20:32:55 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Michael Peck <mpeck1@gmail.com>
In-Reply-To: <55353646.2020009@mit.edu>
Message-ID: <alpine.GSO.1.10.1504202029181.22210@multics.mit.edu>
References: <alpine.GSO.1.10.1503301227280.22210@multics.mit.edu> <alpine.GSO.1.10.1504171407190.22210@multics.mit.edu> <CAKbsn2L9Ebo4JmAC=3PNdwm+ZtazvYcDdmT16M7W7mdk1qi-QA@mail.gmail.com> <55353646.2020009@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/-YUSLIlO58jPaSau0pjc2hG0YXA>
Cc: kitten@ietf.org

On Mon, 20 Apr 2015, Greg Hudson wrote:

> On 04/20/2015 11:56 AM, Michael Peck wrote:
> > Our draft's current practice of truncating the pseudo-random function
> > output to 128 bits (for enctype aes128-cts-hmac-sha256-128) and 256 bits
> > (for enctype aes256-cts-hmac-sha384-192) rather than providing the full
> > HMAC output has the benefit of discouraging misuse of the output.  If
>
> To the best of my knowledge, all current users of the RFC 3961 PRF have
> a fixed amount of desired output, and iterate and truncate the PRF
> function to produce the number of desired bytes.  See the definitions of
> PRF+ in RFC 4402 and RFC 6112.

I'm trimming most of the mail, but I agree with everything Greg said.  The
RFC 3961 pseudo-random function is basically only useful as a building
block for a PRF+ construction, given that different enctypes are permitted
to (and do!) output different length pseudo-random output.

-Ben
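Added illustration of the point in this message; it is not code from the thread, from the draft, or from any Kerberos implementation. It shows the generic iterate-and-truncate PRF+ shape (T_n = prf(key, n || seed), output truncated to the requested length) wrapped around enctype PRFs of different native output lengths. Assumptions: prf_128 and prf_256 are constructed stand-ins that merely have the 128-bit and 256-bit output lengths named above (HMAC-SHA-256 and HMAC-SHA-384, truncated), not the draft's actual PRF definitions; the counter's byte width and starting value are parameters rather than hard-coded, because the RFCs that define PRF+ do not all encode the counter identically, so set them to what the specification you implement mandates.

```python
import hashlib
import hmac
from typing import Callable

Prf = Callable[[bytes, bytes], bytes]


def prf_128(key: bytes, octet_string: bytes) -> bytes:
    # Constructed stand-in with the 128-bit output length the thread assigns
    # to aes128-cts-hmac-sha256-128.  Assumption: HMAC-SHA-256 truncated to
    # 16 bytes; this is NOT the draft's actual PRF definition.
    return hmac.new(key, octet_string, hashlib.sha256).digest()[:16]


def prf_256(key: bytes, octet_string: bytes) -> bytes:
    # Constructed stand-in with the 256-bit output length the thread assigns
    # to aes256-cts-hmac-sha384-192.  Same caveat: HMAC-SHA-384 truncated
    # to 32 bytes, not the draft's definition.
    return hmac.new(key, octet_string, hashlib.sha384).digest()[:32]


def prf_output_len(prf: Prf) -> int:
    """Learn an enctype PRF's native output length by calling it once."""
    return len(prf(b"\x00" * 16, b""))


def iterations_needed(prf: Prf, length: int) -> int:
    """Number of PRF invocations PRF+ makes to produce `length` bytes."""
    block = prf_output_len(prf)
    return -(-length // block)  # ceiling division


def prf_plus(prf: Prf, key: bytes, seed: bytes, length: int,
             counter_width: int = 4, counter_start: int = 1) -> bytes:
    """Generic iterate-and-truncate PRF+ over an RFC 3961-style PRF:

        T_n = prf(key, n || seed)
        PRF+(key, length, seed) = truncate(length, T_1 || T_2 || ...)

    counter_width (bytes, big-endian) and counter_start are parameters:
    the specifications defining PRF+ do not all encode the counter the
    same way, so use the values the RFC you are implementing mandates.
    """
    if length < 0:
        raise ValueError("length must be non-negative")
    if counter_width < 1 or counter_start < 0:
        raise ValueError("bad counter parameters")
    out = bytearray()
    n = counter_start
    while len(out) < length:
        # A counter that no longer fits its width means the caller asked
        # for more output than this encoding can address: fail closed
        # rather than silently wrap and repeat PRF blocks.
        if n >= 1 << (8 * counter_width):
            raise ValueError("PRF+ counter exhausted")
        out += prf(key, n.to_bytes(counter_width, "big") + seed)
        n += 1
    return bytes(out[:length])


if __name__ == "__main__":
    key = bytes(range(16))          # constructed key
    seed = b"constructed seed"      # constructed octet-string input
    for name, prf in (("128-bit PRF", prf_128), ("256-bit PRF", prf_256)):
        print(name, "native output", prf_output_len(prf), "bytes;",
              "48-byte request needs", iterations_needed(prf, 48), "calls")
        print("  PRF+ ->", prf_plus(prf, key, seed, 48).hex())
```

The two consumers only ever see the requested number of bytes; the PRF's native output length changes how many times the loop runs, not the interface. Note that the prefix property (a shorter request is a prefix of a longer one with the same key and seed) holds by construction, which is exactly why a caller must never reuse a seed for two different purposes.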