Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
Jeffrey Altman <jaltman@secure-endpoints.com> Tue, 28 June 2016 11:58 UTC
Return-Path: <prvs=19870317dd=jaltman@secure-endpoints.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A09D12DE3E for <kitten@ietfa.amsl.com>; Tue, 28 Jun 2016 04:58:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=secure-endpoints.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LgEExj40LiWH for <kitten@ietfa.amsl.com>; Tue, 28 Jun 2016 04:58:56 -0700 (PDT)
Received: from sequoia-grove.secure-endpoints.com (sequoia-grove.ad.secure-endpoints.com [208.125.0.235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACC8F12DE34 for <kitten@ietf.org>; Tue, 28 Jun 2016 04:58:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=secure-endpoints.com; s=MDaemon; t=1467115113; x=1467719913; i=jaltman@secure-endpoints.com; q=dns/txt; h=VBR-Info:Subject:To: References:Cc:From:Openpgp:Organization:Message-ID:Date: User-Agent:MIME-Version:In-Reply-To:Content-Type; bh=H0PzHdYMGaV 482z1BYCJhUS+/bhpt4tVfIPx/7kZGAw=; b=AsyLy7gizkaUToLnARJrv6hhuqx S6IlpJc1Sytb8MfN+X1sPM1nPC0IvZC8NFb2JIzq2kcmUG7iluhjAWd0sukU+lsU hSRiXlmhX5KEA8IRLZcrryPo5ujhgeGZ1ekp8FAVw10KMxT3NuffP/TAl0lRHSC0 Wp3Re2wSdnoeWFFk=
X-MDAV-Result: clean
X-MDAV-Processed: sequoia-grove.secure-endpoints.com, Tue, 28 Jun 2016 07:58:33 -0400
X-Spam-Processed: sequoia-grove.secure-endpoints.com, Tue, 28 Jun 2016 07:58:32 -0400
Received: from [x.x.x.x] by secure-endpoints.com (Cipher TLSv1:AES-SHA:256) (MDaemon PRO v16.0.3) with ESMTPSA id md50001110180.msg for <kitten@ietf.org>; Tue, 28 Jun 2016 07:58:31 -0400
VBR-Info: md=secure-endpoints.com; mc=all; mv=vbr.emailcertification.org;
X-MDArrival-Date: Tue, 28 Jun 2016 07:58:31 -0400
X-Authenticated-Sender: jaltman@secure-endpoints.com
X-Return-Path: prvs=19870317dd=jaltman@secure-endpoints.com
X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: kitten@ietf.org
To: Luke Howard <lukeh@padl.com>, Benjamin Kaduk <kaduk@MIT.EDU>
References: <alpine.GSO.1.10.1606261730110.18480@multics.mit.edu> <CAC2=hncg3HftSt4JPz0ZT6+wtrKd1zSdoc+jPhStHvf4ZtwaqQ@mail.gmail.com> <alpine.GSO.1.10.1606272147210.18480@multics.mit.edu> <677848B0-17A4-47A6-93EB-F9939654DBAC@padl.com>
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Openpgp: id=FA444AF197F449B24CF3E699F77A735592B69A04; url=http://pgp.mit.edu
Organization: Secure Endpoints Inc.
Message-ID: <12304a67-7cd8-9010-7164-abfd0a47d0d4@secure-endpoints.com>
Date: Tue, 28 Jun 2016 07:58:23 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <677848B0-17A4-47A6-93EB-F9939654DBAC@padl.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms000002040606020708070807"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/6NLj7PU9DG6AI9YJD__Ld-rof54>
Cc: kitten@ietf.org, draft-ietf-kitten-aes-cts-hmac-sha2@tools.ietf.org
Subject: Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2016 11:58:59 -0000
+1 On 6/28/2016 3:21 AM, Luke Howard wrote: > I reckon let's do it "properly" even if at the expense of redundant text. > > Sent from my iPhone > >> On 28 Jun 2016, at 11:49, Benjamin Kaduk <kaduk@MIT.EDU> wrote: >> >> Thanks, Michael. >> >> If the WG does want to treat the PRF octet-string input as a SP800-108 >> context and use a zero-byte separator, it seems like the "quick-and-dirty" >> patch would be to just stick one in after "prf" and then there would be >> another (somewhat superfluous) one appended after the octet-string by >> KDF-HMAC-SHA2. That might be easier than essentially inlining the >> definitino of KDF-HMAC-SHA2 for just the PRF calculation. >> >> -Ben >> >>> On Mon, 27 Jun 2016, Michael Jenkins wrote: >>> >>> Ben, >>> >>> we'll get started on these. >>> >>>> On Sun, Jun 26, 2016 at 11:03 PM, Benjamin Kaduk <kaduk@mit.edu> wrote: >>>> >>>> Hi Michael et al, >>>> >>>> As I was preparing the shepherd writeup for this document, I noticed some >>>> things that do not block the progression of the document but do require >>>> changes, and one item that may require further WG input. Can you prepare >>>> a new version with the changes mentioned below? >>>> >>>> The one item which would potentially affect the actual protocol: at the >>>> end of Section 5, the pseudo-random function seems to be using a SP800-108 >>>> KDF but omits the zero byte between label and context. I think it would >>>> be better to have the zero byte -- do you remember whether there was a >>>> reason to omit it? (Adding the zero byte would require re-rolling some >>>> test vectors, to be clear.) >>>> >>>> Additionally, all document authors will need to confirm compliance with >>>> BCPs 78 and 79 for this document, namely that there are no intellectual >>>> property concerns with the document that are not already disclosed. >>>> >>>> Please add a normative reference to RFC 2104 for HMAC, first mentioned at >>>> the end of Section 1. >>>> >>>> In Section 3, it might aid clarity to mention that the 0x00000001 input to >>>> HMAC() is the 'i' parameter from SP800-108 [indicating that this is the >>>> first block of output, even though it is the only block of output as >>>> well]. >>>> >>>> In Section 4, it might be worth re-mentioning "where PBKDF2 is the >>>> function of that name from RFC 2898" after the algorithm block, since most >>>> everything else used there also gets clarified. (It is already cited at >>>> the beginning of the section, in the overview paragraph.) >>>> >>>> The document should be consistent about using "cipher state" as one word >>>> or two (RFC 3961 prefers the two-word form). It also makes a rather >>>> sudden appearance at the beginning of Section 5 with no explanatory >>>> introduction; it might help the reader to instead start with "The RFC 3961 >>>> cipher state that maintains cryptographic state across different >>>> encryption operations using the same key is used as the formal >>>> initialization vector [...]" On the next page, "cipherstate" is defined as >>>> "a 128-bit initialization vector derived from the ciphertext", which is >>>> potentially misleading, since it can't be both used as the IV for and >>>> derived from the same ciphertext! Probably it's better to say "derived >>>> from a previous (if any) ciphertext using the same encryption key, as >>>> specified below". >>>> >>>> Still in Section 5, in the definition of the encryption function (well, >>>> computing the cipherstate, really), I'm of two minds whether it's worth >>>> mentioning that the case of L < 128 is impossible because of the 128-bit >>>> confounder. >>>> >>>> In the decryption function, can you add a note to the right of "(C, H) = >>>> ciphertext" that "[H is the last h bits of the ciphertext]"? >>>> >>>> In the pseudo-random function, please replace "base-key" with "input-key", >>>> since the key input to the PRF is not expected to be a kerberos protocol >>>> long-term base key. >>>> >>>> In Section 6, the "associated cryptosystem"s are supposed to be >>>> "AES-128-CTS" or "AES-256-CTS", but those strings do not appear elsewhere >>>> in the document. While the meaning is pretty clear, it's probably better >>>> to just say "aes128-cts-hmac-sha256-128 or aes256-cts-hmac-sha384-192 as >>>> appropriate". This does duplicate the preceding text, but we do want to >>>> explicitly list the "associated encryption algorithm" as listed in the >>>> Checksum Algorithm Profile of Section 4 of RFC 3961. >>>> >>>> In Section 8.1, the acronym "TGT" is used, the only instance in the >>>> document. It's also potentially misleading, since ticket-granting tickets >>>> are generally objects that are issued to client principals by the AS. >>>> I'd go with "Cross-realm krbtgt keys" instead. >>>> >>>> The test vectors for key derivation have a parenthetical "constant = >>>> 0x...", but the term "constant" does not appear elsewhere in the document. >>>> The hex values are the label input for the HMAC, so we should call them >>>> that. >>>> >>>> >>>> Thanks, >>>> >>>> Ben >>> >>> >>> >>> -- >>> Mike Jenkins >>> mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk >>> m.jenkins.364706@gmail.com - to read everywhere >>> 443-634-3951 >> >> _______________________________________________ >> Kitten mailing list >> Kitten@ietf.org >> https://www.ietf.org/mailman/listinfo/kitten > > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten >
- Re: [kitten] shepherd review of draft-aes-cts-hma… Jeffrey Altman
- Re: [kitten] shepherd review of draft-aes-cts-hma… Matt Miller (mamille2)
- Re: [kitten] shepherd review of draft-aes-cts-hma… Stephen Farrell
- Re: [kitten] shepherd review of draft-aes-cts-hma… Jeffrey Altman
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- Re: [kitten] shepherd review of draft-aes-cts-hma… Michael Jenkins
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- [kitten] shepherd review of draft-aes-cts-hmac-sh… Benjamin Kaduk