Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
Michael Jenkins <m.jenkins.364706@gmail.com> Mon, 27 June 2016 15:00 UTC
Return-Path: <m.jenkins.364706@gmail.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB13012D89A for <kitten@ietfa.amsl.com>; Mon, 27 Jun 2016 08:00:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FieZ5bHloI5A for <kitten@ietfa.amsl.com>; Mon, 27 Jun 2016 08:00:14 -0700 (PDT)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C3AB12D80C for <kitten@ietf.org>; Mon, 27 Jun 2016 07:53:57 -0700 (PDT)
Received: by mail-lf0-x22d.google.com with SMTP id f6so157758696lfg.0 for <kitten@ietf.org>; Mon, 27 Jun 2016 07:53:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=qSLHeNb8NREEZW9y+4GhLcEQY06jdwrzDVcs0gtcOrE=; b=doZuvF+Ty+a4tV7aVh5wcwkgbOgITCWko/kAJDl88ASMW7GE48/X1JnWCTyNEZ0dkM 7aIcTHFqllyu771bssjncHZbTb+LDNPN10MY7SnGctU5tNzs1LD9AOoycMfwkqemqlEZ BLdobCmTGDXq7LjpKAYUHA0FKLpUXP7YDfy7Fz1XbFEm9BV1YEYq2vHmfagQ3AGcit63 AhEb6rOvuBeJ5+6Ww4wV3CfDOK2r1b97c7DIU3ghWlI0LeeygNTjpulrIxjLmwfAglrJ RTfHPjRmx+FO3rzVngG8VeDSaj9qNgwKDEEn9oIHxKf6TLr0SAulX1f5ZbQUpBOy3B/e b2NA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=qSLHeNb8NREEZW9y+4GhLcEQY06jdwrzDVcs0gtcOrE=; b=fHNA0tWDJgVoqz5SjcNjJ7URhe+FwqYIfjh5tqI7LlOwe+zW7nCpuOnSjTEQDYhlEK J/rb7sE5+8H6N5qTQAhC4D8f6OoVngzB2BiZfNq7JllJ5LcKEMG/1bij9TqzHdMbu0yr KztcP7JtVVDp/UAqRojIrpTeE6apWcH1uNkzab6uS12g+iY4F4PSZvJh3JYJsh/UD6PC VxhSsNaWX5+16PtzeIkIhCSPcxK5AXR0UTiDaCaZ109/F/CWUMf1EzDc3sMso6hrOD61 BP0X08K1PV5U8+1vYRdN6m+RTQKU0ZjMETKN2czQbpg5L8JpTN69nt3oLI1j8atTnlhg +r2A==
X-Gm-Message-State: ALyK8tJWc6c0mhzARYXHLrMxiZpBsY+er0NEf2H7mr5mASouCrdvOA8NcsGAZ0c/muaWYjpBkrtN6gL1rlQl9A==
X-Received: by 10.25.21.106 with SMTP id l103mr398546lfi.27.1467039235263; Mon, 27 Jun 2016 07:53:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.141.132 with HTTP; Mon, 27 Jun 2016 07:53:54 -0700 (PDT)
In-Reply-To: <alpine.GSO.1.10.1606261730110.18480@multics.mit.edu>
References: <alpine.GSO.1.10.1606261730110.18480@multics.mit.edu>
From: Michael Jenkins <m.jenkins.364706@gmail.com>
Date: Mon, 27 Jun 2016 10:53:54 -0400
Message-ID: <CAC2=hncg3HftSt4JPz0ZT6+wtrKd1zSdoc+jPhStHvf4ZtwaqQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary="001a113f17e87d5214053643b0ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/SL7BGGCCsXxqwOph5XXZel5tORg>
Cc: kitten@ietf.org, draft-ietf-kitten-aes-cts-hmac-sha2@tools.ietf.org
Subject: Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2016 15:00:17 -0000
Ben, we'll get started on these. On Sun, Jun 26, 2016 at 11:03 PM, Benjamin Kaduk <kaduk@mit.edu> wrote: > Hi Michael et al, > > As I was preparing the shepherd writeup for this document, I noticed some > things that do not block the progression of the document but do require > changes, and one item that may require further WG input. Can you prepare > a new version with the changes mentioned below? > > The one item which would potentially affect the actual protocol: at the > end of Section 5, the pseudo-random function seems to be using a SP800-108 > KDF but omits the zero byte between label and context. I think it would > be better to have the zero byte -- do you remember whether there was a > reason to omit it? (Adding the zero byte would require re-rolling some > test vectors, to be clear.) > > Additionally, all document authors will need to confirm compliance with > BCPs 78 and 79 for this document, namely that there are no intellectual > property concerns with the document that are not already disclosed. > > Please add a normative reference to RFC 2104 for HMAC, first mentioned at > the end of Section 1. > > In Section 3, it might aid clarity to mention that the 0x00000001 input to > HMAC() is the 'i' parameter from SP800-108 [indicating that this is the > first block of output, even though it is the only block of output as > well]. > > In Section 4, it might be worth re-mentioning "where PBKDF2 is the > function of that name from RFC 2898" after the algorithm block, since most > everything else used there also gets clarified. (It is already cited at > the beginning of the section, in the overview paragraph.) > > The document should be consistent about using "cipher state" as one word > or two (RFC 3961 prefers the two-word form). It also makes a rather > sudden appearance at the beginning of Section 5 with no explanatory > introduction; it might help the reader to instead start with "The RFC 3961 > cipher state that maintains cryptographic state across different > encryption operations using the same key is used as the formal > initialization vector [...]" On the next page, "cipherstate" is defined as > "a 128-bit initialization vector derived from the ciphertext", which is > potentially misleading, since it can't be both used as the IV for and > derived from the same ciphertext! Probably it's better to say "derived > from a previous (if any) ciphertext using the same encryption key, as > specified below". > > Still in Section 5, in the definition of the encryption function (well, > computing the cipherstate, really), I'm of two minds whether it's worth > mentioning that the case of L < 128 is impossible because of the 128-bit > confounder. > > In the decryption function, can you add a note to the right of "(C, H) = > ciphertext" that "[H is the last h bits of the ciphertext]"? > > In the pseudo-random function, please replace "base-key" with "input-key", > since the key input to the PRF is not expected to be a kerberos protocol > long-term base key. > > In Section 6, the "associated cryptosystem"s are supposed to be > "AES-128-CTS" or "AES-256-CTS", but those strings do not appear elsewhere > in the document. While the meaning is pretty clear, it's probably better > to just say "aes128-cts-hmac-sha256-128 or aes256-cts-hmac-sha384-192 as > appropriate". This does duplicate the preceding text, but we do want to > explicitly list the "associated encryption algorithm" as listed in the > Checksum Algorithm Profile of Section 4 of RFC 3961. > > In Section 8.1, the acronym "TGT" is used, the only instance in the > document. It's also potentially misleading, since ticket-granting tickets > are generally objects that are issued to client principals by the AS. > I'd go with "Cross-realm krbtgt keys" instead. > > The test vectors for key derivation have a parenthetical "constant = > 0x...", but the term "constant" does not appear elsewhere in the document. > The hex values are the label input for the HMAC, so we should call them > that. > > > Thanks, > > Ben > -- Mike Jenkins mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk m.jenkins.364706@gmail.com - to read everywhere 443-634-3951
- Re: [kitten] shepherd review of draft-aes-cts-hma… Jeffrey Altman
- Re: [kitten] shepherd review of draft-aes-cts-hma… Matt Miller (mamille2)
- Re: [kitten] shepherd review of draft-aes-cts-hma… Stephen Farrell
- Re: [kitten] shepherd review of draft-aes-cts-hma… Jeffrey Altman
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- Re: [kitten] shepherd review of draft-aes-cts-hma… Michael Jenkins
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- [kitten] shepherd review of draft-aes-cts-hmac-sh… Benjamin Kaduk