IETF Logo Mail Archive

Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09

Luke Howard <lukeh@padl.com> Tue, 28 June 2016 07:21 UTC

Return-Path: <lukeh@padl.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B5AC12DB08 for <kitten@ietfa.amsl.com>; Tue, 28 Jun 2016 00:21:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.327
X-Spam-Level:
X-Spam-Status: No, score=-3.327 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h52psYK1ZzwH for <kitten@ietfa.amsl.com>; Tue, 28 Jun 2016 00:21:17 -0700 (PDT)
Received: from us.padl.com (us.padl.com [216.154.215.154]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F05512DB09 for <kitten@ietf.org>; Tue, 28 Jun 2016 00:21:16 -0700 (PDT)
Received: by us.padl.com with ESMTP id u5S7LAdB018310; Tue, 28 Jun 2016 03:21:14 -0400
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Luke Howard <lukeh@padl.com>
X-Mailer: iPhone Mail (13F69)
In-Reply-To: <alpine.GSO.1.10.1606272147210.18480@multics.mit.edu>
Date: Tue, 28 Jun 2016 17:21:10 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <677848B0-17A4-47A6-93EB-F9939654DBAC@padl.com>
References: <alpine.GSO.1.10.1606261730110.18480@multics.mit.edu> <CAC2=hncg3HftSt4JPz0ZT6+wtrKd1zSdoc+jPhStHvf4ZtwaqQ@mail.gmail.com> <alpine.GSO.1.10.1606272147210.18480@multics.mit.edu>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/W07vhHpnYNL5DrAlvJ_h0TblMBE>
Cc: kitten@ietf.org, draft-ietf-kitten-aes-cts-hmac-sha2@tools.ietf.org
Subject: Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2016 07:21:20 -0000

I reckon let's do it "properly" even if at the expense of redundant text.

Sent from my iPhone

> On 28 Jun 2016, at 11:49, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> 
> Thanks, Michael.
> 
> If the WG does want to treat the PRF octet-string input as a SP800-108
> context and use a zero-byte separator, it seems like the "quick-and-dirty"
> patch would be to just stick one in after "prf" and then there would be
> another (somewhat superfluous) one appended after the octet-string by
> KDF-HMAC-SHA2.  That might be easier than essentially inlining the
> definitino of KDF-HMAC-SHA2 for just the PRF calculation.
> 
> -Ben
> 
>> On Mon, 27 Jun 2016, Michael Jenkins wrote:
>> 
>> Ben,
>> 
>> we'll get started on these.
>> 
>>> On Sun, Jun 26, 2016 at 11:03 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>> 
>>> Hi Michael et al,
>>> 
>>> As I was preparing the shepherd writeup for this document, I noticed some
>>> things that do not block the progression of the document but do require
>>> changes, and one item that may require further WG input.  Can you prepare
>>> a new version with the changes mentioned below?
>>> 
>>> The one item which would potentially affect the actual protocol: at the
>>> end of Section 5, the pseudo-random function seems to be using a SP800-108
>>> KDF but omits the zero byte between label and context.  I think it would
>>> be better to have the zero byte -- do you remember whether there was a
>>> reason to omit it?  (Adding the zero byte would require re-rolling some
>>> test vectors, to be clear.)
>>> 
>>> Additionally, all document authors will need to confirm compliance with
>>> BCPs 78 and 79 for this document, namely that there are no intellectual
>>> property concerns with the document that are not already disclosed.
>>> 
>>> Please add a normative reference to RFC 2104 for HMAC, first mentioned at
>>> the end of Section 1.
>>> 
>>> In Section 3, it might aid clarity to mention that the 0x00000001 input to
>>> HMAC() is the 'i' parameter from SP800-108 [indicating that this is the
>>> first block of output, even though it is the only block of output as
>>> well].
>>> 
>>> In Section 4, it might be worth re-mentioning "where PBKDF2 is the
>>> function of that name from RFC 2898" after the algorithm block, since most
>>> everything else used there also gets clarified.  (It is already cited at
>>> the beginning of the section, in the overview paragraph.)
>>> 
>>> The document should be consistent about using "cipher state" as one word
>>> or two (RFC 3961 prefers the two-word form).  It also makes a rather
>>> sudden appearance at the beginning of Section 5 with no explanatory
>>> introduction; it might help the reader to instead start with "The RFC 3961
>>> cipher state that maintains cryptographic state across different
>>> encryption operations using the same key is used as the formal
>>> initialization vector [...]" On the next page, "cipherstate" is defined as
>>> "a 128-bit initialization vector derived from the ciphertext", which is
>>> potentially misleading, since it can't be both used as the IV for and
>>> derived from the same ciphertext!  Probably it's better to say "derived
>>> from a previous (if any) ciphertext using the same encryption key, as
>>> specified below".
>>> 
>>> Still in Section 5, in the definition of the encryption function (well,
>>> computing the cipherstate, really), I'm of two minds whether it's worth
>>> mentioning that the case of L < 128 is impossible because of the 128-bit
>>> confounder.
>>> 
>>> In the decryption function, can you add a note to the right of "(C, H) =
>>> ciphertext" that "[H is the last h bits of the ciphertext]"?
>>> 
>>> In the pseudo-random function, please replace "base-key" with "input-key",
>>> since the key input to the PRF is not expected to be a kerberos protocol
>>> long-term base key.
>>> 
>>> In Section 6, the "associated cryptosystem"s are supposed to be
>>> "AES-128-CTS" or "AES-256-CTS", but those strings do not appear elsewhere
>>> in the document.  While the meaning is pretty clear, it's probably better
>>> to just say "aes128-cts-hmac-sha256-128 or aes256-cts-hmac-sha384-192 as
>>> appropriate".  This does duplicate the preceding text, but we do want to
>>> explicitly list the "associated encryption algorithm" as listed in the
>>> Checksum Algorithm Profile of Section 4 of RFC 3961.
>>> 
>>> In Section 8.1, the acronym "TGT" is used, the only instance in the
>>> document.  It's also potentially misleading, since ticket-granting tickets
>>> are generally objects that are issued to client principals by the AS.
>>> I'd go with "Cross-realm krbtgt keys" instead.
>>> 
>>> The test vectors for key derivation have a parenthetical "constant =
>>> 0x...", but the term "constant" does not appear elsewhere in the document.
>>> The hex values are the label input for the HMAC, so we should call them
>>> that.
>>> 
>>> 
>>> Thanks,
>>> 
>>> Ben
>> 
>> 
>> 
>> --
>> Mike Jenkins
>> mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk
>> m.jenkins.364706@gmail.com - to read everywhere
>> 443-634-3951
> 
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email