IETF Logo Mail Archive

Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09

"Matt Miller (mamille2)" <mamille2@cisco.com> Tue, 05 July 2016 22:23 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69E5D12B02C for <kitten@ietfa.amsl.com>; Tue, 5 Jul 2016 15:23:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.927
X-Spam-Level:
X-Spam-Status: No, score=-15.927 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B4ca1D679pxn for <kitten@ietfa.amsl.com>; Tue, 5 Jul 2016 15:23:17 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDC0912B022 for <kitten@ietf.org>; Tue, 5 Jul 2016 15:23:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8325; q=dns/txt; s=iport; t=1467757397; x=1468966997; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=WRayx6JQop0EkBq9g98VTYDMLjansKEX0B5BaWPpwJQ=; b=H5fQ9EyWd4OL06sLjlTeJIC6PNuo7lNBtp+Zy/19KEvzdK8paI79H+ji aXIxBaCENfwD8QjTX2IkYK8yf6xt+dhjuXgVNYVz76llP+xiKoHHk+Skc M/vvFyFlYrU1x/wyIygFZeRGpSfgOy4Dl+RfSyaZ7N271kYri8d5g61dX 8=;
X-Files: signature.asc : 496
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AjAgD0MnxX/5tdJa1ZA4M+VnwGrTKMEIF3IoUsSgKBLzgUAQEBAQEBAWUnhEwBAQQBAQEbUQsFCwIBCA4KLiEGCyUCBAENBQ6ICAMPCA63Jw2EMQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ4JBYgfCIJNgkOBbTEmgmWCLwWOBIpbMgIBgy6BbG6GLoIQgWqEVoMuhTyGV4FAh3IBHjaCCByBTG4Bh1R/AQEB
X-IronPort-AV: E=Sophos;i="5.28,315,1464652800"; d="asc'?scan'208";a="294060257"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Jul 2016 22:23:01 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id u65MN1um010332 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 5 Jul 2016 22:23:01 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 5 Jul 2016 17:23:00 -0500
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1210.000; Tue, 5 Jul 2016 17:23:00 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Jeffrey Altman <jaltman@secure-endpoints.com>, Luke Howard <lukeh@padl.com>
Thread-Topic: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
Thread-Index: AQHR0CCUuSaQZ9bq5EeM2+5UxA2/DZ/9uwMAgAC3QQCAAFyWAIAATXSAgAe5xoCAA/UOgA==
Date: Tue, 05 Jul 2016 22:23:00 +0000
Message-ID: <CED7D3E2-CA5D-4743-B2BB-1ED10607FE09@cisco.com>
References: <alpine.GSO.1.10.1606261730110.18480@multics.mit.edu> <CAC2=hncg3HftSt4JPz0ZT6+wtrKd1zSdoc+jPhStHvf4ZtwaqQ@mail.gmail.com> <alpine.GSO.1.10.1606272147210.18480@multics.mit.edu> <677848B0-17A4-47A6-93EB-F9939654DBAC@padl.com> <12304a67-7cd8-9010-7164-abfd0a47d0d4@secure-endpoints.com> <5778E173.3020707@cs.tcd.ie>
In-Reply-To: <5778E173.3020707@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-pgp-agent: GPGMail
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.129.24.54]
Content-Type: multipart/signed; boundary="Apple-Mail=_DD92C132-49D4-4CA7-A2C9-08C2C785D204"; protocol="application/pgp-signature"; micalg="pgp-sha512"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/WSiuTyIIDHf4Dz64Xg3aNEP7Vl8>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "draft-ietf-kitten-aes-cts-hmac-sha2@tools.ietf.org" <draft-ietf-kitten-aes-cts-hmac-sha2@tools.ietf.org>
Subject: Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jul 2016 22:23:19 -0000

Hello All,

Thanks to Mike for submitting the update so quickly.

It appears to me that -10 addresses all the concerns raised.
Are there any objections to moving forward with IETF Last Call
with this revision?

For convenience, the latest revision can be found here:
https://tools.ietf.org/html/draft-ietf-kitten-aes-cts-hmac-sha2-10


Thanks,

- Kitten Chairs

> On Jul 3, 2016, at 03:57, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hiya,
> 
> I nearly just started the IETF last call for this, but then
> noticed these emails;-) Please ignore any status change
> emails you may have seen.
> 
> Chairs - please tell me when you want me to start IETF LC.
> 
> I did my AD review of it, and modulo this discussion being
> resolved, I think it's ready to go ahead.
> 
> Thanks,
> S.
> 
> On 28/06/16 12:58, Jeffrey Altman wrote:
>> +1
>> 
>> On 6/28/2016 3:21 AM, Luke Howard wrote:
>>> I reckon let's do it "properly" even if at the expense of redundant text.
>>> 
>>> Sent from my iPhone
>>> 
>>>> On 28 Jun 2016, at 11:49, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>>>> 
>>>> Thanks, Michael.
>>>> 
>>>> If the WG does want to treat the PRF octet-string input as a SP800-108
>>>> context and use a zero-byte separator, it seems like the "quick-and-dirty"
>>>> patch would be to just stick one in after "prf" and then there would be
>>>> another (somewhat superfluous) one appended after the octet-string by
>>>> KDF-HMAC-SHA2.  That might be easier than essentially inlining the
>>>> definitino of KDF-HMAC-SHA2 for just the PRF calculation.
>>>> 
>>>> -Ben
>>>> 
>>>>> On Mon, 27 Jun 2016, Michael Jenkins wrote:
>>>>> 
>>>>> Ben,
>>>>> 
>>>>> we'll get started on these.
>>>>> 
>>>>>> On Sun, Jun 26, 2016 at 11:03 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>>>>> 
>>>>>> Hi Michael et al,
>>>>>> 
>>>>>> As I was preparing the shepherd writeup for this document, I noticed some
>>>>>> things that do not block the progression of the document but do require
>>>>>> changes, and one item that may require further WG input.  Can you prepare
>>>>>> a new version with the changes mentioned below?
>>>>>> 
>>>>>> The one item which would potentially affect the actual protocol: at the
>>>>>> end of Section 5, the pseudo-random function seems to be using a SP800-108
>>>>>> KDF but omits the zero byte between label and context.  I think it would
>>>>>> be better to have the zero byte -- do you remember whether there was a
>>>>>> reason to omit it?  (Adding the zero byte would require re-rolling some
>>>>>> test vectors, to be clear.)
>>>>>> 
>>>>>> Additionally, all document authors will need to confirm compliance with
>>>>>> BCPs 78 and 79 for this document, namely that there are no intellectual
>>>>>> property concerns with the document that are not already disclosed.
>>>>>> 
>>>>>> Please add a normative reference to RFC 2104 for HMAC, first mentioned at
>>>>>> the end of Section 1.
>>>>>> 
>>>>>> In Section 3, it might aid clarity to mention that the 0x00000001 input to
>>>>>> HMAC() is the 'i' parameter from SP800-108 [indicating that this is the
>>>>>> first block of output, even though it is the only block of output as
>>>>>> well].
>>>>>> 
>>>>>> In Section 4, it might be worth re-mentioning "where PBKDF2 is the
>>>>>> function of that name from RFC 2898" after the algorithm block, since most
>>>>>> everything else used there also gets clarified.  (It is already cited at
>>>>>> the beginning of the section, in the overview paragraph.)
>>>>>> 
>>>>>> The document should be consistent about using "cipher state" as one word
>>>>>> or two (RFC 3961 prefers the two-word form).  It also makes a rather
>>>>>> sudden appearance at the beginning of Section 5 with no explanatory
>>>>>> introduction; it might help the reader to instead start with "The RFC 3961
>>>>>> cipher state that maintains cryptographic state across different
>>>>>> encryption operations using the same key is used as the formal
>>>>>> initialization vector [...]" On the next page, "cipherstate" is defined as
>>>>>> "a 128-bit initialization vector derived from the ciphertext", which is
>>>>>> potentially misleading, since it can't be both used as the IV for and
>>>>>> derived from the same ciphertext!  Probably it's better to say "derived
>>>>>> from a previous (if any) ciphertext using the same encryption key, as
>>>>>> specified below".
>>>>>> 
>>>>>> Still in Section 5, in the definition of the encryption function (well,
>>>>>> computing the cipherstate, really), I'm of two minds whether it's worth
>>>>>> mentioning that the case of L < 128 is impossible because of the 128-bit
>>>>>> confounder.
>>>>>> 
>>>>>> In the decryption function, can you add a note to the right of "(C, H) =
>>>>>> ciphertext" that "[H is the last h bits of the ciphertext]"?
>>>>>> 
>>>>>> In the pseudo-random function, please replace "base-key" with "input-key",
>>>>>> since the key input to the PRF is not expected to be a kerberos protocol
>>>>>> long-term base key.
>>>>>> 
>>>>>> In Section 6, the "associated cryptosystem"s are supposed to be
>>>>>> "AES-128-CTS" or "AES-256-CTS", but those strings do not appear elsewhere
>>>>>> in the document.  While the meaning is pretty clear, it's probably better
>>>>>> to just say "aes128-cts-hmac-sha256-128 or aes256-cts-hmac-sha384-192 as
>>>>>> appropriate".  This does duplicate the preceding text, but we do want to
>>>>>> explicitly list the "associated encryption algorithm" as listed in the
>>>>>> Checksum Algorithm Profile of Section 4 of RFC 3961.
>>>>>> 
>>>>>> In Section 8.1, the acronym "TGT" is used, the only instance in the
>>>>>> document.  It's also potentially misleading, since ticket-granting tickets
>>>>>> are generally objects that are issued to client principals by the AS.
>>>>>> I'd go with "Cross-realm krbtgt keys" instead.
>>>>>> 
>>>>>> The test vectors for key derivation have a parenthetical "constant =
>>>>>> 0x...", but the term "constant" does not appear elsewhere in the document.
>>>>>> The hex values are the label input for the HMAC, so we should call them
>>>>>> that.
>>>>>> 
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Ben
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Mike Jenkins
>>>>> mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk
>>>>> m.jenkins.364706@gmail.com - to read everywhere
>>>>> 443-634-3951
>>>> 
>>>> _______________________________________________
>>>> Kitten mailing list
>>>> Kitten@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/kitten
>>> 
>>> _______________________________________________
>>> Kitten mailing list
>>> Kitten@ietf.org
>>> https://www.ietf.org/mailman/listinfo/kitten
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> Kitten mailing list
>> Kitten@ietf.org
>> https://www.ietf.org/mailman/listinfo/kitten
>> 
> 
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email