Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
"Matt Miller (mamille2)" <mamille2@cisco.com> Tue, 05 July 2016 22:23 UTC
Return-Path: <mamille2@cisco.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69E5D12B02C for <kitten@ietfa.amsl.com>; Tue, 5 Jul 2016 15:23:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.927
X-Spam-Level:
X-Spam-Status: No, score=-15.927 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B4ca1D679pxn for <kitten@ietfa.amsl.com>; Tue, 5 Jul 2016 15:23:17 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDC0912B022 for <kitten@ietf.org>; Tue, 5 Jul 2016 15:23:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8325; q=dns/txt; s=iport; t=1467757397; x=1468966997; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=WRayx6JQop0EkBq9g98VTYDMLjansKEX0B5BaWPpwJQ=; b=H5fQ9EyWd4OL06sLjlTeJIC6PNuo7lNBtp+Zy/19KEvzdK8paI79H+ji aXIxBaCENfwD8QjTX2IkYK8yf6xt+dhjuXgVNYVz76llP+xiKoHHk+Skc M/vvFyFlYrU1x/wyIygFZeRGpSfgOy4Dl+RfSyaZ7N271kYri8d5g61dX 8=;
X-Files: signature.asc : 496
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AjAgD0MnxX/5tdJa1ZA4M+VnwGrTKMEIF3IoUsSgKBLzgUAQEBAQEBAWUnhEwBAQQBAQEbUQsFCwIBCA4KLiEGCyUCBAENBQ6ICAMPCA63Jw2EMQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ4JBYgfCIJNgkOBbTEmgmWCLwWOBIpbMgIBgy6BbG6GLoIQgWqEVoMuhTyGV4FAh3IBHjaCCByBTG4Bh1R/AQEB
X-IronPort-AV: E=Sophos;i="5.28,315,1464652800"; d="asc'?scan'208";a="294060257"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Jul 2016 22:23:01 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id u65MN1um010332 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 5 Jul 2016 22:23:01 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 5 Jul 2016 17:23:00 -0500
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1210.000; Tue, 5 Jul 2016 17:23:00 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Jeffrey Altman <jaltman@secure-endpoints.com>, Luke Howard <lukeh@padl.com>
Thread-Topic: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
Thread-Index: AQHR0CCUuSaQZ9bq5EeM2+5UxA2/DZ/9uwMAgAC3QQCAAFyWAIAATXSAgAe5xoCAA/UOgA==
Date: Tue, 05 Jul 2016 22:23:00 +0000
Message-ID: <CED7D3E2-CA5D-4743-B2BB-1ED10607FE09@cisco.com>
References: <alpine.GSO.1.10.1606261730110.18480@multics.mit.edu> <CAC2=hncg3HftSt4JPz0ZT6+wtrKd1zSdoc+jPhStHvf4ZtwaqQ@mail.gmail.com> <alpine.GSO.1.10.1606272147210.18480@multics.mit.edu> <677848B0-17A4-47A6-93EB-F9939654DBAC@padl.com> <12304a67-7cd8-9010-7164-abfd0a47d0d4@secure-endpoints.com> <5778E173.3020707@cs.tcd.ie>
In-Reply-To: <5778E173.3020707@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-pgp-agent: GPGMail
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.129.24.54]
Content-Type: multipart/signed; boundary="Apple-Mail=_DD92C132-49D4-4CA7-A2C9-08C2C785D204"; protocol="application/pgp-signature"; micalg="pgp-sha512"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/WSiuTyIIDHf4Dz64Xg3aNEP7Vl8>
Cc: "kitten@ietf.org" <kitten@ietf.org>, "draft-ietf-kitten-aes-cts-hmac-sha2@tools.ietf.org" <draft-ietf-kitten-aes-cts-hmac-sha2@tools.ietf.org>
Subject: Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jul 2016 22:23:19 -0000
Hello All, Thanks to Mike for submitting the update so quickly. It appears to me that -10 addresses all the concerns raised. Are there any objections to moving forward with IETF Last Call with this revision? For convenience, the latest revision can be found here: https://tools.ietf.org/html/draft-ietf-kitten-aes-cts-hmac-sha2-10 Thanks, - Kitten Chairs > On Jul 3, 2016, at 03:57, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > > Hiya, > > I nearly just started the IETF last call for this, but then > noticed these emails;-) Please ignore any status change > emails you may have seen. > > Chairs - please tell me when you want me to start IETF LC. > > I did my AD review of it, and modulo this discussion being > resolved, I think it's ready to go ahead. > > Thanks, > S. > > On 28/06/16 12:58, Jeffrey Altman wrote: >> +1 >> >> On 6/28/2016 3:21 AM, Luke Howard wrote: >>> I reckon let's do it "properly" even if at the expense of redundant text. >>> >>> Sent from my iPhone >>> >>>> On 28 Jun 2016, at 11:49, Benjamin Kaduk <kaduk@MIT.EDU> wrote: >>>> >>>> Thanks, Michael. >>>> >>>> If the WG does want to treat the PRF octet-string input as a SP800-108 >>>> context and use a zero-byte separator, it seems like the "quick-and-dirty" >>>> patch would be to just stick one in after "prf" and then there would be >>>> another (somewhat superfluous) one appended after the octet-string by >>>> KDF-HMAC-SHA2. That might be easier than essentially inlining the >>>> definitino of KDF-HMAC-SHA2 for just the PRF calculation. >>>> >>>> -Ben >>>> >>>>> On Mon, 27 Jun 2016, Michael Jenkins wrote: >>>>> >>>>> Ben, >>>>> >>>>> we'll get started on these. >>>>> >>>>>> On Sun, Jun 26, 2016 at 11:03 PM, Benjamin Kaduk <kaduk@mit.edu> wrote: >>>>>> >>>>>> Hi Michael et al, >>>>>> >>>>>> As I was preparing the shepherd writeup for this document, I noticed some >>>>>> things that do not block the progression of the document but do require >>>>>> changes, and one item that may require further WG input. Can you prepare >>>>>> a new version with the changes mentioned below? >>>>>> >>>>>> The one item which would potentially affect the actual protocol: at the >>>>>> end of Section 5, the pseudo-random function seems to be using a SP800-108 >>>>>> KDF but omits the zero byte between label and context. I think it would >>>>>> be better to have the zero byte -- do you remember whether there was a >>>>>> reason to omit it? (Adding the zero byte would require re-rolling some >>>>>> test vectors, to be clear.) >>>>>> >>>>>> Additionally, all document authors will need to confirm compliance with >>>>>> BCPs 78 and 79 for this document, namely that there are no intellectual >>>>>> property concerns with the document that are not already disclosed. >>>>>> >>>>>> Please add a normative reference to RFC 2104 for HMAC, first mentioned at >>>>>> the end of Section 1. >>>>>> >>>>>> In Section 3, it might aid clarity to mention that the 0x00000001 input to >>>>>> HMAC() is the 'i' parameter from SP800-108 [indicating that this is the >>>>>> first block of output, even though it is the only block of output as >>>>>> well]. >>>>>> >>>>>> In Section 4, it might be worth re-mentioning "where PBKDF2 is the >>>>>> function of that name from RFC 2898" after the algorithm block, since most >>>>>> everything else used there also gets clarified. (It is already cited at >>>>>> the beginning of the section, in the overview paragraph.) >>>>>> >>>>>> The document should be consistent about using "cipher state" as one word >>>>>> or two (RFC 3961 prefers the two-word form). It also makes a rather >>>>>> sudden appearance at the beginning of Section 5 with no explanatory >>>>>> introduction; it might help the reader to instead start with "The RFC 3961 >>>>>> cipher state that maintains cryptographic state across different >>>>>> encryption operations using the same key is used as the formal >>>>>> initialization vector [...]" On the next page, "cipherstate" is defined as >>>>>> "a 128-bit initialization vector derived from the ciphertext", which is >>>>>> potentially misleading, since it can't be both used as the IV for and >>>>>> derived from the same ciphertext! Probably it's better to say "derived >>>>>> from a previous (if any) ciphertext using the same encryption key, as >>>>>> specified below". >>>>>> >>>>>> Still in Section 5, in the definition of the encryption function (well, >>>>>> computing the cipherstate, really), I'm of two minds whether it's worth >>>>>> mentioning that the case of L < 128 is impossible because of the 128-bit >>>>>> confounder. >>>>>> >>>>>> In the decryption function, can you add a note to the right of "(C, H) = >>>>>> ciphertext" that "[H is the last h bits of the ciphertext]"? >>>>>> >>>>>> In the pseudo-random function, please replace "base-key" with "input-key", >>>>>> since the key input to the PRF is not expected to be a kerberos protocol >>>>>> long-term base key. >>>>>> >>>>>> In Section 6, the "associated cryptosystem"s are supposed to be >>>>>> "AES-128-CTS" or "AES-256-CTS", but those strings do not appear elsewhere >>>>>> in the document. While the meaning is pretty clear, it's probably better >>>>>> to just say "aes128-cts-hmac-sha256-128 or aes256-cts-hmac-sha384-192 as >>>>>> appropriate". This does duplicate the preceding text, but we do want to >>>>>> explicitly list the "associated encryption algorithm" as listed in the >>>>>> Checksum Algorithm Profile of Section 4 of RFC 3961. >>>>>> >>>>>> In Section 8.1, the acronym "TGT" is used, the only instance in the >>>>>> document. It's also potentially misleading, since ticket-granting tickets >>>>>> are generally objects that are issued to client principals by the AS. >>>>>> I'd go with "Cross-realm krbtgt keys" instead. >>>>>> >>>>>> The test vectors for key derivation have a parenthetical "constant = >>>>>> 0x...", but the term "constant" does not appear elsewhere in the document. >>>>>> The hex values are the label input for the HMAC, so we should call them >>>>>> that. >>>>>> >>>>>> >>>>>> Thanks, >>>>>> >>>>>> Ben >>>>> >>>>> >>>>> >>>>> -- >>>>> Mike Jenkins >>>>> mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk >>>>> m.jenkins.364706@gmail.com - to read everywhere >>>>> 443-634-3951 >>>> >>>> _______________________________________________ >>>> Kitten mailing list >>>> Kitten@ietf.org >>>> https://www.ietf.org/mailman/listinfo/kitten >>> >>> _______________________________________________ >>> Kitten mailing list >>> Kitten@ietf.org >>> https://www.ietf.org/mailman/listinfo/kitten >>> >> >> >> >> _______________________________________________ >> Kitten mailing list >> Kitten@ietf.org >> https://www.ietf.org/mailman/listinfo/kitten >> > > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten
- Re: [kitten] shepherd review of draft-aes-cts-hma… Jeffrey Altman
- Re: [kitten] shepherd review of draft-aes-cts-hma… Matt Miller (mamille2)
- Re: [kitten] shepherd review of draft-aes-cts-hma… Stephen Farrell
- Re: [kitten] shepherd review of draft-aes-cts-hma… Jeffrey Altman
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- Re: [kitten] shepherd review of draft-aes-cts-hma… Michael Jenkins
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- [kitten] shepherd review of draft-aes-cts-hmac-sh… Benjamin Kaduk