Re: [kitten] I-D Action: draft-ietf-kitten-aes-cts-hmac-sha2-03.txt

"Peck, Michael A" <mpeck@mitre.org> Fri, 15 August 2014 16:57 UTC

From: "Peck, Michael A" <mpeck@mitre.org>
To: Benjamin Kaduk <kaduk@MIT.EDU>, "kitten@ietf.org" <kitten@ietf.org>
Date: Fri, 15 Aug 2014 16:57:00 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/XKkNo5p8zffGjbhPjqAK1573Dfg

Ben,

Thanks for checking these; I did not think of using openssl.
We separately wrote code in both Java (with Bouncy Castle) and Python to
generate the test vectors.
Bouncy Castle supports PBKDF2, CTS mode, etc.
We found Python code for everything except CTS, so we used CBC there and
manually modified the result.

Mike

On 8/14/14, 3:23 PM, "Benjamin Kaduk" <kaduk@MIT.EDU> wrote:

>On Mon, 7 Jul 2014, Peck, Michael A wrote:
>
>> Ben,
>>
>> Thanks for reviewing the changes.
>>
>> I put together test vectors this morning for deriving Kp from the base-key
>> and for the pseudo-random function invocations.
>> I can add the following text to Appendix A (Test Vectors) once
>> Internet-Draft submission reopens.
>> If you'd like to verify these I certainly wouldn't mind.
>
>The key derivation vectors are pretty easy to verify -- one can just use
>the openssl command-line tool with the appropriate knobs set.  The
>string2key and encryption vectors look like they'll take some more effort
>to verify.  Here's what I have so far:
>
>> Sample results for key derivation:
>>    ----------------------------------
>>
>>    enctype aes128-cts-hmac-sha256-128:
>>    128-bit base-key:
>>       37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C
>>    Kc value for key usage 2 (constant = 0x0000000299):
>>       B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
>>    Ke value for key usage 2 (constant = 0x00000002AA):
>>       9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
>>    Ki value for key usage 2 (constant = 0x0000000255):
>>       9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
>>    Kp value (constant = 0x707266):
>>       9C 66 77 98 08 4F 16 82 1E 77 15 DD 5A A6 EB 71
>
>
>no-knife:~/krb/aes/kd> printf "\x00\x00\x00\x02\x99"|openssl dgst -mac
>hmac -macopt hexkey:3705D96080C17728A0E800EAB6E0D23C -sha256
>(stdin)= 682df7d0a529ed3c7eabeaf3bae7f1507365f7cd676feaaf4f07803f56331f49
>no-knife:~/krb/aes/kd> printf
>"\x00\x00\x00\x01\x00\x00\x00\x02\x99\x00\x00\x00\x00\x80" | openssl dgst
>-mac hmac -macopt hexkey:3705D96080C17728A0E800EAB6E0D23C -sha256
>(stdin)= b31a018a48f54776f403e9a396325dc3a688db623e7e5718ca087f29a6e0d18b
>no-knife:~/krb/aes/kd> printf
>"\x00\x00\x00\x01\x00\x00\x00\x02\xaa\x00\x00\x00\x00\x80" | openssl dgst
>-mac hmac -macopt hexkey:3705D96080C17728A0E800EAB6E0D23C -sha256
>(stdin)= 9b197dd1e8c5609d6e67c3e37c62c72e86165fff45c059c5430c2cb28271c8e1
>no-knife:~/krb/aes/kd> printf
>"\x00\x00\x00\x01\x00\x00\x00\x02\x55\x00\x00\x00\x00\x80" | openssl dgst
>-mac hmac -macopt hexkey:3705D96080C17728A0E800EAB6E0D23C -sha256
>(stdin)= 9fda0e56ab2d85e1569a688696c26a6c5a76939834fa73931ab260832012c15f
>no-knife:~/krb/aes/kd> printf "\x00\x00\x00\x01prf\x00\x00\x00\x00\x80" |
>openssl dgst -mac hmac -macopt hexkey:3705D96080C17728A0E800EAB6E0D23C
>-sha256
>(stdin)= 9c667798084f16821e7715dd5aa6eb71edcc9410a3c32474ba097333187f23bc
>
>I didn't find a way to get openssl to perform the k-truncation, but since
>one is doing a manual verification anyway at this point, that doesn't seem
>like a big deal.
>
>
>
>
>>    enctype aes256-cts-hmac-sha384-192:
>>    256-bit base-key:
>>       6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
>>       00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
>>    Kc value for key usage 2 (constant = 0x0000000299):
>>       EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
>>       BA 41 F2 8F AF 69 E7 3D
>>    Ke value for key usage 2 (constant = 0x00000002AA):
>>       56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
>>       A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
>>    Ki value for key usage 2 (constant = 0x0000000255):
>>       69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
>>       22 C4 D0 0F FC 23 ED 1F
>>    Kp value (constant = 0x707266):
>>       5D 63 0D B7 EF DE 37 DE 9C 92 03 C5 2B D9 6C 77
>>       31 BE 1C 5B DD 50 DC 75 44 D9 60 AF F3 CC 23 04
>
>
>
>grumpy-fuzzball:~> printf
>"\x00\x00\x00\x01\x00\x00\x00\x02\x99\x00\x00\x00\x00\xc0" | openssl dgst
>-mac hmac -sha256 -macopt
>hexkey:6D404D37FAF79F9DF0D33568D320669800EB4836472EA8A026D16B7182460C52
>(stdin)= 6b727ae22a201c0a9c1254814582cd7dbbc2bc52eb2e9911d956051f12d744a7
>grumpy-fuzzball:~> printf
>"\x00\x00\x00\x01\x00\x00\x00\x02\x99\x00\x00\x00\x00\xc0" | openssl dgst
>-mac hmac -sha384 -macopt
>hexkey:6D404D37FAF79F9DF0D33568D320669800EB4836472EA8A026D16B7182460C52
>(stdin)=
>ef5718be86cc84963d8bbb5031e9f5c4ba41f28faf69e73db59bbe8665a6c224a58ed65f1d
>7921a017b9f9c173fb79ed
>grumpy-fuzzball:~> printf
>"\x00\x00\x00\x01\x00\x00\x00\x02\xaa\x00\x00\x00\x01\x00" | openssl dgst
>-mac hmac -sha384 -macopt
>hexkey:6D404D37FAF79F9DF0D33568D320669800EB4836472EA8A026D16B7182460C52
>(stdin)=
>56ab22bee63d82d7bc5227f6773f8ea7a5eb1c825160c38312980c442e5c7e490e6e8072e7
>c673258eff172053f03f35
>grumpy-fuzzball:~> printf
>"\x00\x00\x00\x01\x00\x00\x00\x02\x55\x00\x00\x00\x00\xc0" | openssl dgst
>-mac hmac -sha384 -macopt
>hexkey:6D404D37FAF79F9DF0D33568D320669800EB4836472EA8A026D16B7182460C52
>(stdin)=
>69b16514e3cd8e56b82010d5c73012b622c4d00ffc23ed1f19c6803ff0cf1ecf953b5ef3c3
>f1202fd849fbddfbf3a908
>grumpy-fuzzball:~> printf "\x00\x00\x00\x01prf\x00\x00\x00\x01\x00" |
>openssl dgst -mac hmac -sha384 -macopt
>hexkey:6D404D37FAF79F9DF0D33568D320669800EB4836472EA8A026D16B7182460C52
>(stdin)=
>5d630db7efde37de9c9203c52bd96c7731be1c5bdd50dc7544d960aff3cc23042f35cd2dae
>8522ec44215ee31aab49d0
>
>Note that the last bytes of the printf invocation must change depending on
>whether we are producing Kc/Ki or Ke/Kp.
>
>
>
>> Sample pseudo-random function (PRF) invocations:
>>    -----------------------------------------
>>
>>    PRF input octet-string: "test" (0x74657374)
>>
>>    enctype aes128-cts-hmac-sha256-128:
>>    Kp value:
>>       9C 66 77 98 08 4F 16 82 1E 77 15 DD 5A A6 EB 71
>>    PRF output:
>>       3A CA 18 6C C1 26 56 76 5C FE B1 D2 2D 1C B1 36
>>
>>    enctype aes256-cts-hmac-sha384-192:
>>    Kp value:
>>       5D 63 0D B7 EF DE 37 DE 9C 92 03 C5 2B D9 6C 77
>>       31 BE 1C 5B DD 50 DC 75 44 D9 60 AF F3 CC 23 04
>>    PRF output:
>>       01 72 03 F2 90 CD 16 6C D6 B2 BB 4F 18 7D 16 23
>>       6B 9A 4E D7 66 19 D8 11 6C 64 06 A3 37 E7 F9 08
>
>These also look good:
>
>grumpy-fuzzball:~> printf "test" | openssl dgst -mac hmac -sha256 -macopt
>hexkey:9C667798084F16821E7715DD5AA6EB71
>(stdin)= 3aca186cc12656765cfeb1d22d1cb136761138f3463d5987be408ab09039523d
>grumpy-fuzzball:~> printf "test" | openssl dgst -mac hmac -sha384 -macopt
>hexkey:5D630DB7EFDE37DE9C9203C52BD96C7731BE1C5BDD50DC7544D960AFF3CC2304
>(stdin)=
>017203f290cd166cd6b2bb4f187d16236b9a4ed76619d8116c6406a337e7f9087882bd79ed
>d42abc6d44319f94db2fa5
>
>-Ben
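The manual check in the thread, including the k-bit truncation that the openssl command line did not perform, can be reproduced in a few lines of Python. This is an added example, not code from either participant or from the draft; the function and table names are assumptions, and the octet layout (0x00000001 | constant | 0x00 | k) and the PRF output lengths are taken from the printf commands and sample results quoted above.

```python
import hashlib
import hmac

# Per enctype: hash, k (bits) for Kc/Ki, k (bits) for Ke/Kp, as in the thread.
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": ("sha256", 128, 128),
    "aes256-cts-hmac-sha384-192": ("sha384", 192, 256),
}

def kdf(hash_name, base_key, label, k_bits):
    """HMAC(base_key, 0x00000001 | label | 0x00 | k), truncated to k bits."""
    if k_bits % 8 or k_bits > hashlib.new(hash_name).digest_size * 8:
        raise ValueError("k must be whole bytes and fit in one HMAC output")
    msg = (1).to_bytes(4, "big") + label + b"\x00" + k_bits.to_bytes(4, "big")
    return hmac.new(base_key, msg, hash_name).digest()[: k_bits // 8]

def derive_all(enctype, base_key, usage):
    """Return Kc, Ke, Ki for a key usage number, plus Kp, as hex strings."""
    hash_name, k_mac, k_enc = ENCTYPES[enctype]
    u = usage.to_bytes(4, "big")
    keys = {
        "Kc": kdf(hash_name, base_key, u + b"\x99", k_mac),
        "Ke": kdf(hash_name, base_key, u + b"\xaa", k_enc),
        "Ki": kdf(hash_name, base_key, u + b"\x55", k_mac),
        "Kp": kdf(hash_name, base_key, b"prf", k_enc),
    }
    return {name: key.hex() for name, key in keys.items()}

def prf(enctype, kp, data):
    """PRF as checked in the thread: HMAC(Kp, data), cut to the sample
    output length (16 or 32 bytes, the same as the Ke/Kp length)."""
    hash_name, _, k_enc = ENCTYPES[enctype]
    return hmac.new(kp, data, hash_name).digest()[: k_enc // 8].hex()

# Base keys copied from the sample results quoted above.
BASE128 = bytes.fromhex("3705D96080C17728A0E800EAB6E0D23C")
BASE256 = bytes.fromhex(
    "6D404D37FAF79F9DF0D33568D320669800EB4836472EA8A026D16B7182460C52")

if __name__ == "__main__":
    for enctype, base in (("aes128-cts-hmac-sha256-128", BASE128),
                          ("aes256-cts-hmac-sha384-192", BASE256)):
        keys = derive_all(enctype, base, 2)
        print(enctype, keys, prf(enctype, bytes.fromhex(keys["Kp"]), b"test"))
```

Because k is part of the HMAC input, a 192-bit key is not a prefix of the 256-bit key derived with the same constant, which is why the last octets of the input differ between Kc/Ki and Ke/Kp.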