Re: [kitten] I-D Action: draft-ietf-kitten-aes-cts-hmac-sha2-07.txt

Greg Hudson <ghudson@mit.edu> Fri, 04 December 2015 17:22 UTC

To: kitten@ietf.org
References: <20151203182416.14249.59890.idtracker@ietfa.amsl.com> <8BBA724D-905D-4B7D-BE87-A8748D8A8F3E@mitre.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <5661CBC9.7010404@mit.edu>
Date: Fri, 04 Dec 2015 12:22:17 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/YX_cVVcvZlBvQbtrC-bQACnwf54>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-aes-cts-hmac-sha2-07.txt
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>

On 12/03/2015 01:32 PM, Peck, Michael A wrote:
> We would appreciate working group feedback on this new finally posted draft.

I'm looking at the description of ciphertext state in this draft versus
the description in RFC 3962.  RFC 3962 says:

   The initial vector carried out from one encryption for use in a
   subsequent encryption is the next-to-last block of the encryption
   output; this is the encrypted form of the last plaintext block.  When
   decrypting, the next-to-last block of the supplied ciphertext is
   carried forward as the next initial vector.  If only one ciphertext
   block is available (decrypting one block, or encrypting one block or
   less), then that one block is carried out instead.

The draft says:

      ciphertext = C | H[1..h]
      cipherstate = the last full (128 bit) block of C
      (i.e. the next-to-last block if the last block
      is not a full 128 bits)

I believe the intent was to align the draft with RFC 3962 (in that a
previous version of the draft used a simpler construction involving the
confounder, and it was later changed), but these definitions are not
identical when the last plaintext block is a full 128 bits, unless I'm
missing something.

As an implementor, I would like to reuse the AES enc-provider in MIT
krb5, which consumes and outputs ciphertext state, so I would prefer
that the definitions align.  It looks like Luke's implementation for
Heimdal also reuses the _krb5_evp_encrypt_cts() function, which consumes
and outputs ciphertext state.

(This discussion does not affect the test vectors, which do not use
cipher state.  Cipher state is really only used for the obsolete krb5
rlogin, as far as I know.)