Re: [kitten] I-D Action: draft-ietf-kitten-aes-cts-hmac-sha2-05.txt
Michael Jenkins <m.jenkins.364706@gmail.com> Mon, 02 February 2015 17:28 UTC
Return-Path: <m.jenkins.364706@gmail.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF9411A877A for <kitten@ietfa.amsl.com>; Mon, 2 Feb 2015 09:28:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.951
X-Spam-Level:
X-Spam-Status: No, score=0.951 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BL9QTz7Oj55D for <kitten@ietfa.amsl.com>; Mon, 2 Feb 2015 09:28:44 -0800 (PST)
Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B31181A8777 for <kitten@ietf.org>; Mon, 2 Feb 2015 09:28:43 -0800 (PST)
Received: by mail-qg0-f41.google.com with SMTP id q108so48420553qgd.0 for <kitten@ietf.org>; Mon, 02 Feb 2015 09:28:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=9W0BCNGpei0MlvaPvXd+qbx9wsXpLETOh8bTqkzTYbs=; b=Ix7yZrQaQ+OoCuck9S00Fib29h61ySIn9/4Ze27my2qJZqYQftUJTiWG9gL7ZP2L9+ NRXOy3SN60Rl4tn4m1k1rNiY/yw/1yoTHAD/FsztBGgpbeqHAJpCkCP1wUMtyrEmLR1+ 3bVCx1cGt/EmiHGnm/wO29hF7R2bQveEeBem49I2JwfPIyvt9JKMAghPUCUGB3DelbAk HDcd7D0yVL8Gf8KvJLHS3Dfh6jg+CNlRNP7+/0mjCnc+QHY41iHNRUcjiwY2V5rNsZ1L LCwM6w5/gIlt/xaKerC4+fxNvqOn6F+jB9GfOJ0YvTdccplrDdem2rafjVgqEjnY+9dp JoRQ==
MIME-Version: 1.0
X-Received: by 10.140.48.67 with SMTP id n61mr40291160qga.82.1422898122858; Mon, 02 Feb 2015 09:28:42 -0800 (PST)
Received: by 10.229.39.131 with HTTP; Mon, 2 Feb 2015 09:28:42 -0800 (PST)
In-Reply-To: <20140930141040.271b6205@willson.usersys.redhat.com>
References: <20140923122546.30735.53089.idtracker@ietfa.amsl.com> <20140930141040.271b6205@willson.usersys.redhat.com>
Date: Mon, 02 Feb 2015 12:28:42 -0500
Message-ID: <CAC2=hncRCQoDMgAVunuqugDi1UozH+oWxZX-T5KgMFdXHmLXUA@mail.gmail.com>
From: Michael Jenkins <m.jenkins.364706@gmail.com>
To: Simo Sorce <simo@redhat.com>
Content-Type: multipart/alternative; boundary="001a113519c42a249e050e1e4997"
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Zm7EBeCPbI_VDQWRymH47hoarPw>
Cc: kitten@ietf.org, "mjjenki@tycho.ncsc.mil" <mjjenki@tycho.ncsc.mil>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-aes-cts-hmac-sha2-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Feb 2015 17:28:46 -0000
Simo, As I understand it (I inherited this draft from Kelley Burgin), the answer is essentially because this work was submitted as a precursor to a "Using Kerberos in a Suite B compliant manner" draft (which will be submitted as an independent informational draft). [For the discussion of why this draft is a kitten work item, you'd have to look at the archive.] As such, the encryption and hash algorithm sizes are determined by the Suite B requirements. That said, the Suite B requirements were tuned to match what seemed to becoming commonly available at the time, particularly in terms of accelerated AES. So, for instance, SHA-384 is matched to AES-256, because AES-256 had a hardware accelerated implementation. Once this pair was selected as a Suite B level of security, it seemed reasonable to simply use them as much as possible (and, for example, truncate the hash results) than to require lots of other sizes as well. [Again, as this was inherited work, I'm working from received lore.] *That* said, there's nothing particularly Suite B about this (the enc-type) draft, or needn't be, so I'd rather put the above seminal explanation in the document than say "because Suite B". I propose that the following paragraph be added to the Security Considerations section (8) to address the entire document, rather than to litter the document with in-place explanations: 8.2 Algorithm dimensions Although there is nothing in this document that constrains its application, it has been written to be consistent with common implementations of AES and SHA-2. The encryption and hash algorithm sizes have been chosen to create a consistent level of protection, with consideration to implementation efficiencies. So, for instance, SHA-384, which would normally be matched to AES-192, is instead matched to AES-256 to leverage the fact that there are efficient hardware implementations of AES-256. Would this suffice? If so, I'll generate an -06 version and upload it in time for Dallas. Mike Jenkins NSA mjjenki@tycho.ncsc.mil / m.jenkins.364706@gmail.com official email / read-everywhere email - feel free to include both On Tue, Sep 30, 2014 at 2:10 PM, Simo Sorce <simo@redhat.com> wrote: > On Tue, 23 Sep 2014 05:25:46 -0700 > internet-drafts@ietf.org wrote: > > > > > A New Internet-Draft is available from the on-line Internet-Drafts > > directories. This draft is a work item of the Common Authentication > > Technology Next Generation Working Group of the IETF. > > > > Title : AES Encryption with HMAC-SHA2 for Kerberos 5 > > Authors : Michael J. Jenkins > > Michael A. Peck > > Kelley W. Burgin > > Filename : draft-ietf-kitten-aes-cts-hmac-sha2-05.txt > > Hi while reading this otherwise very nice specification two questions > kept popping in my mind. > > Why SHA-512 is not being used ? > Why AES-192 is not being used and SHA-384 is paired with AES-256 > instead ? > Why are you using a hash twice the size of the bit strength required, > and chop it off, isn't HMAC supposedly not affected by birthday > attacks ? > > I can guess at the rationale of some of these choices (some of it was > discussed in IETF meetings/lists), but it would be nice to have a > section that explains the choice or even just a reference to some other > document that does. > > Regards, > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > _______________________________________________ > Kitten mailing list > Kitten@ietf.org > https://www.ietf.org/mailman/listinfo/kitten > -- Mike Jenkins mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk m.jenkins.364706@gmail.com - to read everywhere else 443-634-3951
- [kitten] I-D Action: draft-ietf-kitten-aes-cts-hm… internet-drafts
- Re: [kitten] I-D Action: draft-ietf-kitten-aes-ct… Simo Sorce
- Re: [kitten] I-D Action: draft-ietf-kitten-aes-ct… Michael Jenkins
- Re: [kitten] I-D Action: draft-ietf-kitten-aes-ct… Benjamin Kaduk
- Re: [kitten] I-D Action: draft-ietf-kitten-aes-ct… Michael Jenkins
- Re: [kitten] I-D Action: draft-ietf-kitten-aes-ct… Simo Sorce