Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-sha2-06
Greg Hudson <ghudson@mit.edu> Mon, 20 April 2015 17:24 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 590501A035F for <kitten@ietfa.amsl.com>; Mon, 20 Apr 2015 10:24:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.611
X-Spam-Level:
X-Spam-Status: No, score=-3.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id myJtbWd_qHuG for <kitten@ietfa.amsl.com>; Mon, 20 Apr 2015 10:24:31 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A67581A8773 for <kitten@ietf.org>; Mon, 20 Apr 2015 10:24:31 -0700 (PDT)
X-AuditID: 1209190e-f79a76d000000d1b-a2-5535364e3657
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 2E.58.03355.E4635355; Mon, 20 Apr 2015 13:24:30 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id t3KHOO4J014659; Mon, 20 Apr 2015 13:24:24 -0400
Received: from [18.101.8.198] (vpn-18-101-8-198.mit.edu [18.101.8.198]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t3KHOMT3011458 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 20 Apr 2015 13:24:23 -0400
Message-ID: <55353646.2020009@mit.edu>
Date: Mon, 20 Apr 2015 13:24:22 -0400
From: Greg Hudson <ghudson@mit.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Michael Peck <mpeck1@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>
References: <alpine.GSO.1.10.1503301227280.22210@multics.mit.edu> <alpine.GSO.1.10.1504171407190.22210@multics.mit.edu> <CAKbsn2L9Ebo4JmAC=3PNdwm+ZtazvYcDdmT16M7W7mdk1qi-QA@mail.gmail.com>
In-Reply-To: <CAKbsn2L9Ebo4JmAC=3PNdwm+ZtazvYcDdmT16M7W7mdk1qi-QA@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJIsWRmVeSWpSXmKPExsUixCmqrOtnZhpqMOu3mMXRzatYLH71NbM6 MHnsnHWX3WPJkp9MAUxRXDYpqTmZZalF+nYJXBl/rq1iLfglUtF7/xJ7A+NtgS5GTg4JAROJ cwsOM0PYYhIX7q1nA7GFBBYzSRzozeli5AKyNzJKHL16nB3COcIkMXfHHxaQKl4BNYktHVfY QWwWAVWJje8+s4LYbALKEuv3bwWrERUIk5j2+zkrRL2gxMmZT8DiIgLOEs9PHWMCsZkFhCUu bN8LViMs4CIxa8sKqGV7GCW+rlgLVsQpEChx8udbFogGPYkd13+xQtjyEs1bZzNPYBSchWTH LCRls5CULWBkXsUom5JbpZubmJlTnJqsW5ycmJeXWqRrrJebWaKXmlK6iREcwpJ8Oxi/HlQ6 xCjAwajEwythaBIqxJpYVlyZe4hRkoNJSZR3rrZpqBBfUn5KZUZicUZ8UWlOavEhRgkOZiUR XkF2oBxvSmJlVWpRPkxKmoNFSZx30w++ECGB9MSS1OzU1ILUIpisDAeHkgTvQxOgRsGi1PTU irTMnBKENBMHJ8hwHqDhV0BqeIsLEnOLM9Mh8qcYFaXEeV+DJARAEhmleXC9sBTzilEc6BVh XglToCoeYHqC634FNJgJaHDcNhOQwSWJCCmpBkahNW777dX/9zvcXval0Vh+z8I072erba/f nvnf1nuGdGmS6cbAyC7+b8eUJlg9MDL5yHpZbOnpI9tkDk4+8iU7o8T46+s3xgcPbXO4+2Pz jKYvs5hc6iqbdl/4FeQ6aaLTJ4dJZvVf/Uy3TJ0kW/gl1yNd5GJkdSNHkkVzzEIPn8bJ83XW ae9WYinOSDTUYi4qTgQAnto1qAwDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/Zppwfsh5OyZVLQSK-ot_k5Wy6o0>
Cc: kitten@ietf.org
Subject: Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-sha2-06
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Apr 2015 17:24:33 -0000
On 04/20/2015 11:56 AM, Michael Peck wrote: > Our draft's current practice of truncating the pseudo-random function > output to 128 bits (for enctype aes128-cts-hmac-sha256-128) and 256 bits > (for enctype aes256-cts-hmac-sha384-192) rather than providing the full > HMAC output has the benefit of discouraging misuse of the output. If > the full HMAC output is returned by the PRF, I'd be afraid it may imply > an output of 256 or 384 bit strength when the maximum strength is in > reality limited to 128 or 256. It's not clear to me the potential ways > the PRF output might be used - certainly I could see both appropriate > and inappropriate ways to use the output. To the best of my knowledge, all current users of the RFC 3961 PRF have a fixed amount of desired output, and iterate and truncate the PRF function to produce the number of desired bytes. See the definitions of PRF+ in RFC 4402 and RFC 6112. So, for example, if someone asks for 256 bits of PRF output (e.g. via gss_pseudo_random()) and the enctype is aes128-cts-hmac-sha256-128 with the PRF truncated to 128 bits. The user will wind up invoking PRF(K, 00 00 00 00 || string) PRF(K, 00 00 00 01 || string) and concatenating the results. The application has not in any way been discouraged from producing a 256-bit string with only 2^128 possible values; it has merely been made twice as slow. > If the working group prefers the full output be returned, we can do that > and could attempt to address it in the security considerations. I think the audience of this enctype's security considerations is mainly implementors of the enctype. Applications aren't written to specific enctypes; they are written to RFC 3961 or a higher layer. If you want to say something about the inherently limited entropy of the PRF output then I won't object, but I don't think it is necessary or useful. > We > provide the PRF definition to comply with the RFC 3961 framework but > would probably prefer a NIST SP 800-108 KDF be used to derive keys for > other uses. I could see the PRF output potentially being used as the Ki > key derivation key input to a NIST SP 800-108 KDF for those who want to > use that. The PRF+ construction is pretty similar to the KDF used in the aes-sha2 draft, except that it doesn't append a length to the end of each PRF invocation's input string. I believe the only potential problem there is that PRF+(K, 256, S) will be an extension of PRF+(K, 128, S) rather than a totally different value. That's a potential safety issue, but as long as callers use different S values for different kinds of keys, it's not a real problem.
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Benjamin Kaduk
- [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-s… Benjamin Kaduk
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Greg Hudson
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Benjamin Kaduk
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Greg Hudson
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Jeffrey Altman
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Benjamin Kaduk
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Michael Jenkins
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Jeffrey Altman
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Greg Hudson
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Weijun Wang
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Greg Hudson
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Luke Howard
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Viktor Dukhovni
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… D.Rogers
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Luke Howard
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Viktor Dukhovni
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… D.Rogers
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Benjamin Kaduk
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Nico Williams
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Nico Williams
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Nico Williams
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Nico Williams
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Nico Williams
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Michael Peck
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Viktor Dukhovni
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Greg Hudson
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Nico Williams
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Benjamin Kaduk
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Benjamin Kaduk
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Benjamin Kaduk
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Benjamin Kaduk
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Nico Williams
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Benjamin Kaduk
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Jeffrey Altman
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Michael Peck
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Greg Hudson
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Benjamin Kaduk
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Jeffrey Altman
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Michael Jenkins
- Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hm… Jeffrey Altman