Re: Comments on draft-ietf-kitten-krb5-gssapi-prf-03.txt

[Sam Hartman <hartmans-ietf@mit.edu>]

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes:

    Nicolas> On Mon, May 23, 2005 at 02:13:55PM -0400, Blumenthal, Uri
    Nicolas> wrote:
    >> Sounds fine. Do we want to elaborate, like explain that since
    >> PRF is a PSEUDO-random function, it does have a [usually rather
    >> long] cycle after which the values start repeating, and we're
    >> trying to avoid it?

    Nicolas> I don't care -- as long as we get done with this pair of
    Nicolas> I-Ds :)

    Nicolas> Also, I'm not sure that the period is the issue here --
    Nicolas> for each call the periodicity issue is handled already in
    Nicolas> section 2.  The issue is that at some point a PRF can
    Nicolas> start leaking data.  I imagine GSS_Pseudo_random() being
    Nicolas> used to make an XOR encryption pad, for example -- after
    Nicolas> a while but well before the underlying PRG/PRF's period
    Nicolas> is reached we may have other weaknesses in it leak
    Nicolas> information through the pad, parts of which might be
    Nicolas> recoverable by attackers that know any of the plaintext
    Nicolas> being encrypted.  IANAC, but this seems difficult to
    Nicolas> explain, particularly in the generic function definition,
    Nicolas> rather than in the mechanims'.

Hmm, I'd consider using a PRF to construct a stream cipher a fine use
of a PRF if a bit odd in GSS.  I'd certainly expect reasonable crypto
to deal appropriately in this case.

    Nicolas> So I think vague text is the best I can do here, though I
    Nicolas> welcome suggestions -- I'm sure others can do better than
    Nicolas> :)

I agree vague text is the answer.  I'd recommend avoiding specific
numbers.


_______________________________________________
Kitten mailing list
Kitten@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten