Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
Benjamin Kaduk <kaduk@MIT.EDU> Tue, 28 June 2016 01:49 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90C4412DAD4 for <kitten@ietfa.amsl.com>; Mon, 27 Jun 2016 18:49:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.627
X-Spam-Level:
X-Spam-Status: No, score=-5.627 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DgbbKu4zpyln for <kitten@ietfa.amsl.com>; Mon, 27 Jun 2016 18:49:56 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5413712DAD1 for <kitten@ietf.org>; Mon, 27 Jun 2016 18:49:55 -0700 (PDT)
X-AuditID: 12074423-88bff70000004bf8-79-5771d7c1f58f
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id F4.02.19448.1C7D1775; Mon, 27 Jun 2016 21:49:54 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id u5S1nq9S023246; Mon, 27 Jun 2016 21:49:53 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u5S1nntx010281 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 27 Jun 2016 21:49:52 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u5S1nnqp000396; Mon, 27 Jun 2016 21:49:49 -0400 (EDT)
Date: Mon, 27 Jun 2016 21:49:48 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Michael Jenkins <m.jenkins.364706@gmail.com>
In-Reply-To: <CAC2=hncg3HftSt4JPz0ZT6+wtrKd1zSdoc+jPhStHvf4ZtwaqQ@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1606272147210.18480@multics.mit.edu>
References: <alpine.GSO.1.10.1606261730110.18480@multics.mit.edu> <CAC2=hncg3HftSt4JPz0ZT6+wtrKd1zSdoc+jPhStHvf4ZtwaqQ@mail.gmail.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrNIsWRmVeSWpSXmKPExsUixCmqrXvoemG4waf3PBZbb35ntDi6eRWL xbJvV9kcmD12zrrL7rFkyU8mjy+XP7MFMEdx2aSk5mSWpRbp2yVwZeza+Zex4LFaxfWnLxgb GC/JdTFyckgImEicWvKHGcQWEmhjklgyMaeLkQvI3sgoceHAAWYI5xCTxLwfrSwQTgOjxNLr T4EyHBwsAtoSc3+7gnSzCahIzHyzkQ3EFhEwkFg0aR2YzSzgLrHt/z5WEFtYwEpi673p7CA2 p0CgRFPzNrAaXgFHiRPbnrJDzG9jlLi54y4TSEJUQEdi9f4pLBBFghInZz5hgRiqJbF8+jaW CYwCs5CkZiFJLWBkWsUom5JbpZubmJlTnJqsW5ycmJeXWqRrppebWaKXmlK6iREUpuwuyjsY X/Z5H2IU4GBU4uHdUVcYLsSaWFZcmXuIUZKDSUmU99REoBBfUn5KZUZicUZ8UWlOavEhRgkO ZiUR3vyrQDnelMTKqtSifJiUNAeLkjgvIwMDg5BAemJJanZqakFqEUxWhoNDSYL34TWgRsGi 1PTUirTMnBKENBMHJ8hwHqDhbNdBhhcXJOYWZ6ZD5E8xKkqJ83aANAuAJDJK8+B6wWlkN5Pq K0ZxoFeEeW+BVPEAUxBc9yugwUxAg1mr80EGlyQipKQaGBkSL8tcsF7vn+BRzfzk8qP3e0/t TvFLm3Xq1xHRnymBu3Y3L2g8oHSpgC3b6eGelS3++dx7bxaXGPrnKgm+lC54KxG9qD5vauVf Jq7k3w+zgsVKV67Pl/oT9ipsK1tm/Iou78g2hwklCUmJZ282P/LunhFyO/fm088rfYr2fl1V tit+TmzuRCWW4oxEQy3mouJEAELtfXf+AgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/dI8RBCLpjun0R81QTW__LuSBCMY>
Cc: kitten@ietf.org, draft-ietf-kitten-aes-cts-hmac-sha2@tools.ietf.org
Subject: Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2016 01:49:57 -0000
Thanks, Michael. If the WG does want to treat the PRF octet-string input as a SP800-108 context and use a zero-byte separator, it seems like the "quick-and-dirty" patch would be to just stick one in after "prf" and then there would be another (somewhat superfluous) one appended after the octet-string by KDF-HMAC-SHA2. That might be easier than essentially inlining the definitino of KDF-HMAC-SHA2 for just the PRF calculation. -Ben On Mon, 27 Jun 2016, Michael Jenkins wrote: > Ben, > > we'll get started on these. > > On Sun, Jun 26, 2016 at 11:03 PM, Benjamin Kaduk <kaduk@mit.edu> wrote: > > > Hi Michael et al, > > > > As I was preparing the shepherd writeup for this document, I noticed some > > things that do not block the progression of the document but do require > > changes, and one item that may require further WG input. Can you prepare > > a new version with the changes mentioned below? > > > > The one item which would potentially affect the actual protocol: at the > > end of Section 5, the pseudo-random function seems to be using a SP800-108 > > KDF but omits the zero byte between label and context. I think it would > > be better to have the zero byte -- do you remember whether there was a > > reason to omit it? (Adding the zero byte would require re-rolling some > > test vectors, to be clear.) > > > > Additionally, all document authors will need to confirm compliance with > > BCPs 78 and 79 for this document, namely that there are no intellectual > > property concerns with the document that are not already disclosed. > > > > Please add a normative reference to RFC 2104 for HMAC, first mentioned at > > the end of Section 1. > > > > In Section 3, it might aid clarity to mention that the 0x00000001 input to > > HMAC() is the 'i' parameter from SP800-108 [indicating that this is the > > first block of output, even though it is the only block of output as > > well]. > > > > In Section 4, it might be worth re-mentioning "where PBKDF2 is the > > function of that name from RFC 2898" after the algorithm block, since most > > everything else used there also gets clarified. (It is already cited at > > the beginning of the section, in the overview paragraph.) > > > > The document should be consistent about using "cipher state" as one word > > or two (RFC 3961 prefers the two-word form). It also makes a rather > > sudden appearance at the beginning of Section 5 with no explanatory > > introduction; it might help the reader to instead start with "The RFC 3961 > > cipher state that maintains cryptographic state across different > > encryption operations using the same key is used as the formal > > initialization vector [...]" On the next page, "cipherstate" is defined as > > "a 128-bit initialization vector derived from the ciphertext", which is > > potentially misleading, since it can't be both used as the IV for and > > derived from the same ciphertext! Probably it's better to say "derived > > from a previous (if any) ciphertext using the same encryption key, as > > specified below". > > > > Still in Section 5, in the definition of the encryption function (well, > > computing the cipherstate, really), I'm of two minds whether it's worth > > mentioning that the case of L < 128 is impossible because of the 128-bit > > confounder. > > > > In the decryption function, can you add a note to the right of "(C, H) = > > ciphertext" that "[H is the last h bits of the ciphertext]"? > > > > In the pseudo-random function, please replace "base-key" with "input-key", > > since the key input to the PRF is not expected to be a kerberos protocol > > long-term base key. > > > > In Section 6, the "associated cryptosystem"s are supposed to be > > "AES-128-CTS" or "AES-256-CTS", but those strings do not appear elsewhere > > in the document. While the meaning is pretty clear, it's probably better > > to just say "aes128-cts-hmac-sha256-128 or aes256-cts-hmac-sha384-192 as > > appropriate". This does duplicate the preceding text, but we do want to > > explicitly list the "associated encryption algorithm" as listed in the > > Checksum Algorithm Profile of Section 4 of RFC 3961. > > > > In Section 8.1, the acronym "TGT" is used, the only instance in the > > document. It's also potentially misleading, since ticket-granting tickets > > are generally objects that are issued to client principals by the AS. > > I'd go with "Cross-realm krbtgt keys" instead. > > > > The test vectors for key derivation have a parenthetical "constant = > > 0x...", but the term "constant" does not appear elsewhere in the document. > > The hex values are the label input for the HMAC, so we should call them > > that. > > > > > > Thanks, > > > > Ben > > > > > > -- > Mike Jenkins > mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk > m.jenkins.364706@gmail.com - to read everywhere > 443-634-3951 >
- Re: [kitten] shepherd review of draft-aes-cts-hma… Jeffrey Altman
- Re: [kitten] shepherd review of draft-aes-cts-hma… Matt Miller (mamille2)
- Re: [kitten] shepherd review of draft-aes-cts-hma… Stephen Farrell
- Re: [kitten] shepherd review of draft-aes-cts-hma… Jeffrey Altman
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- Re: [kitten] shepherd review of draft-aes-cts-hma… Michael Jenkins
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- [kitten] shepherd review of draft-aes-cts-hmac-sh… Benjamin Kaduk