Re: [kitten] WGLC on draft-ietf-kitten-aes-cts-hmac-sha2-06

Benjamin Kaduk <kaduk@MIT.EDU> Fri, 17 April 2015 20:41 UTC

To: Nico Williams <nico@cryptonector.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/dWUIN10TALxd_qGluF5MaNchhiw>
Cc: kitten@ietf.org

On Wed, 15 Apr 2015, Nico Williams wrote:

> Eh?  The KDF is a truncation of the PRF.  The PRF is not truncated.
>
> From the draft:
>
>    When the encryption type is aes128-cts-hmac-sha256-128, the output
>    key length k is 128 bits for all applications of KDF-HMAC-SHA2(key,
>    constant) which is computed as follows:
>
>      K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80)
>      KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))
>               ^^^^
>
> The "SHA2" there must be a cut-n-paste error, otherwise it looks right
> to me.

It is not a cut/paste error; they are defining KDF-HMAC-SHA2() one way for
the 128-bit case, and below KDF-HMAC-SHA2() is defined for the 256-bit
case.

Greg doesn't like this implicitness and requested an explicit length
parameter be used.

-Ben
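
The explicit-length form discussed in this message, written out in Python as an added example; it is not code from the message or from the draft. Assumptions: random-to-key is the identity, the length field is k as a 32-bit big-endian integer (matching the quoted 00 00 00 80 for 128 bits), and the `hash_name` parameter, the sample key and the sample constant are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs, not test vectors from the draft.
SAMPLE_KEY = bytes(range(16))
SAMPLE_CONSTANT = b"\x00\x00\x00\x02\xaa"


def kdf_hmac_sha2(key: bytes, constant: bytes, k: int,
                  hash_name: str = "sha256") -> bytes:
    """k-truncate(HMAC(key, 00 00 00 01 | constant | 00 | k)), k in bits."""
    digest_bits = hashlib.new(hash_name).digest_size * 8
    if k <= 0 or k % 8:
        raise ValueError("k must be a positive multiple of 8 bits")
    if k > digest_bits:
        # One HMAC block is all this construction produces.
        raise ValueError(f"k={k} exceeds the {digest_bits}-bit {hash_name} output")
    # Counter 1, the constant, a zero separator, then the requested length.
    msg = b"\x00\x00\x00\x01" + constant + b"\x00" + struct.pack(">I", k)
    k1 = hmac.new(key, msg, hash_name).digest()
    return k1[: k // 8]  # k-truncate keeps the first k bits


def kdf_implicit_128(key: bytes, constant: bytes) -> bytes:
    """The quoted 128-bit definition, with the length hard-wired."""
    msg = b"\x00\x00\x00\x01" + constant + b"\x00" + b"\x00\x00\x00\x80"
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def length_is_bound(key: bytes, constant: bytes) -> bool:
    """True if the 128-bit output is not a prefix of the 256-bit output.

    Because k is part of the HMAC input, asking for a different length
    gives an unrelated key rather than a longer cut of the same K1.
    """
    short = kdf_hmac_sha2(key, constant, 128)
    longer = kdf_hmac_sha2(key, constant, 256)
    return not longer.startswith(short)


if __name__ == "__main__":
    explicit = kdf_hmac_sha2(SAMPLE_KEY, SAMPLE_CONSTANT, 128)
    print("explicit k=128 matches implicit form:",
          explicit == kdf_implicit_128(SAMPLE_KEY, SAMPLE_CONSTANT))
    print("length bound into output:",
          length_is_bound(SAMPLE_KEY, SAMPLE_CONSTANT))
```

With k passed explicitly, a caller cannot silently pick up the wrong definition for its enctype: the length is visible at the call site and a request longer than the hash output is rejected.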