Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 03 July 2016 09:57 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3024E12D08F for <kitten@ietfa.amsl.com>; Sun, 3 Jul 2016 02:57:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level:
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EFWh7PX56K89 for <kitten@ietfa.amsl.com>; Sun, 3 Jul 2016 02:57:11 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D637B12B074 for <kitten@ietf.org>; Sun, 3 Jul 2016 02:57:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 689F8BE47; Sun, 3 Jul 2016 10:57:09 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8i1ToIZ6fdJw; Sun, 3 Jul 2016 10:57:07 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 30F66BE3F; Sun, 3 Jul 2016 10:57:07 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1467539827; bh=5TdbplPFE6kVC51r9n7lMdqaDNk2IZhDhe5vumIy0a8=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=PRI7A+gNk47/HC30PMXFqUSQ80LX+JAWlO4NGozK6zweTLtegp2hib66mq/pINyFf dmqdxD0chF1zSZvWvZMq86YxB1g7RYsz55mrylbYPET6tt4RtPzJ6VpzMG0gLvJnLh GwL+K3dJF60IOMEbhhuisRI8a7wTxLLTZfGMu14g=
To: Jeffrey Altman <jaltman@secure-endpoints.com>, Luke Howard <lukeh@padl.com>, Benjamin Kaduk <kaduk@MIT.EDU>
References: <alpine.GSO.1.10.1606261730110.18480@multics.mit.edu> <CAC2=hncg3HftSt4JPz0ZT6+wtrKd1zSdoc+jPhStHvf4ZtwaqQ@mail.gmail.com> <alpine.GSO.1.10.1606272147210.18480@multics.mit.edu> <677848B0-17A4-47A6-93EB-F9939654DBAC@padl.com> <12304a67-7cd8-9010-7164-abfd0a47d0d4@secure-endpoints.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <5778E173.3020707@cs.tcd.ie>
Date: Sun, 03 Jul 2016 10:57:07 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <12304a67-7cd8-9010-7164-abfd0a47d0d4@secure-endpoints.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040307060605070204020206"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/qabJtv1as5_Fh524b-EMaWoTyKk>
Cc: kitten@ietf.org, draft-ietf-kitten-aes-cts-hmac-sha2@tools.ietf.org
Subject: Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Jul 2016 09:57:13 -0000

Hiya,

I nearly just started the IETF last call for this, but then
noticed these emails;-) Please ignore any status change
emails you may have seen.

Chairs - please tell me when you want me to start IETF LC.

I did my AD review of it, and modulo this discussion being
resolved, I think it's ready to go ahead.

Thanks,
S.

On 28/06/16 12:58, Jeffrey Altman wrote:
> +1
> 
> On 6/28/2016 3:21 AM, Luke Howard wrote:
>> I reckon let's do it "properly" even if at the expense of redundant text.
>>
>> Sent from my iPhone
>>
>>> On 28 Jun 2016, at 11:49, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>>>
>>> Thanks, Michael.
>>>
>>> If the WG does want to treat the PRF octet-string input as a SP800-108
>>> context and use a zero-byte separator, it seems like the "quick-and-dirty"
>>> patch would be to just stick one in after "prf" and then there would be
>>> another (somewhat superfluous) one appended after the octet-string by
>>> KDF-HMAC-SHA2.  That might be easier than essentially inlining the
>>> definitino of KDF-HMAC-SHA2 for just the PRF calculation.
>>>
>>> -Ben
>>>
>>>> On Mon, 27 Jun 2016, Michael Jenkins wrote:
>>>>
>>>> Ben,
>>>>
>>>> we'll get started on these.
>>>>
>>>>> On Sun, Jun 26, 2016 at 11:03 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>>>>
>>>>> Hi Michael et al,
>>>>>
>>>>> As I was preparing the shepherd writeup for this document, I noticed some
>>>>> things that do not block the progression of the document but do require
>>>>> changes, and one item that may require further WG input.  Can you prepare
>>>>> a new version with the changes mentioned below?
>>>>>
>>>>> The one item which would potentially affect the actual protocol: at the
>>>>> end of Section 5, the pseudo-random function seems to be using a SP800-108
>>>>> KDF but omits the zero byte between label and context.  I think it would
>>>>> be better to have the zero byte -- do you remember whether there was a
>>>>> reason to omit it?  (Adding the zero byte would require re-rolling some
>>>>> test vectors, to be clear.)
>>>>>
>>>>> Additionally, all document authors will need to confirm compliance with
>>>>> BCPs 78 and 79 for this document, namely that there are no intellectual
>>>>> property concerns with the document that are not already disclosed.
>>>>>
>>>>> Please add a normative reference to RFC 2104 for HMAC, first mentioned at
>>>>> the end of Section 1.
>>>>>
>>>>> In Section 3, it might aid clarity to mention that the 0x00000001 input to
>>>>> HMAC() is the 'i' parameter from SP800-108 [indicating that this is the
>>>>> first block of output, even though it is the only block of output as
>>>>> well].
>>>>>
>>>>> In Section 4, it might be worth re-mentioning "where PBKDF2 is the
>>>>> function of that name from RFC 2898" after the algorithm block, since most
>>>>> everything else used there also gets clarified.  (It is already cited at
>>>>> the beginning of the section, in the overview paragraph.)
>>>>>
>>>>> The document should be consistent about using "cipher state" as one word
>>>>> or two (RFC 3961 prefers the two-word form).  It also makes a rather
>>>>> sudden appearance at the beginning of Section 5 with no explanatory
>>>>> introduction; it might help the reader to instead start with "The RFC 3961
>>>>> cipher state that maintains cryptographic state across different
>>>>> encryption operations using the same key is used as the formal
>>>>> initialization vector [...]" On the next page, "cipherstate" is defined as
>>>>> "a 128-bit initialization vector derived from the ciphertext", which is
>>>>> potentially misleading, since it can't be both used as the IV for and
>>>>> derived from the same ciphertext!  Probably it's better to say "derived
>>>>> from a previous (if any) ciphertext using the same encryption key, as
>>>>> specified below".
>>>>>
>>>>> Still in Section 5, in the definition of the encryption function (well,
>>>>> computing the cipherstate, really), I'm of two minds whether it's worth
>>>>> mentioning that the case of L < 128 is impossible because of the 128-bit
>>>>> confounder.
>>>>>
>>>>> In the decryption function, can you add a note to the right of "(C, H) =
>>>>> ciphertext" that "[H is the last h bits of the ciphertext]"?
>>>>>
>>>>> In the pseudo-random function, please replace "base-key" with "input-key",
>>>>> since the key input to the PRF is not expected to be a kerberos protocol
>>>>> long-term base key.
>>>>>
>>>>> In Section 6, the "associated cryptosystem"s are supposed to be
>>>>> "AES-128-CTS" or "AES-256-CTS", but those strings do not appear elsewhere
>>>>> in the document.  While the meaning is pretty clear, it's probably better
>>>>> to just say "aes128-cts-hmac-sha256-128 or aes256-cts-hmac-sha384-192 as
>>>>> appropriate".  This does duplicate the preceding text, but we do want to
>>>>> explicitly list the "associated encryption algorithm" as listed in the
>>>>> Checksum Algorithm Profile of Section 4 of RFC 3961.
>>>>>
>>>>> In Section 8.1, the acronym "TGT" is used, the only instance in the
>>>>> document.  It's also potentially misleading, since ticket-granting tickets
>>>>> are generally objects that are issued to client principals by the AS.
>>>>> I'd go with "Cross-realm krbtgt keys" instead.
>>>>>
>>>>> The test vectors for key derivation have a parenthetical "constant =
>>>>> 0x...", but the term "constant" does not appear elsewhere in the document.
>>>>> The hex values are the label input for the HMAC, so we should call them
>>>>> that.
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ben
>>>>
>>>>
>>>>
>>>> --
>>>> Mike Jenkins
>>>> mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk
>>>> m.jenkins.364706@gmail.com - to read everywhere
>>>> 443-634-3951
>>>
>>> _______________________________________________
>>> Kitten mailing list
>>> Kitten@ietf.org
>>> https://www.ietf.org/mailman/listinfo/kitten
>>
>> _______________________________________________
>> Kitten mailing list
>> Kitten@ietf.org
>> https://www.ietf.org/mailman/listinfo/kitten
>>
> 
> 
> 
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten
>