Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
Benjamin Kaduk <kaduk@MIT.EDU> Mon, 27 June 2016 14:15 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 394D812D505 for <kitten@ietfa.amsl.com>; Mon, 27 Jun 2016 07:15:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.627
X-Spam-Level:
X-Spam-Status: No, score=-5.627 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xXTUYDFCMmiB for <kitten@ietfa.amsl.com>; Mon, 27 Jun 2016 07:14:59 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97B2312D552 for <kitten@ietf.org>; Mon, 27 Jun 2016 07:14:48 -0700 (PDT)
X-AuditID: 12074425-ebfff70000001189-d8-577134d68e08
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id BF.97.04489.6D431775; Mon, 27 Jun 2016 10:14:47 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id u5REEkHk032283; Mon, 27 Jun 2016 10:14:46 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u5REEgrd029443 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 27 Jun 2016 10:14:44 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u5REEfkp001417; Mon, 27 Jun 2016 10:14:41 -0400 (EDT)
Date: Mon, 27 Jun 2016 10:14:41 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Luke Howard <lukeh@padl.com>
In-Reply-To: <5596DB1C-B1AA-4C5B-94B6-3FA033B8161E@padl.com>
Message-ID: <alpine.GSO.1.10.1606271001090.18480@multics.mit.edu>
References: <alpine.GSO.1.10.1606261730110.18480@multics.mit.edu> <5596DB1C-B1AA-4C5B-94B6-3FA033B8161E@padl.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-266937439-1467036881=:18480"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuplleLIzCtJLcpLzFFi42IRYrdT0b1uUhhusHyOusXWm98ZLY5uXsVi cffSf3aLZd+usjmweOycdZfdY8mSn0wecz9MY/H4cvkzWwBLFJdNSmpOZllqkb5dAlfGx5Un 2Ap+iFWcWrmErYHxiFAXIyeHhICJxJyjK1m6GLk4hATamCQ2TnnBDOFsZJT4vwXGOcQk8fjl SVYIp4FRYtr5P8wg/SwC2hJ9u+YxgthsAioSM99sZAOxRQQUJCbvXwvWzSwwm1Fi3uLz7CAJ YQFniduvusGaOQVsJH49/AHWwCvgKPH0VDsTiC0kUCjRtugqWL2ogI7E6v1TWCBqBCVOznwC ZHMADQ2QmPHTZAKjwCwkmVkIGZAws4C6ROODs2wQtrbE/ZttbAsYWVYxyqbkVunmJmbmFKcm 6xYnJ+blpRbpWujlZpbopaaUbmIEh7qL6g7GOX+9DjEKcDAq8fBqyBeEC7EmlhVX5h5ilORg UhLl3fYoN1yILyk/pTIjsTgjvqg0J7X4EKMEB7OSCK8rMMKEeFMSK6tSi/JhUtIcLErivIwM DAxCAumJJanZqakFqUUwWRkODiUJXj6QRsGi1PTUirTMnBKENBMHJ8hwHqDhimDDiwsSc4sz 0yHypxgVpcR55xgDJQRAEhmleXC94FS0m0n1FaM40CvCvL9BqniAaQyu+xXQYCagwazV+SCD SxIRUlINjF0pmly3jsiJd9/6yfluxvVeWzvP5rqm+lVbf6RueMBz/1CZJ7eUf2/Y9QlTzZ8q +XQVea3yy7kQw3DP829L/v5c3rZlr5R05S1NQ17avgrg426QP2m3kUva90lo4NUpitPVXvh8 zf+z61SajdPbY/MmJjGv3M/D3qf6aRtnrWJzeHbiWtNSJZbijERDLeai4kQAopPi6CADAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/rKcjJtM0ZzDQ6PiAhen52dRYnIw>
Cc: "kitten@ietf.org" <kitten@ietf.org>, draft-ietf-kitten-aes-cts-hmac-sha2@tools.ietf.org
Subject: Re: [kitten] shepherd review of draft-aes-cts-hmac-sha2-09
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2016 14:15:02 -0000
On Mon, 27 Jun 2016, Luke Howard wrote:
> > The one item which would potentially affect the actual protocol: at the
> > end of Section 5, the pseudo-random function seems to be using a SP800-108
> > KDF but omits the zero byte between label and context. I think it would
> > be better to have the zero byte -- do you remember whether there was a
> > reason to omit it? (Adding the zero byte would require re-rolling some
> > test vectors, to be clear.)
>
> The PRF is defined in terms of KDF-HMAC-SHA2() which implicitly inserts
> the zero byte when invoking HMAC-SHA-256(), e.g.:
>
> PRF = KDF-HMAC-SHA2(base-key, "prf" | octet-string, 256)
> = k-truncate(HMAC-SHA-256(key, 0x00000001 | "prf" | octet-string | 0x00 | 256))
>
> if I’m not mistaken? Pretty sure our implementation passed the test vectors.
I think that SP800-108 would have it be
[counter] | [label] | 0x00 | [context] | [output-length]
with the NUL between label and context, not between context and
output-length.
Its definitions are:
%%%%%%%%%%%
3) Label
A string that identifies the purpose for the derived keying material,
which is encoded as a binary string. The encoding method for the Label is
defined in a larger context, for example, in the protocol that uses a KDF.
4) Context
A binary string containing the information related to the derived keying
material. It may include identities of parties who are deriving and/or
using the derived keying material and, optionally, a nonce known by the
parties who derive the keys.
%%%%%%%%%%%
For the PRF, the octet-string input is pretty clearly something
specifically known to the parties who derive the keys, which seems like a
context.
For the use of KDF-HMAC-SHA2 elsewhere in the document, e.g. for deriving
Kc, Ke, and Ki, the line between label and context is less clear, since we
invoke it as (e.g.)
Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 128)
and the 0x99 is defined by the protocol and would plausibly still be part
of the label.
As I recall, the PRF was something of a late addition, and if the
KDF-HMAC-SHA2 construct was defined originally for password key derivation
and deriving Kc/Ke/Ki, that would explain why there was not thought about
having a proper SP800-108 context that would also need separation.
(SP800-108 has the context as optional ("One or more of these fixed input
data fields may be omitted unless required for certain purposes as
discussed in Section 7.5 and Section 7.6."), which is fine and would apply
for the non-PRF cases here.)
-Ben
- Re: [kitten] shepherd review of draft-aes-cts-hma… Jeffrey Altman
- Re: [kitten] shepherd review of draft-aes-cts-hma… Matt Miller (mamille2)
- Re: [kitten] shepherd review of draft-aes-cts-hma… Stephen Farrell
- Re: [kitten] shepherd review of draft-aes-cts-hma… Jeffrey Altman
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- Re: [kitten] shepherd review of draft-aes-cts-hma… Michael Jenkins
- Re: [kitten] shepherd review of draft-aes-cts-hma… Benjamin Kaduk
- Re: [kitten] shepherd review of draft-aes-cts-hma… Luke Howard
- [kitten] shepherd review of draft-aes-cts-hmac-sh… Benjamin Kaduk