Re: [OPSAWG] Stephen Farrell's Discuss on draft-ietf-opsawg-hmac-sha-2-usm-snmp-06: (with DISCUSS)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 14 May 2015 13:42 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B13481B29EC; Thu, 14 May 2015 06:42:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.61
X-Spam-Level:
X-Spam-Status: No, score=-3.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4aShmf5AG5iL; Thu, 14 May 2015 06:42:03 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E26721B29EF; Thu, 14 May 2015 06:40:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 8ECA5BEAF; Thu, 14 May 2015 14:40:16 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5fvZlCTGszNZ; Thu, 14 May 2015 14:40:16 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 411D6BEAA; Thu, 14 May 2015 14:40:16 +0100 (IST)
Message-ID: <5554A5BF.3050004@cs.tcd.ie>
Date: Thu, 14 May 2015 14:40:15 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: "t.petch" <ietfc@btconnect.com>, The IESG <iesg@ietf.org>
References: <20150514090925.17639.73092.idtracker@ietfa.amsl.com> <04ac01d08e48$7b643a60$4001a8c0@gateway.2wire.net>
In-Reply-To: <04ac01d08e48$7b643a60$4001a8c0@gateway.2wire.net>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/dZWFsoBM_W_6qdL5hR3rppNyB7Y>
Cc: draft-ietf-opsawg-hmac-sha-2-usm-snmp.shepherd@ietf.org, opsawg@ietf.org, draft-ietf-opsawg-hmac-sha-2-usm-snmp@ietf.org, opsawg-chairs@ietf.org, draft-ietf-opsawg-hmac-sha-2-usm-snmp.ad@ietf.org
Subject: Re: [OPSAWG] Stephen Farrell's Discuss on draft-ietf-opsawg-hmac-sha-2-usm-snmp-06: (with DISCUSS)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2015 13:42:05 -0000
Hiya, On 14/05/15 14:18, t.petch wrote: > ----- Original Message ----- > From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie> > To: "The IESG" <iesg@ietf.org> > Sent: Thursday, May 14, 2015 10:09 AM > > >> Stephen Farrell has entered the following ballot position for >> draft-ietf-opsawg-hmac-sha-2-usm-snmp-06: Discuss >> >> The document, along with other ballot positions, can be found here: >> > https://datatracker.ietf.org/doc/draft-ietf-opsawg-hmac-sha-2-usm-snmp/ >> >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> Thanks for defining these. I do have a thing do briefly >> discuss before balloting yes. I'll be getting out of your way >> very shortly, but I want to check first to see if you agree >> with me that this could be simpler and more useful. >> >> I note the following: >> >> - You're defining a bunch of HMAC options. >> - Additional options for fun isn't a good idea with crypto. >> - There may be platforms that do not have good APIs for >> SHA224 or SHA384. >> - HMAC-SHA256 without any truncation is considered perfectly >> fine for this purpose and is widely used elsewhere. >> - You don't need truncation for protocol reasons. >> >> To me, that implies that this would be better if it *only* >> defined a non-truncated HMAC-SHA256 option and if all of the >> rest were removed. >> >> Do you agree that doing so would achieve just as much of a >> security improvement, but with less complexity for >> implementation, test and interop? If so, should we just do >> that? >> > > Stephen, > > This was raised prior to adoption by OPSAWG, advice was sought and Uri > Blumenthal said, 23 Sep 14 > > " > I am for HMAC truncation. > " > and > " > There probably is no doubt that protocols based on SHA-256 and SHA-384 > need to be there. SHA-512 might cause some raised brows, as could > SHA-224. > I still would add them - SHA-512 as SHOULD, and SHA-224 as MAY. > " > which convinced me to support the current position. (At one stage, the > list was even longer:-). Yeah, that's the problem with advice I guess - it's not always the same:-) I'll clear the discuss since the WG considered the issue (even if briefly) and because there are matters of personal preference here where good folks differ. But fwiw I still think adding more unnecessary options as is being done here is just a bad plan so I'm holding my nose whilst doing that;-) In case it helps, my main logic for not wanting all these options is that it is overwhelmingly more likely that the code to switch between them or react to which you've received or to configure things will (due to bugs etc.) weaken security much much much more than the existence of more than one of these options could ever strengthen security. (Put another way the probability of a security bug due to adding N things here is far far higher than the probability that having N things saves the day when N-1 of them are no longer considered good crypto at some point.) So by defining more of these you are doing worse than if you only defined one of these. (The fact that all sha2 digests have the same internal structure is part of but not all of this argument.) On truncation, I'd argue that if that was a significant benefit then it'd be used everywhere and it is not. In fact I don't believe truncation is used anywhere else when there's no protocol (e.g. PDU/fragmentation) issue that causes us to want shorter MACs. I also believe that even those who for truncation would agree that the benefit of reasonable-length truncation is definitely an insignificant benefit, if any, and would also agree that that's a matter of taste when it comes to sha2 variants of hmac (assuming the protocol can live with full length, as in this case). Bottom line: I'll clear and get out of the way, but with a heartfelt plea that you ditch all of these but one. And then ditch truncation too. And so end up with just adding hmac-sha2 as many other protocols have done. S. > > Tom Petch >
- [OPSAWG] Stephen Farrell's Discuss on draft-ietf-… Stephen Farrell
- Re: [OPSAWG] Stephen Farrell's Discuss on draft-i… t.petch
- Re: [OPSAWG] Stephen Farrell's Discuss on draft-i… Stephen Farrell