Re: [saag] errata dilemma for HOTP: An HMAC-Based One-Time Password Algorithm
Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 03 August 2023 04:16 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15474C16950D for <saag@ietfa.amsl.com>; Wed, 2 Aug 2023 21:16:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.61
X-Spam-Level:
X-Spam-Status: No, score=-1.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, PDS_BAD_THREAD_QP_64=0.999, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZNZNloahw6Nq for <saag@ietfa.amsl.com>; Wed, 2 Aug 2023 21:16:23 -0700 (PDT)
Received: from au-smtp-delivery-117.mimecast.com (au-smtp-delivery-117.mimecast.com [103.96.23.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F8D0C16950C for <saag@ietf.org>; Wed, 2 Aug 2023 21:16:22 -0700 (PDT)
Received: from AUS01-SY4-obe.outbound.protection.outlook.com (mail-sy4aus01lp2174.outbound.protection.outlook.com [104.47.71.174]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id au-mta-84-91b7KUVQMueZGWqwd4K9ig-1; Thu, 03 Aug 2023 14:16:17 +1000
X-MC-Unique: 91b7KUVQMueZGWqwd4K9ig-1
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com (2603:10c6:10:10b::10) by ME3PR01MB8024.ausprd01.prod.outlook.com (2603:10c6:220:191::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6631.47; Thu, 3 Aug 2023 04:16:13 +0000
Received: from SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::bf58:2f51:e8e2:758b]) by SY4PR01MB6251.ausprd01.prod.outlook.com ([fe80::bf58:2f51:e8e2:758b%7]) with mapi id 15.20.6631.046; Thu, 3 Aug 2023 04:16:13 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, IETF SAAG <saag@ietf.org>
Thread-Topic: [saag] errata dilemma for HOTP: An HMAC-Based One-Time Password Algorithm
Thread-Index: AQHZxbIFrw2ieFWn0EG4cOkca4ZeOq/X9t7e
Date: Thu, 03 Aug 2023 04:16:13 +0000
Message-ID: <SY4PR01MB6251F5297BD8F26BCFD46C5BEE08A@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <CAGL5yWZk-D72XAwzBrOBZ3W22534tiXAVWA9sC+xBnQZwA6_3A@mail.gmail.com>
In-Reply-To: <CAGL5yWZk-D72XAwzBrOBZ3W22534tiXAVWA9sC+xBnQZwA6_3A@mail.gmail.com>
Accept-Language: en-NZ, en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SY4PR01MB6251:EE_|ME3PR01MB8024:EE_
x-ms-office365-filtering-correlation-id: 33497753-cb64-424a-d841-08db93d8602f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: /qKNgsqxEqCCpOIH3WzmQiopxT3Otde/Wc9StS8thixDy0VGkpZrk5DfGooUbO0d26swuDG5G+CA5aVYt5w/dne5cPUp9kkyseabH0BlXn/6RlxBSgspWLXCptF8cEFcSKgpejpEPwykieG8ShtQEqz7Vhh9vfu0jSl/C82JcLrqkd50JVLq2H0LJADx+qYi3TU7ggMYi+k9L1yfPhlothLCyFp3zgrEj+zjGe14XCLBcbm9ybexhv2HfogV/o6DJLIrh/N5HhM1pDzew9KadR56PT8Di4MsAWTlRnjCgLpqFVh9IG1BTYCBLHgfCetZeT/8f/JTqUugAkkt6LHwO0VdoGdqihmA3LUxrOlBM2i2VpnhglA3nwWiYmJUcAEIhhe+n5+RhBydud+vlglbKotioHm26QwU3eDnMn4/D4MvWVZfANgFd2z2IaYmiP/MBbj496FouI4KoB+CBgRDRvxBsEVTN4a1xtZDCigdiIa8Z8jtHdVU/JDwUXJcYPI7TTYCCHiA1FunhfQX8lntLhiXLGUzM69fpGk2bgxMxOXIHdroa+a9oWdK3WQSa7LgX4y/CWgvT9iaH0vI+fUeDYV3mTnQavatVVwmx1dv+lqVlTTAhvznoC2Mv1GqQbC0
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SY4PR01MB6251.ausprd01.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(376002)(346002)(396003)(39860400002)(136003)(366004)(451199021)(4744005)(478600001)(33656002)(86362001)(9686003)(7696005)(71200400001)(786003)(316002)(8676002)(8936002)(41300700001)(5660300002)(66446008)(66556008)(66476007)(64756008)(52536014)(55016003)(110136005)(76116006)(2906002)(38100700002)(66946007)(38070700005)(6506007)(186003)(122000001); DIR:OUT; SFP:1101
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: IdRgO81hjLCQ6JINkUtsEoCxzD6N/VfHwS2SM8BPvSTE47eiWyEidKOjjd36wyiSCinEtUfRejO64LWSMbeIRLbBJ/S9PaA6qw4tvySPI75V0XA+4sCn0YA4ore4h7Af44zHaqx3r+HRqHpTgt0Xrb1ip27ReN5LXn6/pxqi3WZZ7DxOg5kcvs5K+nyFdvd0sRANqGJSYQyndMLwQuNmeKlcOWk8y6yJdOIHrh3mF1r2oxyccWsGjyWxJFmiPlBsSBJdMQgVmQoiYHzpZXSS87Nvu3+evs/4GhGvL3rz7UclxfzXjDx5fuQfqv/owl4csvsgOp892FURoy/O7yAOzGM5Ci2CAkw8Er9Gl82PQeu/jZQAQOOPJ71cJCWGkTJtHx9l0jHZG56ORXjanC+AH5BVhUVWL9Tyh1Fk8TzXkW/4Uzjr4hpZiI5anMPmHFfsz6feiwt3kGunpFidEV/tUgllHMiGDw6nmacYtTgObdJJsF/vmL340OXoLeQaGFCY3AlJSHx5Qf+MvrnsBukMgAaggauiv78VPQFISRbuv4SGdbxqNA8gHTYxfNjFmXW4YlRDdMrOH2IY8QKlad3AzZ4qt0cHpdqIRLjSVgxlvtjMyik2hb17paUcFo7uLQplXIQLczRCj9+PJvQk/SH1CI2hSGdpCmDnUQQBSlSXRnisDlXJ+0yiugmksbFoVXdcf2QlJu5vA3KToCrxwqKEpQBm8BfKwvwDt2nWZFOP4oFEMVnXybpxE7qp20B6LohGUY52/VFERXQEiUPDoFOYyf5ET0zl7WG6kdcgkrg9hf2AOYLxbbczb0jVGx2I8p6aXOn73Hf5v7PMHDAf0D6Og49wFBNMM0c5s7+l3NN0GK9qyHd1uP1l1hVzVIfgwRgMTDyReK/O5+ZUne/Az64U79tRl7D4j/fwWPRYUJVoLMKQE+hmTNr09MLUS4YfF4HBspwUlFjcrBKhDIFhRjujEtpVWjDTRHeBtQZMCUzUvORYWrWfU82ylDjQvI0j8P78M7nwj2j7OVXQKhQQHkH/SPvei6IYeNyk/lL7R0eW/tlytnEPB2u5EcYEExhBzB53fzLsqCuXpxKIXZoeL98xZ6CQqJ4wSqw883LO8liaHnJ1tljMfvL+t3MFHRDNvl4T819+3yUnaLu5878CAn1XnjbQRj2aLhWrE56Ilq/Vf80VWcLh83sWdVtwdyup+mvpC2xcGhyb8gdY7PUxLNKlFl0zUPdU33W5pXqn1tXoHW1SwQlXbOBOSPpkP8uTqlQzyI7L98jWiqPD5AHOFVp+x95MBkQmL/o3a7VS486qvkHR67RwxJKzNQoQoRt8NwtPXOhCGZEwZkPdiH/AuZae/YTmtXnOTcOJDqNEX697yXvrOLL6I6gwdzAayCekukjyXdVJhDd1rKubAR+wD3YM7C6Mbhh08DLOIY6xHZHlvQuS8q1UpeKOCwoLcplawOfJCvLkbj4gJb6O3cYQRjegcgM8qiQzduag6fwJRhVKywS6tazohQNR6HMkjiYoDKkRfdMLGTrguxAU8YTVWwZzUrfHhGw4/0vcUf/10jeX/xVZYqeEJ1MdCBmLOluZzRAGJ6U2zxSmh70fA08JGLZH0BwohRcXm4HCWBujmeqJoAX6IhYl1hjkljiCo7Rnbodp
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SY4PR01MB6251.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 33497753-cb64-424a-d841-08db93d8602f
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Aug 2023 04:16:13.8583 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Tdt90TozmNJf0XJY+b3TMN0TFJ86MXf/uuxahl9PAxyJ4vH+TYHyhs3LKVtY5N1pDuO/ViCT2ZWWH2e1aWl2wLjRCbHFI3nnYCJ25q/DOrA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ME3PR01MB8024
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: cs.auckland.ac.nz
Content-Language: en-NZ
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/2pwoCLqH9DWLNXEZtIIiziv-_38>
Subject: Re: [saag] errata dilemma for HOTP: An HMAC-Based One-Time Password Algorithm
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2023 04:16:29 -0000
Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org> writes: >The main issue now is if anyone has implemented the 6238 TOTP with the SHA2 >variant, did they interpret the reference to RFC 4226 as to be using the >19th byte of the HMAC-SHA2 string or the last byte? I haven't, but if I did the logical way to do it would be to take the last byte, not a byte from some arbitrary position inside the hash. I would accept the erratum but then also write an RFC to cover SHA-2 use rather than rely on a sort of COME FROM suggestion in a random different RFC, 6238, to control what's going on in 4226. Having said that, there are, probably several billion deployed implementations of HMAC-SHA1 based TOTP and no good reason to use SHA-2 instead, so it seems like a moot problem. If anything I'd say "don't use HMAC-SHA2 unless you really enjoy trying to boil the ocean". Peter.
- [saag] errata dilemma for HOTP: An HMAC-Based One… Paul Wouters
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Peter Gutmann
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Simon Josefsson
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Paul Wouters
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Tero Kivinen
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Simon Josefsson
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Alan DeKok
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Paul Wouters
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Carsten Bormann
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… aebecke@uwe.nsa.gov