[saag] Re: Errata 6576 - HOTP

Simon Josefsson <simon@josefsson.org> Fri, 07 March 2025 18:16 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: saag@mail2.ietf.org
Delivered-To: saag@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4190A8EAD57 for <saag@mail2.ietf.org>; Fri, 7 Mar 2025 10:16:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.401
X-Spam-Level:
X-Spam-Status: No, score=-4.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=josefsson.org header.b="XTw/79qC"; dkim=pass (2736-bit key) header.d=josefsson.org header.b="cMiUSL+Q"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aUqJoCirSC1x for <saag@mail2.ietf.org>; Fri, 7 Mar 2025 10:16:18 -0800 (PST)
Received: from uggla.sjd.se (uggla.sjd.se [IPv6:2001:9b1:8633::107]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 33FF78EAD41 for <saag@ietf.org>; Fri, 7 Mar 2025 10:16:18 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=ed2303; h=Content-Type:MIME-Version:Message-ID:Date: References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=U6FUvqgbo9I1D53DScNn9ZT63R5C0ipCjof3RIQ4HRQ=; t=1741371372; x=1742580972; b=XTw/79qCPzqT75vUEMr2YbX/D3UOfB8ZHLwKZHxLAuUGB+fxeGBjDM2RZEIAimYyDdsx+XlNe4Y huOK3kXVrCQ==;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=josefsson.org; s=rsa2303; h=Content-Type:MIME-Version:Message-ID:Date: References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=U6FUvqgbo9I1D53DScNn9ZT63R5C0ipCjof3RIQ4HRQ=; t=1741371372; x=1742580972; b=cMiUSL+Q2mLd7XcRPF4ky3eoMKBXwSvqoDU9VigEPZ6wal5usRUZi2iIZHn/RIL4On3OgUa5pe3 sotbQGKi2xDNMZViLMU0CilhULVhjmcG+fTQH9SOGyX5HlMZ/B10CfvKaPTn4jgbH/4wBEze+W8un DNVVtEuW7TINV21FrcWAyOFDIRKrYxfvDt5xa9wF6SKXgsbTuQnkv1zw+v2VBGkaNPJuXI33++i96 dSyO/s/ROtFp5Mg8kWAdfwodUKQf88mFJlFGsT0YI16H9Pkr5aMy6FGvqBueTD5NV8ulJ5vugkEIt WUMN48jpImUzNZo6c8VAEQIi0w50539y7+IpD7qf2lcvlB8qyfpcMBPmdtWSunxIraBjPBvYwXxer A5YeG+f5JgFIQWVqUaloTYVwfW6lgQ9E35wque+PsevdHTjOU+f79o+uw/lZzBdvjxGLULzdK;
Received: from h-178-174-130-130.a498.priv.bahnhof.se ([178.174.130.130]:54652 helo=kaka) by uggla.sjd.se with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <simon@josefsson.org>) id 1tqcF0-007qmc-M3; Fri, 07 Mar 2025 18:16:10 +0000
From: Simon Josefsson <simon@josefsson.org>
To: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <ad9a04e7-36e4-4c6e-ab96-d80ad4691ddc@nthpermutation.com> (Michael StJohns's message of "Fri, 7 Mar 2025 12:53:07 -0500")
References: <ad9a04e7-36e4-4c6e-ab96-d80ad4691ddc@nthpermutation.com>
OpenPGP: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
X-Hashcash: 1:23:250307:msj@nthpermutation.com::InmFv2OQkvOx6NGG:7PP7
X-Hashcash: 1:23:250307:saag@ietf.org::qwCSv7hMDA3hY/yo:LE50
Date: Fri, 07 Mar 2025 19:15:47 +0100
Message-ID: <877c50lnak.fsf@josefsson.org>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Message-ID-Hash: 6N2ZXLERNFU3SALZAAQGNNTK6MBG2QYJ
X-Message-ID-Hash: 6N2ZXLERNFU3SALZAAQGNNTK6MBG2QYJ
X-MailFrom: simon@josefsson.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-saag.ietf.org-0; header-match-saag.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "saag@ietf.org" <saag@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [saag] Re: Errata 6576 - HOTP
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/H8_joqW1SWfwai3JkxxcfvOem-4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Owner: <mailto:saag-owner@ietf.org>
List-Post: <mailto:saag@ietf.org>
List-Subscribe: <mailto:saag-join@ietf.org>
List-Unsubscribe: <mailto:saag-leave@ietf.org>

Michael StJohns <msj@nthpermutation.com> writes:

> https://www.rfc-editor.org/errata/eid6756
>
>
>        RFC 4226 <https://www.rfc-editor.org/rfc/rfc4226>, "HOTP: An
>        HMAC-Based One-Time Password Algorithm", December 2005
>
> Another problem with the same document.
>
> Recommend: Accept.
>
> The reference implementations cited match this described behavior and
> specifying the last byte of the HMAC makes more sense than always the
> 20th byte (correct for HMACSHA1 only).

While that is a change needed to implement RFC 6238 (HOTP SHA2), I don't
think that is a proper fix RFC 4226 which is SHA1-only.

If anything needs to be clarified, I think it should be an errata to RFC
6238 to explain that section 5.3 of RFC 4226 has to modified in this way
in order to implement SHA2.  A new bis document could be prepared that
merged RFC 4226 and RFC 6238 including clarifications.

/Simon