Re: [saag] Improving the CHAP protocol

"Mark D. Baushke" <mdb@juniper.net> Wed, 18 September 2019 15:48 UTC

To: Maurizio Lombardi <mlombard@redhat.com>
CC: saag@ietf.org
Comments: In-reply-to: Maurizio Lombardi <mlombard@redhat.com> message dated "Wed, 18 Sep 2019 14:25:23 +0200."
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/VuiZjoECkRAhh4_-jw_P1mIRlCA>

Hi Maurizio,

Summary: SHA2-512/256 looks good to me. You may also wish to consider
         SHAKE128(M,256) or SHAKE256(M,256) generating 256 bits.

Long reply:

See "Comparing Hardware Performance of Round 3 SHA-3 Candidates using
Multiple Hardware Architectures in Xilinx and Altera FPGAs" 
https://pdfs.semanticscholar.org/20e2/3a26384b0edc4a218d2d180f0658c1c9a05f.pdf
and look for Keccak vs SHA-2 results.

Doing SHA3 in hardware is going to be faster than doing SHA2 in
hardware.

Doing SHA3 in software is going to be much slower than doing SHA2 in
software.

Comparing SHA2-256 to SHA2-512/256 in software depends on the native
size of a CPU word.

On a 64-bit CPU, I believe that doing a SHA2-256 will be slower than
doing a SHA2-512/256 on the order of 30% (best to run your own
benchmarks using something like 'openssl speed').

Per FIPS Publication 202, for SHA3, to get 256 bits of hash, there are
alternatives: SHA3-256, and the two Extendable-Output Functions (XOF):
SHAKE128 and SHAKE256. (There is no definition for SHA3-512/256.)

I have not done any software performance analysis of SHA3 functionality,
however, https://keccak.team/2017/is_sha3_slow.html shows that the XOF
functions are on par in performance with SHA-2 on common
processors.

Considering longer term safety of the 256-bit hashes...

The SHA2-512/256 keeps an internal state of 1024 bits and displays only
256 bits of the finished hash. While SHA2-256 keeps an internal state of
512 bits and displays half of it (256 bits), so from a data hiding point
of view it should be more secure to use SHA2-512/256.

As the intention is cryptographic agility, I think that adding
SHA2-512/256 is a good idea.

It may also be desirable to consult with your FIPS experts to determine
if SHAKE{128,256} is acceptable to generate the 256 bits needed and be
FIPS 140-2 compliant.

	-- Mark
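
An added example, not part of the message above: a local benchmark in the spirit of "run your own benchmarks", producing a 256-bit CHAP response with each hash the message names. The response construction H(identifier || secret || challenge) is taken from RFC 1994; the secret, challenge, and all function names are constructed for illustration.

```python
import hashlib
import time

# Each candidate from the message, mapped to a function returning 32 bytes.
# SHAKE is an XOF, so the output length is chosen at digest time.
CANDIDATES = {
    "SHA2-256": lambda m: hashlib.sha256(m).digest(),
    "SHA3-256": lambda m: hashlib.sha3_256(m).digest(),
    "SHAKE128(M,256)": lambda m: hashlib.shake_128(m).digest(32),
    "SHAKE256(M,256)": lambda m: hashlib.shake_256(m).digest(32),
}

# SHA2-512/256 is provided by the linked OpenSSL and is missing from some
# builds, so probe for it instead of assuming it exists.
try:
    hashlib.new("sha512_256")
    CANDIDATES["SHA2-512/256"] = lambda m: hashlib.new("sha512_256", m).digest()
except ValueError:
    pass


def chap_response(alg, ident, secret, challenge):
    """RFC 1994 response: H(identifier octet || secret || challenge)."""
    return CANDIDATES[alg](bytes([ident & 0xFF]) + secret + challenge)


def throughput_mb_s(alg, size=1 << 20, rounds=20):
    """Hash `rounds` buffers of `size` zero bytes; return MB/s on this host."""
    buf = bytes(size)
    fn = CANDIDATES[alg]
    start = time.perf_counter()
    for _ in range(rounds):
        fn(buf)
    elapsed = time.perf_counter() - start
    return size * rounds / elapsed / 1e6


if __name__ == "__main__":
    secret = b"constructed-secret"      # constructed sample value
    challenge = bytes(range(16))        # constructed sample challenge
    for alg in CANDIDATES:
        resp = chap_response(alg, 1, secret, challenge)
        # CHAP inputs are tiny, so report small-message speed as well.
        small = throughput_mb_s(alg, size=64, rounds=20000)
        bulk = throughput_mb_s(alg)
        print(f"{alg:16} {small:8.1f} MB/s @64B {bulk:8.1f} MB/s @1MiB "
              f"{resp.hex()[:16]}...")
```

Numbers vary with CPU word size and with the OpenSSL build behind `hashlib`, so compare results only on the target platform.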