Re: [saag] saag Digest, Vol 178, Issue 2

Derrell Piper <ddp@electric-loft.org> Thu, 03 August 2023 19:32 UTC

Return-Path: <ddp@electric-loft.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3CDCC15154F for <saag@ietfa.amsl.com>; Thu, 3 Aug 2023 12:32:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kIR01fEglzvc for <saag@ietfa.amsl.com>; Thu, 3 Aug 2023 12:32:34 -0700 (PDT)
Received: from Mail1.Yoyodyne.COM (mail1.yoyodyne.com [IPv6:2604:4ec0:1000::7]) by ietfa.amsl.com (Postfix) with SMTP id 9F3EDC15154D for <saag@ietf.org>; Thu, 3 Aug 2023 12:32:34 -0700 (PDT)
Received: from smtpclient.apple ([2603:3024:1703:d6a0:91b6:d7a:2424:f235]) by Mail1.Yoyodyne.COM via Internet for <saag@ietf.org>; Thu, 3 Aug 2023 12:32:33 PDT
From: Derrell Piper <ddp@electric-loft.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_59D4D3D5-15B7-42CA-89AA-51D4D01A7AF9"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Thu, 03 Aug 2023 12:32:23 -0700
References: <mailman.110.1691089203.13084.saag@ietf.org>
To: saag@ietf.org
In-Reply-To: <mailman.110.1691089203.13084.saag@ietf.org>
Message-Id: <CB9E96D5-68AA-4D28-8AF3-7D413BAC499B@electric-loft.org>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/eGrITFlRRS_qEQDMM9u8BcQ4T1w>
Subject: Re: [saag] saag Digest, Vol 178, Issue 2
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2023 19:32:38 -0000

> 
> From: Paul Wouters <paul.wouters@aiven.io>
> Subject: [saag] errata dilemma for HOTP: An HMAC-Based One-Time Password Algorithm
> Date: August 2, 2023 at 7:26:35 PM PDT
> To: IETF SAAG <saag@ietf.org>
> 
> 
> I looked at some erratas (to do my part of reducing our list) and noticed this interesting errata:
> 
> https://www.rfc-editor.org/errata/eid6756
> 
> It talks about the HOTP algorithm and the errata proposal points out:
> 
> Section 5.3 says:
> 
> Let OffsetBits be the low-order 4 bits of String[19]
> It should say:
> 
> Let OffsetBits be the low-order 4 bits of the last byte of String
> 
> For the HMAC-SHA1 case, the last byte is string[19], but for the newer SHMAC-SHA2 cases this is not true.
> These are specified in RFC 6238 where it states:
> 
>    TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
>    based on SHA-256 or SHA-512 [SHA2 <https://datatracker.ietf.org/doc/html/rfc6238#ref-SHA2>] hash functions, instead of the
>    HMAC-SHA-1 function that has been specified for the HOTP computation
>    in [RFC4226 <https://datatracker.ietf.org/doc/html/rfc4226>].
> The main issue now is if anyone has implemented the 6238 TOTP with the SHA2 variant, did they interpret the reference to RFC 4226 as to be using the 19th byte of the HMAC-SHA2 string or the last byte? This might have already caused interoperability issues. But issuing an errata (whether for 4226 or 6238) might cause people to again write non-interoperable implementations.
> 
> That is, I honestly don't know if rejecting or accepting an errata on this topic might make things better or worse.
> 
> Does anyone know some implementers of this? If so, which flavour did they use? Or do they try both to work around this issue?
> 
> Should we do a short Update: for 6238 that tells people to "try both" to resolve this issue?
> 

I would, and I’d probably add a section 5.3 to explain, given the large number of already deployed implementations.
> Paul
> 
> From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
> Subject: Re: [saag] errata dilemma for HOTP: An HMAC-Based One-Time Password Algorithm
> Date: August 2, 2023 at 9:16:13 PM PDT
> To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, IETF SAAG <saag@ietf.org>
> 
> 
> Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org> writes:
> 
>> The main issue now is if anyone has implemented the 6238 TOTP with the SHA2 
>> variant, did they interpret the reference to RFC 4226 as to be using the 
>> 19th byte of the HMAC-SHA2 string or the last byte?
> 
> I haven't, but if I did the logical way to do it would be to take the last 
> byte, not a byte from some arbitrary position inside the hash.  I would 
> accept the erratum but then also write an RFC to cover SHA-2 use rather than
> rely on a sort of COME FROM suggestion in a random different RFC, 6238, to 
> control what's going on in 4226.
> 
> Having said that, there are, probably several billion deployed 
> implementations of HMAC-SHA1 based TOTP and no good reason to use SHA-2
> instead, so it seems like a moot problem.  If anything I'd say "don't use
> HMAC-SHA2 unless you really enjoy trying to boil the ocean".
> 
> Peter.