[saag] errata dilemma for HOTP: An HMAC-Based One-Time Password Algorithm
Paul Wouters <paul.wouters@aiven.io> Thu, 03 August 2023 02:26 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7DE9C15198E for <saag@ietfa.amsl.com>; Wed, 2 Aug 2023 19:26:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qy2s0B9yLXJO for <saag@ietfa.amsl.com>; Wed, 2 Aug 2023 19:26:48 -0700 (PDT)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 541C1C14CF1B for <saag@ietf.org>; Wed, 2 Aug 2023 19:26:48 -0700 (PDT)
Received: by mail-ed1-x535.google.com with SMTP id 4fb4d7f45d1cf-52256241c50so479143a12.3 for <saag@ietf.org>; Wed, 02 Aug 2023 19:26:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1691029606; x=1691634406; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=zGiBPCuLiniXjkjn9ey97KasO85bfEr6YqF+6+8Ymmg=; b=F31uxzNnBpwFKglYdZzX7jBYE1XTSsZOvAhYFzR9kk408+ExgvVco/0B1KEC8YnkaJ X++llzyW5Ruhhn/Jhy2uBBliaCW/81eGYFnH2JyA8c1irmAjWvTYnbpEIk9nG42Porvf jMNfXU9Qzr9JTF2w72u2pLiCwppOzN0aoROv0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691029606; x=1691634406; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=zGiBPCuLiniXjkjn9ey97KasO85bfEr6YqF+6+8Ymmg=; b=PUUtfoW1U/7meKbKRLFON3Sii5u+cWqBD9mBViANwzvOjm/FRhZ/2wCvb6DkOnDcfH GHu+uqIM9lBsEkSly6PsN4dExZtFAHXepKD0qmOPKSPphLrUbU8WYX/oWNedHsTKCd/9 3XeGh/QDFHJTV7wnSTIwB3Br5bHE0SYUs4N4BRL86KYFmD6vIbSGXUWvCXYPTZ9M18H2 WGErH1505HLdo/QBFq7eKvA7IKjyV2Gzt2BP+YbVWKtsCyRB8QbLAMCA/HQ4tNRbEV6B I779xDNSXH4OXRnRLhN4MA3nQlZGGiYYnu3w3YowNZA1Ah9P3s/eVPXCWHDbBNuvlF6b Qh1Q==
X-Gm-Message-State: ABy/qLbNOgGqURE8O563VOQldz5qG7hSeZlXO1KoOx11zqSUhSybXArL +IC6ZrJaNXr5gYLYunJtCD/3EHQSEolwPC0HlN35AUHunEaDXz6kpLE=
X-Google-Smtp-Source: APBJJlHTX6qVxVUnFf67cmCaVgF+uOinPN7f3BD3cFTUr7Hx3g2UqqhVeFifa4fIltVPigJ2sOhwLssl4eoQVKxaqCQ=
X-Received: by 2002:a05:6402:3d8:b0:522:2ba9:6fce with SMTP id t24-20020a05640203d800b005222ba96fcemr7295233edw.8.1691029606246; Wed, 02 Aug 2023 19:26:46 -0700 (PDT)
MIME-Version: 1.0
From: Paul Wouters <paul.wouters@aiven.io>
Date: Wed, 02 Aug 2023 22:26:35 -0400
Message-ID: <CAGL5yWZk-D72XAwzBrOBZ3W22534tiXAVWA9sC+xBnQZwA6_3A@mail.gmail.com>
To: IETF SAAG <saag@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fc74f90601fb82fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ftC3GfJdrknbo1HVkttc9S8nBSA>
Subject: [saag] errata dilemma for HOTP: An HMAC-Based One-Time Password Algorithm
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2023 02:26:52 -0000
I looked at some erratas (to do my part of reducing our list) and noticed this interesting errata: https://www.rfc-editor.org/errata/eid6756 It talks about the HOTP algorithm and the errata proposal points out: Section 5.3 says: Let OffsetBits be the low-order 4 bits of String[19] It should say: Let OffsetBits be the low-order 4 bits of the last byte of String For the HMAC-SHA1 case, the last byte is string[19], but for the newer SHMAC-SHA2 cases this is not true. These are specified in RFC 6238 where it states: TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 [SHA2 <https://datatracker.ietf.org/doc/html/rfc6238#ref-SHA2>] hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in [RFC4226 <https://datatracker.ietf.org/doc/html/rfc4226>]. The main issue now is if anyone has implemented the 6238 TOTP with the SHA2 variant, did they interpret the reference to RFC 4226 as to be using the 19th byte of the HMAC-SHA2 string or the last byte? This might have already caused interoperability issues. But issuing an errata (whether for 4226 or 6238) might cause people to again write non-interoperable implementations. That is, I honestly don't know if rejecting or accepting an errata on this topic might make things better or worse. Does anyone know some implementers of this? If so, which flavour did they use? Or do they try both to work around this issue? Should we do a short Update: for 6238 that tells people to "try both" to resolve this issue? Paul
- [saag] errata dilemma for HOTP: An HMAC-Based One… Paul Wouters
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Peter Gutmann
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Simon Josefsson
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Paul Wouters
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Tero Kivinen
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Simon Josefsson
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Alan DeKok
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Paul Wouters
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… Carsten Bormann
- Re: [saag] errata dilemma for HOTP: An HMAC-Based… aebecke@uwe.nsa.gov