Re: [saag] errata dilemma for HOTP: An HMAC-Based One-Time Password Algorithm

Paul Wouters <paul.wouters@aiven.io> Fri, 04 August 2023 14:33 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67E2DC14EB1E for <saag@ietfa.amsl.com>; Fri, 4 Aug 2023 07:33:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lRowrSSUtlVS for <saag@ietfa.amsl.com>; Fri, 4 Aug 2023 07:33:23 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD1F3C15108A for <saag@ietf.org>; Fri, 4 Aug 2023 07:33:07 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-52222562f1eso2826746a12.3 for <saag@ietf.org>; Fri, 04 Aug 2023 07:33:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1691159585; x=1691764385; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=X6Jx/Jkqjj3QX5yKta8+4GUF4TG6l/SZBThV5qtNz1U=; b=enpmuaSWJRgKfJacl4Zb2ukW9GJaL8tR0Zzvty+2NTmEqINMCJtLhA9mJFFoKwC9Ua z/KuAhWMBBlifyglH99cqt8XjjkgBKA+tbq/Sat5W/+3tHP3QDc9jr4KVbSzIaTSEzmB psHhLkUQ5vZ2d5s8VbYg9mDNmfrunCSUn77jI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691159585; x=1691764385; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=X6Jx/Jkqjj3QX5yKta8+4GUF4TG6l/SZBThV5qtNz1U=; b=D5iONgi2auEppiFRzQKTIaKyRt79IJ/PZeXi0RNoGJ/nv00HL61jo0IKtB2v9NW5nx WXNa25pamEgOb4ioBFauC7WlqWu5cRx8sJ/BMKUo8e8aAWmZpbzn3rG3J+8fof6vvNO+ s5BTgYGn3Tp4WtrGo3D9tJ+TtYA2W+jF6EQJAmdZLWFoy6sMnmLzrn5D8Dun6WDNs9nE rr9xpoYDY6rshWZq8FVEbFMXFgh2rK5QYYox/bd2U6QV25b+uzgDWhA+2VNR47g1Jg/l 9xfxzJv49+63++CgCFM97qpAhDnHMkDp0qTInyR4yupSx63H4D+Hg315XDjmYn8a6ivJ D1kA==
X-Gm-Message-State: AOJu0YzvJ50hKEPZ1HliCriHk2B5Lld2tqwNiFHEo0Zge0xoVCHMheby 4zgVv8uJVJ0Cmog4WJaaDMnixUG1P0+M3NFkAGldmwcuXEl96HlVIfo=
X-Google-Smtp-Source: AGHT+IFOXteTtOxZn2x66lUdXeBKOyNhjkxRGL1Oa5ba/0L702IHr+SCROB5wl2mhVlHf3Omy9L1naWrf1ZDyVcwYHQ=
X-Received: by 2002:aa7:d358:0:b0:51d:f5bd:5a88 with SMTP id m24-20020aa7d358000000b0051df5bd5a88mr1758558edr.38.1691159585512; Fri, 04 Aug 2023 07:33:05 -0700 (PDT)
MIME-Version: 1.0
References: <CAGL5yWZk-D72XAwzBrOBZ3W22534tiXAVWA9sC+xBnQZwA6_3A@mail.gmail.com> <871qgj2332.fsf@kaka.sjd.se>
In-Reply-To: <871qgj2332.fsf@kaka.sjd.se>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Fri, 04 Aug 2023 10:32:54 -0400
Message-ID: <CAGL5yWb4zCkvKAAPbwnTy3qCCnJ2J+K=fVeNmiVEcGKv_G+S9g@mail.gmail.com>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
Cc: IETF SAAG <saag@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005b0f33060219c6c3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kqty8xVsWeUkycQBj9Fd54UaTOU>
Subject: Re: [saag] errata dilemma for HOTP: An HMAC-Based One-Time Password Algorithm
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2023 14:33:28 -0000

Simon,

I think your proposal is the right fix, especially since you have interop
cases that work, and we have no one speaking up about having used the other
interpretation. I'll give it a few more days for people to respond, and if
I hear no other views, will proceed with that.

Thanks!

Paul

On Thu, Aug 3, 2023 at 6:07 PM Simon Josefsson <simon=
40josefsson.org@dmarc.ietf.org> wrote:

> Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org> writes:
>
> > I looked at some erratas (to do my part of reducing our list) and noticed
> > this interesting errata:
> >
> > https://www.rfc-editor.org/errata/eid6756
> >
> > It talks about the HOTP algorithm and the errata proposal points out:
> >
> > Section 5.3 says:
> >
> > Let OffsetBits be the low-order 4 bits of String[19]
> >
> > It should say:
> >
> > Let OffsetBits be the low-order 4 bits of the last byte of String
>
> I disagree -- this wording in the HOTP RFC is not the source of the
> problem.  HOTP is not specified for non-SHA1.
>
> > For the HMAC-SHA1 case, the last byte is string[19], but for the newer
> > SHMAC-SHA2 cases this is not true.
> > These are specified in RFC 6238 where it states:
> >
> >    TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions,
> >    based on SHA-256 or SHA-512 [SHA2
> > <https://datatracker.ietf.org/doc/html/rfc6238#ref-SHA2>] hash
> > functions, instead of the
> >    HMAC-SHA-1 function that has been specified for the HOTP computation
> >    in [RFC4226 <https://datatracker.ietf.org/doc/html/rfc4226>].
>
> This part of the TOTP RFC is the problem.  That is not a sufficiently
> precise specification of how to use HOTP with SHA-256 or SHA-512.
>
> > The main issue now is if anyone has implemented the 6238 TOTP with the
> SHA2
> > variant, did they interpret the reference to RFC 4226 as to be using the
> > 19th byte of the HMAC-SHA2 string or the last byte?
>
> OATH Toolkit uses the last byte:
>
>
> https://gitlab.com/oath-toolkit/oath-toolkit/-/blob/7ba54a8e08ceb1b958d66cee0dd42b187a7a69c3/liboath/hotp.c#L120
>
> TOTP with SHA256/512 is not as widely used as SHA1 but I think we have
> interop with several implementations.
>
> > This might have already caused interoperability issues. But issuing an
> > errata (whether for 4226 or 6238) might cause people to again write
> > non-interoperable implementations.
>
> I think we should add an errata for 6238, after the paragraph you quote
> above:
>
>   In section 5.1 of HOTP, we intend String[19] to be interpreted as
>   String[HashSize - 1] where Hashsize is 32 for HMAC-SHA-256 and 64 for
>   HMAC-SHA-512.
>
> > That is, I honestly don't know if rejecting or accepting an errata on
> this
> > topic might make things better or worse.
> >
> > Does anyone know some implementers of this? If so, which flavour did they
> > use? Or do they try both to work around this issue?
> >
> > Should we do a short Update: for 6238 that tells people to "try both" to
> > resolve this issue?
>
> If we don't have evidence of wide-spread deployment of both approaches,
> please let's not encourage the "try both" approach.  It may sound like a
> simple protocol change but results in awful increase in complexity for
> implementaters.
>
> /Simon
>