[saag] Please review/comment on draft-moskowitz-hip-new-crypto-02

Robert Moskowitz <rgm-sec@htt-consult.com> Thu, 03 October 2019 15:48 UTC

Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C643E120850 for <saag@ietfa.amsl.com>; Thu, 3 Oct 2019 08:48:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G7O6YcFT558e for <saag@ietfa.amsl.com>; Thu, 3 Oct 2019 08:48:08 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C1E91200B6 for <saag@ietf.org>; Thu, 3 Oct 2019 08:48:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id A19B362116 for <saag@ietf.org>; Thu, 3 Oct 2019 11:48:06 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Axnio4UuHhen for <saag@ietf.org>; Thu, 3 Oct 2019 11:48:02 -0400 (EDT)
Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 6475762124 for <saag@ietf.org>; Thu, 3 Oct 2019 11:48:01 -0400 (EDT)
From: Robert Moskowitz <rgm-sec@htt-consult.com>
To: saag@ietf.org
Message-ID: <b1b1fc1e-b75a-06ac-6f17-290a179b991d@htt-consult.com>
Date: Thu, 3 Oct 2019 11:48:00 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------CDDAC90D38E6F5E929D9C56B"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/uUiCbJs62ArjAC2bH4PNu9FKO3Y>
Subject: [saag] Please review/comment on draft-moskowitz-hip-new-crypto-02
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Oct 2019 15:48:10 -0000

This draft adds support of EdDSA, EC25519/EC448, and Keccak hashes and 
cipher (Keyak) to HIP (rfc 7401).

The interest to this group, is I believe this is the 1st? major adoption 
of Keccak (FIPS 202, sp800-185, and sp800-56Cr1) in IETF drafts.

KMAC vs HMAC is perhaps the simplest change.  It would seem that KMAC 
(sp800-185) is more efficient than HMAC and might be of advantage to 
high capacity situations.

Then there is the KDF based on sp800-56Cr1 (called KEYMAT in HIP 
lingo).  This is a significant change from RFC5869 and sp800-108. But I 
have assurances? that it meets the needed strength requirements.

Finally I am perhaps 'jumping the gun' on NIST's lightweight crypto 
competition with specifying Keyak, but for a constrained device 
developer, it means one underlying engine to support.

TBD is a separate draft to amend RFC7402 to add Keyak to HIP's use of 
ESP (and include diet-ESP).

The only 'hidden' gotcha is EdDSA25519 using SHA512 rather than a 
cSHAKE256 with 512 bits output (see KEYMAT above).  This has code-size 
implications to constrained system developers.  Otherwise it is all 
'new' crypto.

======================================

A new version of I-D, draft-moskowitz-hip-new-crypto-02.txt
has been successfully submitted by Robert Moskowitz and posted to the
IETF repository.

Name:		draft-moskowitz-hip-new-crypto
Revision:	02
Title:		New Cryptographic Algorithms for HIP
Document date:	2019-10-03
Group:		Individual Submission
Pages:		12
URL:https://www.ietf.org/internet-drafts/draft-moskowitz-hip-new-crypto-02.txt
Status:https://datatracker.ietf.org/doc/draft-moskowitz-hip-new-crypto/
Htmlized:https://tools.ietf.org/html/draft-moskowitz-hip-new-crypto-02
Htmlized:https://datatracker.ietf.org/doc/html/draft-moskowitz-hip-new-crypto
Diff:https://www.ietf.org/rfcdiff?url2=draft-moskowitz-hip-new-crypto-02

Abstract:
    This document provides new cryptographic algorithms to be used with
    HIP.  The Edwards Elliptic Curve and the Keccak sponge functions are
    the main focus.  The HIP parameters and processing instructions
    impacted by these algorithms are defined.

                                                                                   


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat