[secdir] Sector review of draft-josefsson-scrypt-kdf-03

Joseph Salowey <joe@salowey.net> Sun, 13 September 2015 23:36 UTC

To: draft-josefsson-scrypt-kdf.all@tools.ietf.org, secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/8Nps0TK9rxGVLj5UsbJwP_F1rMA>

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors and document authors.

I think this document is ready with issues.  The document describes a
password-to-key function, scrypt, based on memory-hard functions to make it
more expensive and difficult to develop specialized hardware to obtain the
password from a recovered key.  I'd like to see this document published.  A
few issues are listed below.

First, I think Paul Kyzivat's GenArt review,
http://mailarchive.ietf.org/arch/msg/gen-art/fToZiioHo-6x5ZRQWNcTr-aUYVk,
raised some points that could help the readability of the document.

Second, the scrypt algorithm has several parameters, but the document has
very little discussion on how to choose those parameters or what they
affect (this is also pointed out in Paul's message).  It would be good to
have some discussion or guidance for parameter selection in the security
considerations.

Cheers,

Joe