IETF Logo Mail Archive

Re: [secdir] secdir review of draft-baeuerle-netnews-cancel-lock-05

David Mandelberg <david@mandelberg.org> Mon, 03 July 2017 19:21 UTC

Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DCC712ECCB for <secdir@ietfa.amsl.com>; Mon, 3 Jul 2017 12:21:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AWhcoYqMRQGs for <secdir@ietfa.amsl.com>; Mon, 3 Jul 2017 12:20:59 -0700 (PDT)
Received: from nm18-vm4.access.bullet.mail.bf1.yahoo.com (nm18-vm4.access.bullet.mail.bf1.yahoo.com [216.109.115.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A5FD12EE8D for <secdir@ietf.org>; Mon, 3 Jul 2017 12:20:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1499109656; bh=nTaECD3rGvTvN1veNSwhneHPMbR4VQGYqQj3L7VrYLE=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=iG6MDln5euDwSqXtrV9W3+SRLWCtLHKwV7M6JtmiRC5OBOQQPK6pRAY4ByoMoyLEiwnK19PDrVAWdjBtj8tVdmskrhUWaovZAd3SK/S2imsG7v3EsZGtcipMVoO+kzn7JhuLgZXTOm4XvqensUSPxX5nE+DBqDskWZpsxXHmNdmVqnuR0SQzjT+mHHokuUQAm4Ugq3g+NtS2vkN4EEKR0EIojIt6LCDVpO7C+SphQFTlcHDyujcKxS6aAx6pxfUjSLdM6es92UuS4iPRVvHfT50RL/qxSGIwZb4vFDQA4WgqCLxoS/gm0ptd+GLQRO3vJpKBsDQV9ZDt14apz46e7g==
Received: from [66.196.81.162] by nm18.access.bullet.mail.bf1.yahoo.com with NNFMP; 03 Jul 2017 19:20:56 -0000
Received: from [10.218.253.203] by tm8.access.bullet.mail.bf1.yahoo.com with NNFMP; 03 Jul 2017 19:20:56 -0000
Received: from [127.0.0.1] by smtp118.sbc.mail.ne1.yahoo.com with NNFMP; 03 Jul 2017 19:20:49 -0000
X-Yahoo-Newman-Id: 292614.31219.bm@smtp118.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: SQIjSdIVM1lTPmSabs.QX2zKMgHuDUpy6PHdNDst_Thiejw Ia7yKGqT1L8rizikw4_TO3noXrfS2C_C_1GRek6DvYTzp5DB4cw7d3bFo_m7 OK0ZZ1BqNB.sBhhNxWZ0DqicNAUbwBq7gYQ3dAYZibYHkVC6TWUtOYcaoaL. QthtiG2QLqPXe.1iZ4uvMqgOberuzj0yQ2lc33EnCINRyLczNqIgm3IgQcZa nEhejZmDb5Xjlild4dP2MxL5jloMjI9aSsCoULGR6D1X_21E80pueHTX90jw 1iIBBj9N84ch7TFNJUxnjYlqKLzrZLxWnghoAShLGEPZQxFyFgOntjj8SWWa .oDOaDKwJmPQ1..iSJo.5v_iGNutZ5R2w23J0t2RI4knhy1JtWXhsOdD1Z4_ VQue5LQyq8Mco3Y5WNaRmWe4IMDzibVEXdv8AhO5diMWFn7z8QUH8dmeytOG Osv9mW.06pfXvrdzmv.yiJohvcRaeGzE_grgb2jSjSEfe8Y9wefJDZGpk_R0 wrPYmnPVhFBuMjTfxR.Vl3aPop8Q2BZmcg4.r.k4ZRu5TjdFc9g--
X-Yahoo-SMTP: 4kJJK.qswBDPuwyc5wW.BPAQqNXdy5j09UNyeAS0pyOQ708-
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id B39951C6033; Mon, 3 Jul 2017 15:01:36 -0400 (EDT)
To: Michael Bäuerle <michael.baeuerle@stz-e.de>
Cc: iesg@ietf.org, secdir@ietf.org, draft-baeuerle-netnews-cancel-lock.all@ietf.org
References: <79785418-2159-2dba-3beb-b9391a5a2ddf@mandelberg.org> <20170630183122.5b8b10ae@WStation4>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <b6d46d44-bd03-cb32-27ac-bb267056419f@mandelberg.org>
Date: Mon, 03 Jul 2017 15:01:36 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <20170630183122.5b8b10ae@WStation4>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="IvsunHjEKrUwANf4uADpixpBJ1NIJUnkn"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GjRRSL23-q4KS7euHcKofWIiYKc>
Subject: Re: [secdir] secdir review of draft-baeuerle-netnews-cancel-lock-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2017 19:21:02 -0000

On 06/30/2017 12:31 PM, Michael Bäuerle wrote:
> David Mandelberg wrote:
>>
>> [...]
>> Section 4: I think you should run any user-supplied password through a
>> key derivation function before using it as a MAC key.
> 
> The obvious solution would be HKDF, but RFC5869 says in section 4:
> | 
> | [...] Applications interested
> | in a password-based KDF should consider whether, for example,
> | [PKCS5] meets their needs better than HKDF.
> 
> Would PKCS5 (RFC8018) be a good solution for this purpose?

Sorry, I don't have a lot of experience with KDFs. From what I
understand, I think you want to pick something that is computationally
difficult, and can be made more difficult over time as computers get
more powerful. (To make attacks against the password closer in
complexity to brute-force attacks against the output of the KDF.)

> 
> A workaround would be to change the words from section 4 of the draft:
> | 
> | The local secret <sec> should have a length of at least the output
> | size of the hash function that is used by HMAC (256 bit / 32 octets
> | for SHA256). If the secret is not a random value, but e.g. some sort
> | of human readable password, it should be much longer. In any case it
> | is important that this secret can not be guessed.
> 
> to:
> 
>    The local secret <sec> should have a length of at least the output
>    size of the hash function that is used by HMAC (256 bit / 32 octets
>    for SHA256) and must be a random value.
> 
> This would simply push the problem beyond the scope of the document.

Yup, that would work if you don't need to support passwords.

> 
>> Section 7: As I understand the terms, you care about preimage
>> resistance, but not second preimage. (I think preimage covers finding
>> any input that results in the specified output, not only the input that
>> originally generated the specified output. But I might be
>> misunderstanding the terms.)
> 
> If second preimage always is associated with known input, then I have
> used the wrong term and paragraph 1 in section 7 should say:
> 
>    The important property of the hash function used for <scheme> is the
>    preimage resistance. A successful preimage attack either reveals the
>    real Cancel-Key (that was used to create the Cancel-Lock of the original
>    article) or gives a different Cancel-Key (that matches a Cancel-Lock too).
>    This would break the authentication system defined in this document.

Looks good.


-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

v2.23.0 | Report a Bug | By Email