Re: [secdir] Secdir review of draft-herzog-static-ecdh-05

Brian Weis <bew@cisco.com> Tue, 08 March 2011 17:12 UTC

Return-Path: <bew@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DCF803A6906; Tue, 8 Mar 2011 09:12:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.848
X-Spam-Level:
X-Spam-Status: No, score=-109.848 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_OBFU_ALL=0.751, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TApMZ-2GgiMV; Tue, 8 Mar 2011 09:12:11 -0800 (PST)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 87A323A68C5; Tue, 8 Mar 2011 09:12:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=bew@cisco.com; l=6711; q=dns/txt; s=iport; t=1299604406; x=1300814006; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=NelAVHGDKta/at5DrJUsE5ig0mpEbdhPsbFkxPJ8/kM=; b=FHG6cxOXM9bm4yYIDCi3sxzOff6M89NZj5H6WH3fDzl43Ot8x/0E1bZ/ gb+8pdOW3FVad6F82sDFIzPmAzh/qEAYhUwtYQS4I9omBwxYmF6T6qM8q qxFWWRbbWZBC6d1RPgk6uQy2pd47+cBcXtK41N+iBE5aMtG5FHHESYfni k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAKbydU2rRN+K/2dsb2JhbACmT3Sjd5w3gxiCSwSFHYcVjCM
X-IronPort-AV: E=Sophos;i="4.62,285,1297036800"; d="scan'208";a="272604843"
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-4.cisco.com with ESMTP; 08 Mar 2011 17:13:26 +0000
Received: from stealth-10-32-244-213.cisco.com (stealth-10-32-244-213.cisco.com [10.32.244.213]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id p28HDQRe020098; Tue, 8 Mar 2011 17:13:26 GMT
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset=us-ascii
From: Brian Weis <bew@cisco.com>
In-Reply-To: <47CF9528-81A1-49D7-8D4B-B1DCC136581E@ll.mit.edu>
Date: Tue, 8 Mar 2011 09:13:26 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <3E69AF7B-D325-4FC5-A003-FEBA1997D67E@cisco.com>
References: <D858A225-D1D1-497D-BA40-A66D3F55AD57@cisco.com> <552BBAA9-712F-49B4-8A5F-C671C3817C05@ll.mit.edu> <AA323705-436C-4B71-8B51-D2CA9E4E140C@cisco.com> <47CF9528-81A1-49D7-8D4B-B1DCC136581E@ll.mit.edu>
To: "Herzog, Jonathan - 0668 - MITLL" <jherzog@ll.mit.edu>
X-Mailer: Apple Mail (2.1082)
Cc: "draft-herzog-static-ecdh@tools.ietf.org" <draft-herzog-static-ecdh@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-herzog-static-ecdh-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2011 17:12:13 -0000

Hi Jonathan,

On Mar 8, 2011, at 8:10 AM, Herzog, Jonathan - 0668 - MITLL wrote:

> 
> On Mar 8, 2011, at 12:15 AM, Brian Weis wrote:
> 
>> Hi Jonathan,
>> 
>> On Mar 6, 2011, at 1:43 PM, Herzog, Jonathan - 0668 - MITLL wrote:
>>> 
>>> I plan to address these comments and submit a new draft in the next few days. Before I do, however, do you mind if I asked you a few questions?
> 
> 
> [snip]
> 
> 
>>> 
>>> And the rest of the introduction remains the same. Do you think this will be enough to orient the reader correctly?
>> 
>> That'll do the trick nicely, I think.
> 
> Excellent. Thanks.
> 
> 
> 
>>> 
>>>> 2. Reference [SEC1] is heavily referenced in this document, for both a definition of ECDH and specific methods for using ECDH. But it would be good to also mention RFC 6090, which is the best IETF document describing ECDH.
>>> 
>>> I was not previous aware of this RFC-- my bad. I have added it as an informative reference, but continued to refer to [Sec1] as the normative reference for the ECDH operation. Or do you think that RFC 6090 should be the normative reference?
>> 
>> I would suggesting using RFC 6090 for a normative reference to ECDH if you need such a reference. But I don't believe RFC 6090 discusses static-static consideration or issues at all, so for that [Sec1] seems to be the appropriate normative reference.
> 
> I'm a little uneasy with using RFC 6090 as a normative reference for ECDH, as my impression is that the rest of CMS uses SEC1 as the normative reference. (See RFC 5753.) This may be because RFC 6090 is so new, but I'm worried that switching to RFC 6090 as the normative reference for ECDH will introduce subtle incompatibilities.
> 
> Also, RFC 6090 doesn't seem to include the cofactor ECDH operation (I think), or the use of the SharedInfo/ukm value.
> 
> Given this, do you mind if I keep SEC1 as normative and use RFC 6090 as informative?

Sure, that's fine.

[snip]

> 
>>> Do I need to explicitly require that the SharedInfo value be used?
>> 
>> I think your requirements are fine. But because you discuss both ukm and SharedInfo, I would clarifying their linkage. For example, in your Security Considerations you could mention the role of SharedInfo to permute the session so that two sessions setup between the same entities will be keyed independently, point out that CMS specifies that ukm is to be the value used in SharedInfo, and how ukm is determined so that it will properly do its job. This is also rationale for the SHOULD in section 2.1.
> 
> Good point. What do you think of the following change?

Bingo! That explanation seems both complete and clear to me. With that inclusion, I think its ready to publish.

Thanks,
Brian

> 
> WAS
> 
> 
>   Extreme care must be used when using static-static Diffie-Hellman
>   (either standard or cofactor) without the use of some per-message
>   value in ukm.  If no message-specific information is used (such as a
>   counter value, or a fresh random string) then the resulting secret
>   key could be used in more than one message.  Under some
>   circumstances, this will open the sender to the 'small subgroup'
>   attack [MenezesUstaoglu] or other, yet-undiscovered attacks on re-
>   used Diffie-Hellman keys.  Applications that cannot tolerate the
>   inclusion of per-message information in ukm (due to bandwidth
>   requirements, for example) SHOULD NOT use static-static ECDH for a
>   recipient without ascertaining that the recipient knows the private
>   value associated with their certified Diffie-Hellman value. 
> 
> IS NOW
> 
> 
>   Extreme care must be used when using static-static Diffie-Hellman
>   (either standard or cofactor) without the use of some per-message
>   value in ukm.  As described in [RFC5753], the ukm value (if present)
>   will be embedded in a ECC-CMS-SharedInfo structure and the DER-
>   encoding of this structure will be used as the 'SharedInfo' input to
>   the ECDH key-agreement operation in [SEC1], Section 6.1.3.  The
>   purpose of this input is to add a message-unique value to the key-
>   distribution function so that two different sessions of static-static
>   ECDH between a given pair of agents result in independent keys.  If
>   the ukm value is not used or is re-used, on the other hand, then the
>   ECC-CMS-SharedInfo structure (and 'SharedInfo' input) will likely not
>   vary from message to message.  In this case, the two agents will re-
>   use the same keying material across multiple messages.  This is
>   considered to be bad cryptographic practice and may open the sender
>   to attacks on Diffie-Hellman (e.g., the 'small subgroup' attack
>   [MenezesUstaoglu] or other, yet-undiscovered attacks).
> 
>   It is for these reasons that Section 2.1 states that message-senders
>   SHOULD include the ukm and SHOULD ensure that the value of ukm is
>   unique to the message being sent.  One way to ensure the uniqueness
>   of ukm is for the message sender to choose a 'sufficiently long'
>   random string for each message (where, as a rule of thumb, a
>   'sufficiently long' string is one at least as long as the keys used
>   by the key-wrap algorithm identified in the keyEncryptionAlgorithm
>   field of the KeyAgreeRecipientInfo structure).  However, other
>   methods (such as a counter) are possible.  Also, applications which
>   cannot tolerate the inclusion of per-message information in ukm (due
>   to bandwidth requirements, for example) SHOULD NOT use static-static
>   ECDH for a recipient without ascertaining that the recipient knows
>   the private value associated with their certified Diffie-Hellman
>   value.
> 
> 
> 
>> BTW, the RFC Index search engine says that RFC 3278 has been obsoleted by RFC 5753. You should reference that one (which hopefully makes the same statements regarding ukm).
> 
> Whoops! Good catch. Fortunately, the draft already did reference RFC 5753. My brain, on the other hand, seem to be taking longer to catch up. ;-)
> 
> 
> 
> Thanks.
> 
> -- 
> Jonathan Herzog							voice:  (781) 981-2356
> Technical Staff							fax:    (781) 981-7687
> Cyber Systems and Technology Group		email:  jherzog@ll.mit.edu
> MIT Lincoln Laboratory               			www:    http://www.ll.mit.edu/CST/
> 244 Wood Street    
> Lexington, MA 02420-9185
> 


-- 
Brian Weis
Security Standards and Technology, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com