Re: [secdir] secdir review of draft-moriarty-pkcs5-v2dot1-01

["Xialiang (Frank)" <frank.xialiang@huawei.com>]

Hi all,
Thanks for your response and clarification.
I have no more comments right now.

B.R.
Frank

From: Rusch, Andreas [mailto:andreas.rusch@rsa.com]
Sent: Friday, September 02, 2016 12:53 PM
To: Kaliski, Burt; Xialiang (Frank); draft-moriarty-pkcs5-v2dot1.all@tools.ietf.org
Subject: RE: secdir review of draft-moriarty-pkcs5-v2dot1-01

Hi Frank,

I don't have any additional things, I completely agree with Burt's responses.

I will do the changes today and post a new version (v02).

Thanks a lot for the great review, very much appreciated!

Cheers,
Andreas


From: Kaliski, Burt [mailto:bkaliski@verisign.com]
Sent: 02 September 2016 06:40
To: Xialiang (Frank); draft-moriarty-pkcs5-v2dot1.all@tools.ietf.org<mailto:draft-moriarty-pkcs5-v2dot1.all@tools.ietf.org>
Subject: RE: secdir review of draft-moriarty-pkcs5-v2dot1-01

Thanks for the detailed review, Frank.  My responses are included below, prefixed [BK].

I appreciate your taking the time to review this document.

The RSA/EMC co-authors may have additional responses.


n  Burt

From: Xialiang (Frank) [mailto:frank.xialiang@huawei.com]
Sent: Wednesday, August 31, 2016 6:03 AM
To: 'iesg@ietf.org'; 'secdir@ietf.org'; draft-moriarty-pkcs5-v2dot1.all@tools.ietf.org<mailto:draft-moriarty-pkcs5-v2dot1.all@tools.ietf.org>
Subject: secdir review of draft-moriarty-pkcs5-v2dot1-01

Hello,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.


This document provides recommendations for the implementation of password-based cryptography, covering key derivation functions, encryption schemes, message-authentication schemes, and ASN.1 syntax identifying the techniques. And this document represents a republication of PKCS #5 v2.1 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.


In general, this draft is based on [RFC2898] (PKCS #5) and RSA new released PKCS #5 V2.1 specification, and includes some minor updates to them. So, it has a solid security basis. Regarding to the new introduced contents, there are no more new security threats identified.


Summary: this document appears in reasonably good shape, with minor issues that should be addressed before publication.


Below is a series of my comments, nits for your consideration.


comments:

Section 5.1
"S    salt, an eight-octet string": This sentence is not accurate. The Salt used in the PBKDF1 algorithm should be an octet string with more than 8 bytes length here;

[BK]  The text appears in both the source document* and RFC 2898.  However, in both places, the guidance on salt is that it should be "at least eight octets" long.  In other words, it should be at least eight octets long, but it could be exactly eight octets or shorter.  In any case, the error is an old one.  Although the authors' intent is to republish the source document essentially as is, I'd recommend to drop "eight-octet" here since it conflicts with the internal guidance.

* http://www.emc.com/collateral/white-papers/h11302-pkcs5v2-1-password-based-cryptography-standard-wp.pdf

section 5.2
"applied to the password P and the concatenation of the salt S and the block index i:": this sentence seems to be not clear to explain the following series of equations, for example:
1. how to use "i" in them?
2. how to use "Salt" in them?
Would you please clarify the issue and improve the content to be more clear?

[BK] The password P is input to every iteration.  The salt S and the block index i are only input to the first iteration.  However, P and S || INT(i) are collectively the inputs to the process of computing all the iterates.  Better text would be: "first c iterates of the underlying pseudorandom function PRF under the password P, where the first iterate is applied to the concatenation of the salt S and the block index i:"  However, I'm inclined to keep it as is because it is not incorrect, and the intent is to republish.

[BK] As you've noted below, the text was missing the line "F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c".  This covers the "exclusive-or sum of the iterates".

nits:

Abstract
1. PKCS #8 should have a reference of [PKCS8][RFC5958];


[BK] Agreed.

2. The second "-" in "password-based-key" should be removed;

[BK] Good catch.

3. If there is PKCS #5 V2.1 specification, the reference of it should be added after the content of "PKCS #5 V2.1";

[BK] OK.  The source document can be added as a final reference.

Section 1
Please split the last two words of "compatibletechniques.".

[BK] OK.

Section 2
Miss "\xor" before "bit-wise exclusive-or of two octet strings".

[BK]  Good catch.

Section 5.1
"DK = Tc<0..dkLen-1>": Tc should be T_c.

[BK]  Another good one.

Section 5.2
1. The title of Section 5.2 should be "PBKDF2";

[BK]  Thanks.

2. A calculation equation is missed here: "F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c".

[BK] Good catch.

Section 6.1.1
The title of the Section should be "PBES1 Encryption Operation".

[BK] Yes.  In table of contents as well.

Appendix A.1
"for PBES1" should be changed to "for PBKDF1".

[BK]  PBKDF1 doesn't need an algorithm identifier because PBES1 defines a different algorithm identifier for each underlying password-based key derivation function.  PBKDF2, in contrast, needs one because PBES2's algorithm identifier is modularized.   This is the reason the text says "the object identifiers for PBES1 are sufficient."  So no change is needed (and the change would be incorrect).

Thanks!

B.R.
Frank