Re: [secdir] Secdir review of draft-herzog-static-ecdh-05
Uri Blumenthal <uri@MIT.EDU> Tue, 15 March 2011 20:26 UTC
Return-Path: <uri@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 40B8A3A6E44; Tue, 15 Mar 2011 13:26:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_OBFU_ALL=0.751]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1C90LM7IaovT; Tue, 15 Mar 2011 13:26:12 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU [18.7.68.36]) by core3.amsl.com (Postfix) with ESMTP id 0700F3A6A8B; Tue, 15 Mar 2011 13:26:11 -0700 (PDT)
X-AuditID: 12074424-b7b0bae000000a05-c7-4d7fcbb885ec
Received: from mailhub-3.mit.edu ( [18.9.21.44]) by dmz-mailsec-scanner-7.mit.edu (Symantec Brightmail Gateway) with SMTP id DC.2B.02565.8BBCF7D4; Tue, 15 Mar 2011 16:27:36 -0400 (EDT)
Received: from outgoing-legacy.mit.edu (OUTGOING-LEGACY.MIT.EDU [18.7.22.104]) by mailhub-3.mit.edu (8.13.8/8.9.2) with ESMTP id p2FKRZYh005498; Tue, 15 Mar 2011 16:27:36 -0400
Received: from webmail-8.mit.edu (WEBMAIL-8.MIT.EDU [18.9.23.18]) ) by outgoing-legacy.mit.edu (8.13.6/8.12.4) with ESMTP id p2FKSsfM014965; Tue, 15 Mar 2011 16:28:54 -0400 (EDT)
Received: from webmail-8.mit.edu (webmail-8.mit.edu [127.0.0.1]) by webmail-8.mit.edu (8.13.8) with ESMTP id p2FKRTEw002007; Tue, 15 Mar 2011 16:27:29 -0400
Received: (from nobody@localhost) by webmail-8.mit.edu (8.13.8/8.13.8/Submit) id p2FKROcF002002; Tue, 15 Mar 2011 16:27:24 -0400
X-Authentication-Warning: webmail-8.mit.edu: nobody set sender to uri@mit.edu using -f
Received: from c-24-63-227-189.hsd1.ma.comcast.net (c-24-63-227-189.hsd1.ma.comcast.net [24.63.227.189]) (User authenticated as uri@ATHENA.MIT.EDU) by webmail.mit.edu (Horde MIME library) with HTTP; Tue, 15 Mar 2011 16:27:24 -0400
Message-ID: <20110315162724.dv4j170hkw8oooo0@webmail.mit.edu>
X-Priority: 3 (Normal)
Date: Tue, 15 Mar 2011 16:27:24 -0400
From: Uri Blumenthal <uri@MIT.EDU>
To: "Herzog, Jonathan - 0668 - MITLL" <jherzog@ll.MIT.EDU>
References: <D858A225-D1D1-497D-BA40-A66D3F55AD57@cisco.com> <552BBAA9-712F-49B4-8A5F-C671C3817C05@ll.mit.edu> <AA323705-436C-4B71-8B51-D2CA9E4E140C@cisco.com> <47CF9528-81A1-49D7-8D4B-B1DCC136581E@ll.mit.edu> <3E69AF7B-D325-4FC5-A003-FEBA1997D67E@cisco.com> <FFD02A42-A10C-4AE7-A763-5C2D1E1DFADA@ll.mit.edu> <65D56695-894D-458E-A9C4-6DCF6A38F196@cisco.com> <29C1F1D5-6EF0-4055-BA88-03F03E3F0A84@ll.mit.edu> <A2B7EC12-25AA-4D0A-ACA3-A5E67C14E596@cisco.com> <63667400-81DF-438E-869F-247222DECA18@ll.mit.edu> <7EA8F35D-5D31-472E-BE37-3789470D059A@cisco.com> <CEC0B26E-57CD-400E-8B2C-A31413C4EA2C@ll.mit.edu> <AC6A0275-B484-45F5-B23A-2D0E6DEF50E6@ll.mit.edu>
In-Reply-To: <AC6A0275-B484-45F5-B23A-2D0E6DEF50E6@ll.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.0.3)
X-Brightmail-Tracker: AAAAAReea6k=
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-herzog-static-ecdh@tools.ietf.org" <draft-herzog-static-ecdh@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-herzog-static-ecdh-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2011 20:26:13 -0000
Without diving into the details of various KDF and their cryptographic soundness - I think the proposal to cite X9.63 as normative and SEC1 as informative is good. Thanks! -- <Disclaimer> Quoting "Herzog, Jonathan - 0668 - MITLL" <jherzog@ll.mit.edu>: > On Mar 11, 2011, at 4:13 PM, Herzog, Jonathan - 0668 - MITLL wrote: >> On Mar 11, 2011, at 3:32 PM, David McGrew wrote: >>> >>> I hope that the KDF from X9.63 that is referenced in SEC1 is the >>> Concatenation Key Derivation Function (Section 5.8.1 of SP800-56A), or >>> if not, the ASN.1 Key Derivation Function (Section 5.8.2). >> >> >> Mostly 'yes,' but just enough 'no' to be a real problem for us. Both >> the KDF in SEC1/X9.63 and the KDFs in 800-56A take the Diffie >> Hellman secret and some Other Stuff, and produce keying material as >> output. But they are not the exact same KDF. From SP 800-56A, >> Appendix A ("Summary of Differences between this Recommendation and >> ANS X9 Standards"): >> >> [Begin quote] >> >> 8. Regarding the key derivation function (KDF): >> >> a. This recommendation specifies two Approved KDFs, the >> concatenation KDF specified in Section 5.8.1 and the ASN.1 KDF >> specified in Section 5.8.2. Other key derivation methods may be >> temporarily allowed for backward compatibility. These other >> allowable methods and any restrictions on their use will be >> specified in FIPS 140-2 Annex D. >> >> b. ANS X9.42 provides a concatenation KDF and an ASN.1 KDF, while >> ANS X9.63 provides only the concatenation KDF. However, the Approved >> KDFs of this Recommendation require that the counter appears before >> the shared secret as input to the hash function, whereas the ANSI >> KDFs place the counter after the shared secret >> >> c. The Approved KDFs in this Recommendation require the input of the >> identifiers of the communicating parties; such information is not >> required in ANS X9.42 and X9.63. >> >> d. In this Recommendation, the shared secret is zeroized after a >> single call to a key derivation function, before the key agreement >> scheme releases any portion of the DerivedKeyingMaterial for use by >> relying applications.. The ANS X9.42 and X9.63 standards do not >> indicate when the shared secret needs to be zeroized. An implication >> of this Recommendation?s requirement concerning zeroization is that >> all of the keying material directly derived from the shared secret >> must be computed during one call to the KDF. >> >> [End quote] >> >> Point (d) is not an issue for this discussion, and point (a) is just >> informative. But points (b) and (c) are both show-stoppers. Point >> (b) says that SEC1/X9.63 and SP 800-56A disagree on how to turn the >> inputs into keying material. Point (c) says that they disagree on >> what the Other Stuff must contain. Specifically, SP 800-56A requires >> that the Other Stuff contain: >> >> * ID of the algorithm, >> * ID of the sender, >> * ID of the receiver, >> * Sender randomness (optional), and >> * Receiver randomness (optional). >> >> SEC1 places no restriction on the Other Stuff. But RFC 5753 says >> that the Other Stuff must be the DER encoding of an >> ECC-CMS-SharedInfo structure, which contains: >> >> * ID of the algorithm, >> * Sender randomness (optional), and >> * Length of output key (optional). >> >> So unless I'm wrong (again, more than likely) the SEC1/X9.63 and SP >> 800-56A KDFs are not compatible. And in fact, we can't switch to the >> SP 800-56A KDFs without introducing some tricky incompatibilities >> with RFC 5753. (Implementors would have to implement one KDF for >> ephemeral-static ECDH and a different one for static-static ECDH). >> >> Given this, what do people think of citing X9.63 for the KDF? And >> about citing SEC1 as an informative reference so that people can >> find the KDF without having to buy an ANSI standard? > > I was advised to submit an updated draft over the weekend, even if > some issues were still up in the air. So, > draft-herzog-static-ecdh-06.txt has been submitted and is awaiting > manual posting. In the meantime, a copy is attached to this mail. As > you can see, I went ahead and made the change I proposed above: > citing X9.63 as the normative standard for the KDF in RFC 5753, wit > SEC1 as an informative reference. > > Thoughts? > > Cheers. > > -- > Jonathan Herzog voice: (781) 981-2356 > Technical Staff fax: (781) 981-7687 > Cyber Systems and Technology Group email: jherzog@ll.mit.edu > MIT Lincoln Laboratory www: http://www.ll.mit.edu/CST/ > 244 Wood Street > Lexington, MA 02420-9185 >
- [secdir] Secdir review of draft-herzog-static-ecd… Brian Weis
- Re: [secdir] Secdir review of draft-herzog-static… Brian Weis
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Brian Weis
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Brian Weis
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Stephen Farrell
- Re: [secdir] Secdir review of draft-herzog-static… David McGrew
- Re: [secdir] Secdir review of draft-herzog-static… David McGrew
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Stephen Farrell
- Re: [secdir] Secdir review of draft-herzog-static… David McGrew
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… David McGrew
- Re: [secdir] Secdir review of draft-herzog-static… Sean Turner
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Uri Blumenthal
- Re: [secdir] Secdir review of draft-herzog-static… Sean Turner
- Re: [secdir] Secdir review of draft-herzog-static… Stephen Farrell
- Re: [secdir] Secdir review of draft-herzog-static… Stephen Farrell
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Uri Blumenthal