[secdir] Secdir review of draft-sheffer-emu-eap-eke-06
Brian Weis <bew@cisco.com> Wed, 26 May 2010 00:41 UTC
Return-Path: <bew@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F8C03A6B46; Tue, 25 May 2010 17:41:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.999
X-Spam-Level:
X-Spam-Status: No, score=-7.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BGe9-zmasrIr; Tue, 25 May 2010 17:41:38 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 0FA233A6E74; Tue, 25 May 2010 16:19:21 -0700 (PDT)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAIf3+0urR7H+/2dsb2JhbACeGXGmWZl1hRMEg0I
X-IronPort-AV: E=Sophos;i="4.53,300,1272844800"; d="scan'208";a="535195453"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-6.cisco.com with ESMTP; 25 May 2010 23:19:10 +0000
Received: from dhcp-128-107-163-73.cisco.com (dhcp-128-107-163-73.cisco.com [128.107.163.73]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id o4PNJAvJ018454; Tue, 25 May 2010 23:19:10 GMT
Message-Id: <81F9B37E-EDA2-445F-9980-7A468D9172F5@cisco.com>
From: Brian Weis <bew@cisco.com>
To: secdir@ietf.org, iesg@ietf.org
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Tue, 25 May 2010 16:19:04 -0700
X-Mailer: Apple Mail (2.936)
Cc: draft-sheffer-emu-eap-eke@tools.ietf.org
Subject: [secdir] Secdir review of draft-sheffer-emu-eap-eke-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2010 00:41:42 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes a new EAP method based on the Encrypted Key Exchange (EKE) protocol. The well-defined EKE exchange is preceded by a new crypto policy negotiation exchange, several of the payloads are protected by authenticated encryption, and a cryptographic confirmation that both the server and peer have seen identical messages has been added. The document and Security Considerations are comprehensive, and I see no issues that need to be addressed. I do have the following suggestions for improvement. Section 3.1. The schematic of the EAP-EKE messages (bottom of page 6) defines a number of terms for the first time, without explanation. The single sentence following it (top of page 7) seems intended to point the reader to Section 5 to find those terms. It ought to be a little more descriptive. At a minimum, I suggest something like "Section 5 explains the various cryptographic values and how they are derived." Section 5.1. The strength of x_s is significantly determined by the choice of randomness method deriving x_s. It seems that a weak source of randomness would be a significant implementation flaw for EAP-EKE. This section does refer to RFC 4086 for randomness recommendations, which should certainly be helpful to implementors. But perhaps also referencing some well-known methods (e.g., NIST SP 800-90) would be even better. Section 7.3. The sentence following the table seems to be trying to define a PRF as something with a "K" and an "S", but doesn't define what those values mean. This should either be clarified, or have the section point to a better external definition of a PRF. Section 7.6. Defining a registry without any standardized values (other than a "reserved" value of 0x0) isn't very useful for interoperability. If the expectation is that private use values will be mainly used, perhaps the channel binding value should be treated as a vendor-id payload rather than a registry. Brian
- [secdir] Secdir review of draft-sheffer-emu-eap-e… Brian Weis
- Re: [secdir] Secdir review of draft-sheffer-emu-e… Yaron Sheffer
- Re: [secdir] Secdir review of draft-sheffer-emu-e… Sam Hartman