[secdir] draft-ietf-avtcore-aria-srtp-06

Ben Laurie <benl@google.com> Mon, 15 September 2014 18:39 UTC

Date: Mon, 15 Sep 2014 19:12:00 +0100
Message-ID: <CABrd9SRu8B0ZkfPTdKsuL0LXusONYgS0pFiamfLLEq3Y4axc=Q@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-avtcore-aria-srtp.all@tools.ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/gg_NnFaTTRVfSEXF02nu9GHzEmY

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: ready with issues, or maybe not ready (AD's choice!)

Firstly, I'm not generally keen on RFCs for "vanity" ciphers - or,
indeed, any cipher that's been as lightly reviewed as ARIA has. The
Security ADs may feel differently, so I defer to them.

Secondly, ARIA-CTR and ARIA-GCM both use SHA-1 as a hash function, and
I believe we are trying to deprecate that practice.

Thirdly, I am not familiar enough with SRTP to understand why short
authentication tags are needed, but in general it's a bad idea, so I
feel the Security Considerations should explain more fully than

    "Ciphersuites with short tag length may be considered for specific
    application environments stated in 7.5 of [RFC3711], but the risk
    of weak authentication described in Section 9.5.1 of [RFC3711]
    should be taken into account."

How would I take this risk into account?

Finally, given that short tags are a risk, why are there no modes with
full-length tags?
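The forgery risk that the quoted RFC 3711 text refers to, as an added worked example (my code, not part of this review or of the draft): an SRTP-style authentication tag is HMAC-SHA1 truncated to the negotiated length, and the chance that a random guess is accepted depends only on that length. The key and packet bytes below are constructed, and the "ideal MAC" assumption is mine.

```python
import hashlib
import hmac
import math


def srtp_style_tag(auth_key: bytes, authenticated: bytes, tag_bits: int) -> bytes:
    """HMAC-SHA1 over the authenticated portion of a packet, keeping the
    leftmost tag_bits bits, as SRTP does for its default auth function."""
    if tag_bits % 8 or not 0 < tag_bits <= 160:
        raise ValueError("tag_bits must be a multiple of 8 between 8 and 160")
    return hmac.new(auth_key, authenticated, hashlib.sha1).digest()[: tag_bits // 8]


def verify_tag(auth_key: bytes, authenticated: bytes, received: bytes, tag_bits: int) -> bool:
    """Constant-time comparison of the received tag against the expected one."""
    expected = srtp_style_tag(auth_key, authenticated, tag_bits)
    return len(received) == len(expected) and hmac.compare_digest(expected, received)


def forgery_success_probability(tag_bits: int, attempts: int) -> float:
    """Probability that at least one of `attempts` random tags is accepted,
    assuming an ideal MAC truncated to tag_bits. Uses log1p/expm1 so that
    tiny per-attempt probabilities (e.g. 2^-80) are not rounded to zero."""
    per_attempt = 2.0 ** -tag_bits
    return -math.expm1(attempts * math.log1p(-per_attempt))


def attempts_for_probability(tag_bits: int, target: float) -> float:
    """Number of random forgery attempts needed to reach `target` success probability."""
    per_attempt = 2.0 ** -tag_bits
    return math.log(1.0 - target) / math.log1p(-per_attempt)


if __name__ == "__main__":
    key = bytes(range(20))                      # constructed 160-bit auth key
    packet = b"\x80\x60\x00\x01" + b"payload"    # constructed RTP header + payload
    for bits in (32, 80, 160):
        tag = srtp_style_tag(key, packet, bits)
        assert verify_tag(key, packet, tag, bits)
        print(f"{bits:3d}-bit tag: P[forge | 1 try] = {forgery_success_probability(bits, 1):.3e}, "
              f"tries for 50% = {attempts_for_probability(bits, 0.5):.3e}")
```

Shortening the tag from 80 to 32 bits raises the per-packet forgery chance by a factor of 2^48, which is the "weak authentication" trade-off the Security Considerations would need to spell out for the application environments it has in mind.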