Re: [secdir] 答复: Secdir review of draft-ietf-webpush-encryption-08
Martin Thomson <martin.thomson@gmail.com> Tue, 25 July 2017 04:31 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44150126BFD; Mon, 24 Jul 2017 21:31:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MKtCfeyoXjOJ; Mon, 24 Jul 2017 21:31:43 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04D2D1200F3; Mon, 24 Jul 2017 21:31:43 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id v205so27909591itf.1; Mon, 24 Jul 2017 21:31:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=pZEors5ZP1kpB0Pe4JQvcZ5g/Rl9RdvnDUzNFj2kaRk=; b=JytyeWd/If+pwfwxWVmLoGsMwivAN8raxmCa14EDrPN82zipY6wTXeB3IKIuBdljxu R4H5Zn6E55n4cTwLukDUK8A9Q8YV6xUvp/l6vnoVoOgGJwCzWrH3Qg3E7m/0i3Do2uci UFrk4JlcSRvpb14vb2l2zTX3AIM4YswUKWsX3iTILD9AOnjbZ14LyKYiBKIpdMD3aZ0y niZp54C73QcRNBMnjMgG9cBu7Cz2QZfaMWbGt8FVj40YlHqVU6UzXdkSgw/p7UopEGDq GQBxmc+dmtTfKm0MZoY889K74GKW8NQ5Qnr+bWGGTnKylg8xkw35gN2PeHnIItOGe0XU S7JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=pZEors5ZP1kpB0Pe4JQvcZ5g/Rl9RdvnDUzNFj2kaRk=; b=VsT5i23HRkeSyc7WR6UcrUvflGisqWDCihyGOo7vLNdgFWzG6aGaawerSJthcjlNBF h0XU4GdWUOrtDm8aLewyklXEqMQZaEmxW7Qzvn7tbi3pjioaJYHdf9vB/XYCN1/MUc3e weGeaIHri9DF5dmb3VCKsYIUWNXBqx11P6C2hl7HXAzETYZgUGiQifBIQfl9OmMg/HRe OSzUcRH4aBwpe4pKRoC+QZq25dp2CQyX6Rs+NEJ+bW4YzDT1A9Qd6NPY3tc0Y8m59kzM TvCnqvRWAxPNoOKe93O56YHszt9eGV6t0+5QBE8mRrb1mZkCbg+BUwH/gtcXKUBm79g3 +O0A==
X-Gm-Message-State: AIVw1127jDLwGCR9M1ycNvMVO9VAWKsn8P9uI/EbcmQmh1DpFn0SUjm9 04a+zWIIoJOoMf7/YgCVl5oNhig5KA==
X-Received: by 10.36.5.68 with SMTP id 65mr9801045itl.140.1500957102258; Mon, 24 Jul 2017 21:31:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.164.42 with HTTP; Mon, 24 Jul 2017 21:31:41 -0700 (PDT)
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12BB278AF@DGGEML502-MBX.china.huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12BB2742F@DGGEML502-MBX.china.huawei.com> <CABkgnnWzNX8mO+9q73RRySdStDmmi5ifOY55+QwkMH1e_BVRtw@mail.gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12BB278AF@DGGEML502-MBX.china.huawei.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 25 Jul 2017 14:31:41 +1000
Message-ID: <CABkgnnXbLm_93mUv64WXypEt0E+myZWaZ4XaTpQSdV15mvNtzA@mail.gmail.com>
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-webpush-encryption.all@ietf.org" <draft-ietf-webpush-encryption.all@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/rNxoEFiWFNjLFDxjlYONqVf3rOc>
Subject: Re: [secdir] 答复: Secdir review of draft-ietf-webpush-encryption-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jul 2017 04:31:45 -0000
No, there is only one authentication secret. The second salt doesn't carry any significance (it just helps avoid key and IV reuse). On 25 July 2017 at 12:28, Xialiang (Frank) <frank.xialiang@huawei.com> wrote: > Hi Martin, > Thanks for your quick response and actions to my comments. > > I only have one question left: so you mean there are two authentication secrets generated respectively in UA and AS? > > B.R. > Frank > > -----邮件原件----- > 发件人: Martin Thomson [mailto:martin.thomson@gmail.com] > 发送时间: 2017年7月25日 10:16 > 收件人: Xialiang (Frank) > 抄送: iesg@ietf.org; secdir@ietf.org; draft-ietf-webpush-encryption.all@ietf.org > 主题: Re: Secdir review of draft-ietf-webpush-encryption-08 > > Hi Frank, > > Thanks for the review. I've put changes on github here: > https://github.com/webpush-wg/webpush-encryption/pull/16 > > On 24 July 2017 at 20:38, Xialiang (Frank) <frank.xialiang@huawei.com> wrote: >> 1. The word “falsification” is used in the section 1, I am not sure if >> you see any essential difference between it and the “modification”. >> Can you clarify it? > > The word was used intentionally to include protection against the ability to generate an inauthentic message. > >> 2. In section 2.1, the sentence “Most applications that use push >> messaging have a pre-existing relationship with an Application >> Server”: what is the exact meaning of “pre-existing relationship”? >> From the context, I assume it’s a mutual authenticated and encrypted >> connection between the UA and AS, right? More texts to clarify this >> term seem good here; > > I've expanded this a little. > >> 3. The second phase listed in section 3 (“The shared secret is then >> combined with the application secret to produce the input keying >> material”) seems to be described in details in section 3.4, not >> section 3.3. Please check it. And the term “application secret” can be >> changed to “authentication secret” for accuracy; > > Section 3.3 is correct. Section 3.4 is an overview of the entire process. > > "authentication secret" is a good catch there. > >> 4. In last paragraph of section 3.1, is “An Application Server” more >> appropriate? > > Yes, thanks. > >> 5. For the HKDF, should the salt be the authentication secret, or a >> random (16)? > > In the case that you refer to, the authentication secret is correct. > There are two randomized inputs in the entire process: the authentication secret is generated by the User Agent, and the salt is generated by the Application Server. Both are random(16) when generated, but then they are distributed to the other side. > >> 6. For formula of IKM = HMAC-SHA-256(PRK_cek, key_info || 0x01), >> should the “PRK_cek” be “PRK_key” which is calculated before from >> auth_secret and ecdh_secret? > > Obviously PRK_cek isn't generated until after this point, so you are right. (That's an editing error on my part.) > >> 7. In Security Considerations section, the potential threats (e.g., >> eavesdropping, tempering, etc) of unprotected HTTP header fields have >> been identified, but the according protection measures are not discussed here. >> Would it be better to have them? > > This is implied, but the mitigation is to discard them. I've made this clearer.
- [secdir] Secdir review of draft-ietf-webpush-encr… Xialiang (Frank)
- Re: [secdir] Secdir review of draft-ietf-webpush-… Martin Thomson
- [secdir] 答复: Secdir review of draft-ietf-webpush-… Xialiang (Frank)
- Re: [secdir] 答复: Secdir review of draft-ietf-webp… Martin Thomson
- [secdir] 答复: 答复: Secdir review of draft-ietf-webp… Xialiang (Frank)