Re: [secdir] Secdir review of draft-herzog-static-ecdh-05
"Herzog, Jonathan - 0668 - MITLL" <jherzog@ll.mit.edu> Tue, 08 March 2011 16:08 UTC
Return-Path: <prvs=20488723d3=jherzog@ll.mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2FB253A6936; Tue, 8 Mar 2011 08:08:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.847
X-Spam-Level:
X-Spam-Status: No, score=-5.847 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_OBFU_ALL=0.751, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aoi2Lmoco07G; Tue, 8 Mar 2011 08:08:54 -0800 (PST)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by core3.amsl.com (Postfix) with ESMTP id A72A33A6933; Tue, 8 Mar 2011 08:08:53 -0800 (PST)
Received: from LLE2K7-HUB01.mitll.ad.local (LLE2K7-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id p28GA53Y029092; Tue, 8 Mar 2011 11:10:05 -0500
From: "Herzog, Jonathan - 0668 - MITLL" <jherzog@ll.mit.edu>
To: Brian Weis <bew@cisco.com>
Date: Tue, 08 Mar 2011 11:10:05 -0500
Thread-Topic: Secdir review of draft-herzog-static-ecdh-05
Thread-Index: Acvdq0nTW9g/1+l8QpWWcECA90OY7Q==
Message-ID: <47CF9528-81A1-49D7-8D4B-B1DCC136581E@ll.mit.edu>
References: <D858A225-D1D1-497D-BA40-A66D3F55AD57@cisco.com> <552BBAA9-712F-49B4-8A5F-C671C3817C05@ll.mit.edu> <AA323705-436C-4B71-8B51-D2CA9E4E140C@cisco.com>
In-Reply-To: <AA323705-436C-4B71-8B51-D2CA9E4E140C@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/signed; boundary="Apple-Mail-128--829141881"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.2.15, 1.0.148, 0.0.0000 definitions=2011-03-08_06:2011-03-08, 2011-03-08, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=8 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=5.0.0-1012030000 definitions=main-1103080076
X-Mailman-Approved-At: Tue, 08 Mar 2011 08:18:12 -0800
Cc: "draft-herzog-static-ecdh@tools.ietf.org" <draft-herzog-static-ecdh@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-herzog-static-ecdh-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2011 16:08:55 -0000
On Mar 8, 2011, at 12:15 AM, Brian Weis wrote: > Hi Jonathan, > > On Mar 6, 2011, at 1:43 PM, Herzog, Jonathan - 0668 - MITLL wrote: >> >> I plan to address these comments and submit a new draft in the next few days. Before I do, however, do you mind if I asked you a few questions? [snip] >> >> And the rest of the introduction remains the same. Do you think this will be enough to orient the reader correctly? > > That'll do the trick nicely, I think. Excellent. Thanks. >> >>> 2. Reference [SEC1] is heavily referenced in this document, for both a definition of ECDH and specific methods for using ECDH. But it would be good to also mention RFC 6090, which is the best IETF document describing ECDH. >> >> I was not previous aware of this RFC-- my bad. I have added it as an informative reference, but continued to refer to [Sec1] as the normative reference for the ECDH operation. Or do you think that RFC 6090 should be the normative reference? > > I would suggesting using RFC 6090 for a normative reference to ECDH if you need such a reference. But I don't believe RFC 6090 discusses static-static consideration or issues at all, so for that [Sec1] seems to be the appropriate normative reference. I'm a little uneasy with using RFC 6090 as a normative reference for ECDH, as my impression is that the rest of CMS uses SEC1 as the normative reference. (See RFC 5753.) This may be because RFC 6090 is so new, but I'm worried that switching to RFC 6090 as the normative reference for ECDH will introduce subtle incompatibilities. Also, RFC 6090 doesn't seem to include the cofactor ECDH operation (I think), or the use of the SharedInfo/ukm value. Given this, do you mind if I keep SEC1 as normative and use RFC 6090 as informative? [snip] >> So I'm under the impression that our Draft requires a ukm value (with a SHOULD), and that RFC 3278 requires that this ukm value be included in a SharedInfor value which is used to derive keys. But did I misread RFC 3278? > > I did notice the text regarding ukm in your I-D, but definitely missed linkage you quote from RFC 3278 above. So rather than misreading RFC 3278 you've clarified it for me. :-) Your explanation makes sense to me. Ah, good. >> Do I need to explicitly require that the SharedInfo value be used? > > I think your requirements are fine. But because you discuss both ukm and SharedInfo, I would clarifying their linkage. For example, in your Security Considerations you could mention the role of SharedInfo to permute the session so that two sessions setup between the same entities will be keyed independently, point out that CMS specifies that ukm is to be the value used in SharedInfo, and how ukm is determined so that it will properly do its job. This is also rationale for the SHOULD in section 2.1. Good point. What do you think of the following change? WAS Extreme care must be used when using static-static Diffie-Hellman (either standard or cofactor) without the use of some per-message value in ukm. If no message-specific information is used (such as a counter value, or a fresh random string) then the resulting secret key could be used in more than one message. Under some circumstances, this will open the sender to the 'small subgroup' attack [MenezesUstaoglu] or other, yet-undiscovered attacks on re- used Diffie-Hellman keys. Applications that cannot tolerate the inclusion of per-message information in ukm (due to bandwidth requirements, for example) SHOULD NOT use static-static ECDH for a recipient without ascertaining that the recipient knows the private value associated with their certified Diffie-Hellman value. IS NOW Extreme care must be used when using static-static Diffie-Hellman (either standard or cofactor) without the use of some per-message value in ukm. As described in [RFC5753], the ukm value (if present) will be embedded in a ECC-CMS-SharedInfo structure and the DER- encoding of this structure will be used as the 'SharedInfo' input to the ECDH key-agreement operation in [SEC1], Section 6.1.3. The purpose of this input is to add a message-unique value to the key- distribution function so that two different sessions of static-static ECDH between a given pair of agents result in independent keys. If the ukm value is not used or is re-used, on the other hand, then the ECC-CMS-SharedInfo structure (and 'SharedInfo' input) will likely not vary from message to message. In this case, the two agents will re- use the same keying material across multiple messages. This is considered to be bad cryptographic practice and may open the sender to attacks on Diffie-Hellman (e.g., the 'small subgroup' attack [MenezesUstaoglu] or other, yet-undiscovered attacks). It is for these reasons that Section 2.1 states that message-senders SHOULD include the ukm and SHOULD ensure that the value of ukm is unique to the message being sent. One way to ensure the uniqueness of ukm is for the message sender to choose a 'sufficiently long' random string for each message (where, as a rule of thumb, a 'sufficiently long' string is one at least as long as the keys used by the key-wrap algorithm identified in the keyEncryptionAlgorithm field of the KeyAgreeRecipientInfo structure). However, other methods (such as a counter) are possible. Also, applications which cannot tolerate the inclusion of per-message information in ukm (due to bandwidth requirements, for example) SHOULD NOT use static-static ECDH for a recipient without ascertaining that the recipient knows the private value associated with their certified Diffie-Hellman value. > BTW, the RFC Index search engine says that RFC 3278 has been obsoleted by RFC 5753. You should reference that one (which hopefully makes the same statements regarding ukm). Whoops! Good catch. Fortunately, the draft already did reference RFC 5753. My brain, on the other hand, seem to be taking longer to catch up. ;-) Thanks. -- Jonathan Herzog voice: (781) 981-2356 Technical Staff fax: (781) 981-7687 Cyber Systems and Technology Group email: jherzog@ll.mit.edu MIT Lincoln Laboratory www: http://www.ll.mit.edu/CST/ 244 Wood Street Lexington, MA 02420-9185
- [secdir] Secdir review of draft-herzog-static-ecd… Brian Weis
- Re: [secdir] Secdir review of draft-herzog-static… Brian Weis
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Brian Weis
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Brian Weis
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Stephen Farrell
- Re: [secdir] Secdir review of draft-herzog-static… David McGrew
- Re: [secdir] Secdir review of draft-herzog-static… David McGrew
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Stephen Farrell
- Re: [secdir] Secdir review of draft-herzog-static… David McGrew
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… David McGrew
- Re: [secdir] Secdir review of draft-herzog-static… Sean Turner
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Uri Blumenthal
- Re: [secdir] Secdir review of draft-herzog-static… Sean Turner
- Re: [secdir] Secdir review of draft-herzog-static… Stephen Farrell
- Re: [secdir] Secdir review of draft-herzog-static… Stephen Farrell
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Herzog, Jonathan - 0668 - MITLL
- Re: [secdir] Secdir review of draft-herzog-static… Uri Blumenthal