Re: [secdir] [Cfrg] ISE seeks help with some crypto drafts

Tony Arcieri <bascule@gmail.com> Fri, 08 March 2019 18:45 UTC

References: <1d8de489fc976b63a911573300a431d4.squirrel@www.amsl.com> <alpine.LRH.2.21.1903081227200.30421@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1903081227200.30421@bofh.nohats.ca>
From: Tony Arcieri <bascule@gmail.com>
Date: Fri, 08 Mar 2019 10:45:36 -0800
Message-ID: <CAHOTMVLtjVxZNy3bFRn09xH+cOw+tPi2CL3BkaQuJEqxAzGOJg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "RFC ISE (Adrian Farrel)" <rfc-ise@rfc-editor.org>, CFRG <cfrg@irtf.org>, secdir <secdir@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vDcPbGVLJraHp1wxTbqjXrwDNxQ>

On Fri, Mar 8, 2019 at 9:53 AM Paul Wouters <paul@nohats.ca> wrote:

> I have strong reservations about the ocb draft. Rogaway has patents
> on OCB, and has put constraints on its use, and there is no generic IPR
> statement that the IETF normally likes to see for work published as
> RFC. Until such a time, I do not think publishing RFCs with OCB is
> advised. A few years ago I asked the TLS OCB authors about extending
> their allowed usage to IKE/IPsec and they told me this use was not
> covered by Rogaway's license to them. While this has since changed a bit,
> and there is no longer a specific TLS-only license, other constraints are
> still in place. Specifying OCB documents that cannot be implemented or
> deployed indiscriminately is troublesome.
>

I would agree the IPR story for OCB is presently bad.

Rogaway had previously voiced interest in completely resolving the patent
situation (i.e. disavowing the patents, with an attorney's assistance);
however, sadly, it seems he never completed this work. Perhaps I can attempt
to get the ball rolling on that again...

> Second, I'm not a cryptographer, but it seems OCB has recently seen some
> attacks that might impact the security of OCB:
>
> Cryptanalysis of OCB2
> https://eprint.iacr.org/2018/1040
>
> Breaking the confidentiality of OCB2
> https://eprint.iacr.org/2018/1087
>
> Plaintext Recovery Attack of OCB2
> https://eprint.iacr.org/2018/1090

There are three variants of OCB: OCB1, OCB2, and OCB3.

These attacks apply to OCB2. They do not apply to OCB1 or OCB3.

OCB3 is realistically what we should be using provided the IPR story can be
cleared up.

-- 
Tony Arcieri