Re: [lamps] Benjamin Kaduk's Discuss on draft-ietf-lamps-cms-mix-with-psk-06: (with DISCUSS and COMMENT)

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 23 August 2019 18:10 UTC

References: <156597611893.31967.2500700648100356711.idtracker@ietfa.amsl.com> <B73FED9C-8983-4CFE-AD66-E548CEEAD45B@vigilsec.com> <20190823020007.GZ60855@kduck.mit.edu> <CAMm+Lwhs5HKsQ3EQ+cZ5m8GLF7XvDY803x9WX=HKsgEN9hH+7w@mail.gmail.com> <20190823165842.GB60855@kduck.mit.edu>
In-Reply-To: <20190823165842.GB60855@kduck.mit.edu>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 23 Aug 2019 14:10:11 -0400
Message-ID: <CAMm+LwjcsnmHkYm=mL=m3j5MWKHARgDSn87DXjQELXq3-mob6A@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>, IESG <iesg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/L2qVJyuWdLbHayWn-Y3_j28OpH0>
Subject: Re: [lamps] Benjamin Kaduk's Discuss on draft-ietf-lamps-cms-mix-with-psk-06: (with DISCUSS and COMMENT)

On Fri, Aug 23, 2019 at 12:58 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> Hi Phill,
>
> On Thu, Aug 22, 2019 at 11:07:12PM -0400, Phillip Hallam-Baker wrote:
> > On Thu, Aug 22, 2019 at 10:00 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
> >
> > > Hi Russ,
> > >
> > > I think my main question is whether we're comfortable using a KDF
> > > abstraction like the above (KDF(secret, otherInput)) in a fully general
> > > sense, and asking for this mix-with-psk to work properly for all possible
> > > KDFs.  For example, would you be comfortable using the construction in this
> > > document with PBKDF1 as the KDF?  I don't even see where we could slot in
> > > the PSK from this document into PBKDF1 -- the API just doesn't seem to be
> > > flexible enough.  PBKDF2 allows a more-than-8-octet salt, but is that going
> > > to provide the kind of mixing that we need?
> > >
> > > I just don't know if all KDFs are going to guarantee the contributory
> > > behavior from the otherInput that we need in order for this scheme to work.
> > >
> >
> > The ability to change algorithm is a good thing. But proliferation of
> > mechanisms is not. I really dislike the fact that we have three dozen SASL
> > mechanisms that do the same thing.
> >
> > The ability to use a KDF keyed by a different hash function seems like it
> > is useful agility.
> >
> > I really cannot imagine a situation in which we discovered an urgent need
> > to move away from HKDF that didn't require us to think really hard about
> > the replacement algorithm as well.
>
> While I agree with you, I'm not entirely sure what you see as the
> consequences for this document.  Are you proposing that we just restrict
> its usage to HKDF-based KDFs for now?
>

Given your comments, I think that works better than trying to abstract out
an API and then map other KDFs onto it.

Since we build KDFs on a hash function, the API pretty much defines the KDF
structure. There are design choices in a KDF but I really hope they are not
security concerns because that would suggest HMAC is broken or we don't
know how to use a MAC.

I see the choice of KDF as being a part of the CMS specification that just
happens to be available for re-use in other specifications. While there may
be good reason to add to the number of KDFs supported, I don't think we
need to anticipate or plan for that.
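The following is an added example written for this archive page; it is not code from the draft, from Phillip Hallam-Baker or from Benjamin Kaduk. It makes the thread's abstraction KDF(secret, otherInput) concrete: the key-derivation key is the secret, and the PSK is carried inside otherInput (here as a simple length-prefixed byte string, an assumption that does not reproduce the draft's actual otherInput encoding). HKDF (RFC 5869) is implemented from the standard library so it runs offline and can be checked against the RFC's first test vector; PBKDF2 comes from hashlib; PBKDF1 follows the RFC 8018 shape with its fixed 8-octet salt. The check at the end only establishes whether a KDF has a slot for otherInput and whether the output at least changes with the PSK; it says nothing about whether the mixing is cryptographically adequate, which is the question the thread leaves open and the reason for restricting to HKDF-based KDFs.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM); an empty salt is HashLen zero octets."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), concatenated to length octets."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, info: bytes, length: int, salt: bytes = b"", hash_name: str = "sha256") -> bytes:
    """HKDF keyed by an arbitrary hash; this parameter is the agility the thread considers useful."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def pbkdf1(password: bytes, salt: bytes, iterations: int, length: int) -> bytes:
    """RFC 8018 PBKDF1 shape (SHA-1 here): T1 = Hash(P || S), Ti = Hash(Ti-1). The salt is exactly 8 octets."""
    if len(salt) != 8:
        raise ValueError("PBKDF1 salt must be exactly 8 octets")
    if length > hashlib.sha1().digest_size:
        raise ValueError("PBKDF1 cannot derive more than one hash output")
    t = hashlib.sha1(password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.sha1(t).digest()
    return t[:length]


def other_input(psk: bytes, context: bytes) -> bytes:
    """Assumed otherInput layout: 2-octet PSK length, PSK, then protocol context. Not the draft's encoding."""
    return len(psk).to_bytes(2, "big") + psk + context


def derive_kek(kdk: bytes, psk: bytes, context: bytes, kdf: str, length: int = 32) -> bytes:
    """KDF(secret, otherInput) with the PSK inside otherInput, for each KDF family named in the thread."""
    oi = other_input(psk, context)
    if kdf == "hkdf":
        return hkdf(kdk, oi, length)           # otherInput has a natural slot: the info parameter
    if kdf == "pbkdf2":
        # PBKDF2 only has a password and a salt, so the salt is the only place otherInput can go
        return hashlib.pbkdf2_hmac("sha256", kdk, oi, 1000, length)
    if kdf == "pbkdf1":
        return pbkdf1(kdk, oi, 1000, length)  # raises: the API has no room for otherInput
    raise ValueError(f"unknown kdf {kdf!r}")


def kdf_slots_psk(kdf: str) -> bool:
    """True if the KDF accepts otherInput and changing only the PSK changes the derived KEK.
    A necessary condition for contributory behaviour, not a sufficient one."""
    kdk = b"\x11" * 32                          # constructed key-derivation key
    ctx = b"constructed-context"
    try:
        a = derive_kek(kdk, b"psk-one", ctx, kdf)
        b = derive_kek(kdk, b"psk-two", ctx, kdf)
    except ValueError:
        return False
    return a != b


if __name__ == "__main__":
    for name in ("hkdf", "pbkdf2", "pbkdf1"):
        print(f"{name:7s} slots the PSK into otherInput: {kdf_slots_psk(name)}")
```

Run as a script it reports that HKDF and PBKDF2 accept the otherInput carrying the PSK while PBKDF1 cannot, which is the API mismatch Kaduk describes. The `hash_name` parameter on `hkdf` is the only form of agility this example offers, matching the reply's preference for one KDF structure keyed by different hashes rather than an abstraction spanning unrelated KDF designs.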