[tcpm] Re: Feedback on draft-ietf-tcpm-tcp-ao-algs-00

Eric Biggers <ebiggers@google.com> Wed, 29 April 2026 22:16 UTC

Date: Wed, 29 Apr 2026 22:16:15 +0000
From: Eric Biggers <ebiggers@google.com>
To: "Bonica, Ron" <ronald.bonica=40hpe.com@dmarc.ietf.org>
CC: "Bonica, Ron" <ronald.bonica@hpe.com>, "tcpm@ietf.org" <tcpm@ietf.org>
Subject: [tcpm] Re: Feedback on draft-ietf-tcpm-tcp-ao-algs-00
Message-ID: <20260429221615.GA746420@google.com>
In-Reply-To: <DM4PR84MB23107B9C52B76D0859820A63F4372@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM>
References: <20260428065832.GB3813922@google.com> <DM4PR84MB231066C41AAFD689B58D21FFF4372@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM> <20260428171608.GA42950@google.com> <DM4PR84MB23107B9C52B76D0859820A63F4372@DM4PR84MB2310.NAMPRD84.PROD.OUTLOOK.COM>
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/3rT4qeCnq9NBYNm9G3YvnrM4fyA>

On Tue, Apr 28, 2026 at 05:42:14PM +0000, Bonica, Ron wrote:
> Folks,
> 
> I would be happy to trim the draft down to 1 KDF (HMAC-SHA256) and one MAC (HMAC-SHA256-128).
> 
> Does the WG agree?

Is the missing entropy extraction planned to be fixed as well, or is
that issue planned to be carried over from the HMAC-SHA1 support?

RFC5926 is clear that the user-provided "key" doesn't necessarily
contain full entropy for its length:

    "The Master_Key is used as the seed for the KDF.  We assume that
    this is a human-readable pre-shared key (PSK); thus, we assume it is
    of variable length."

Yet, TCP-AO uses Master_Key directly as an HMAC-SHA1 key, without first
running an entropy extractor on it (e.g., passing it as the message into
HMAC-SHA1 with an all-zeroes key).  The proposed additional algorithms
carry over this same issue.

This doesn't follow cryptographic best practices, and it makes the
system hard to analyze.  Specifically, its security depends on the
internal structure of HMAC, rather than on HMAC simply being a PRF.
I think it's probably okay in practice, but it's an odd quirk that
shouldn't really exist, especially in a new proposal.

It can be fixed by adding an entropy extraction step, like what TCP-AO
already specifies for AES-128-CMAC.

Alternatively it could be required that the user-provided key has full
entropy.  But I wouldn't recommend that: it would be error-prone to
introduce that usage requirement into TCP-AO now, when it didn't have it
from the beginning.

- Eric
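The following is an added illustration of the point made in the message above; it is not code from the message, from the draft, or from any TCP-AO implementation. It contrasts the RFC 5926 style of using the raw Master_Key as the HMAC-SHA1 key with the entropy-extraction step the message suggests (HMAC-SHA1 under an all-zeroes key over the Master_Key). Assumptions: the KDF input layout `i || "TCP-AO" || Context || Output_Length` is modelled on RFC 5926, the all-zeroes extractor key is taken to be 20 bytes, and the context bytes are a constructed placeholder rather than a real socket pair.

```python
import hashlib
import hmac

# Constructed constants for illustration; nothing here comes from a real session.
LABEL = b"TCP-AO"                                  # KDF label used by RFC 5926
OUTPUT_LENGTH = (160).to_bytes(2, "big")           # 16-bit output length field, 160 bits for SHA-1
ZERO_KEY = bytes(hashlib.sha1().digest_size)       # all-zeroes extractor key (assumption: 20 bytes)


def kdf_input(context: bytes, i: int = 1) -> bytes:
    """Build the KDF input block: i || Label || Context || Output_Length (modelled on RFC 5926)."""
    return bytes([i]) + LABEL + context + OUTPUT_LENGTH


def kdf_direct(master_key: bytes, context: bytes) -> bytes:
    """RFC 5926 style: the human-supplied, variable-length Master_Key is the HMAC key as-is."""
    return hmac.new(master_key, kdf_input(context), hashlib.sha1).digest()


def extract(master_key: bytes) -> bytes:
    """Entropy extraction step suggested in the mail (assumed construction):
    HMAC-SHA1 keyed with all zeroes over the Master_Key, giving a fixed 160-bit key."""
    return hmac.new(ZERO_KEY, master_key, hashlib.sha1).digest()


def kdf_extracted(master_key: bytes, context: bytes) -> bytes:
    """Same KDF input, but keyed with the extracted 20-byte key instead of the raw PSK."""
    return hmac.new(extract(master_key), kdf_input(context), hashlib.sha1).digest()


def compare(context: bytes) -> dict:
    """Show why the direct construction leans on HMAC's key-handling internals.

    HMAC zero-pads keys shorter than the hash block size (64 bytes for SHA-1) and
    pre-hashes keys longer than it, so distinct PSKs can collapse to the same HMAC key.
    After extraction the PSK is HMAC *input*, not HMAC key, and that collapse disappears.
    """
    short, short_padded = b"correct horse", b"correct horse\x00"
    long_key = b"A" * 70                           # longer than the 64-byte SHA-1 block size
    long_prehashed = hashlib.sha1(long_key).digest()
    return {
        # raw PSK as HMAC key: "k" and "k || 0x00" derive identical traffic keys
        "direct_short_collides": kdf_direct(short, context) == kdf_direct(short_padded, context),
        # raw PSK as HMAC key: a >64-byte PSK and its SHA-1 digest are interchangeable
        "direct_long_collides": kdf_direct(long_key, context) == kdf_direct(long_prehashed, context),
        # with the extraction step, the same pairs derive different traffic keys
        "extracted_short_collides": kdf_extracted(short, context) == kdf_extracted(short_padded, context),
        "extracted_long_collides": kdf_extracted(long_key, context) == kdf_extracted(long_prehashed, context),
    }


if __name__ == "__main__":
    # Constructed 20-byte IPv4 context (src addr, dst addr, src port, dst port, src ISN, dst ISN).
    ctx = bytes.fromhex("0a000001 0a000002 1f90 c350 00000001 00000002")
    for name, value in compare(ctx).items():
        print(f"{name}: {value}")
```

The first two results come out True and the last two False: without extraction, the derived traffic keys are only as distinct as HMAC's own key padding and pre-hashing make them, which is exactly the dependence on HMAC internals the message objects to. With the extraction step, the Master_Key is consumed as HMAC input and only the PRF property of HMAC is relied on.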