[tcpm] TCP-AO crypto, SHA-2 MAC_Length (was: "Re: SHA-2 auth draft on TCP-AO")
Gregory Lebovitz <gregory.ietf@gmail.com> Tue, 30 September 2014 23:19 UTC
Return-Path: <gregory.ietf@gmail.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B95011ACD19 for <tcpm@ietfa.amsl.com>; Tue, 30 Sep 2014 16:19:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.999
X-Spam-Level:
X-Spam-Status: No, score=-101.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gy-mLF6J81F4 for <tcpm@ietfa.amsl.com>; Tue, 30 Sep 2014 16:19:06 -0700 (PDT)
Received: from mail-qc0-x231.google.com (mail-qc0-x231.google.com [IPv6:2607:f8b0:400d:c01::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2BF51ACD18 for <tcpm@ietf.org>; Tue, 30 Sep 2014 16:19:05 -0700 (PDT)
Received: by mail-qc0-f177.google.com with SMTP id c9so9338qcz.36 for <tcpm@ietf.org>; Tue, 30 Sep 2014 16:19:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=OiZ9rl+yZSx8tlEgmbIfhBCSADdpIeTdaPOfJHvIvIY=; b=DeUHE/TCP+fULL19bWfIBUzAcb8LqYaQrN1APDQ/43+PtQVe+qRgMW5qo3hhr7caM2 TmIqMkJbOSyYvE7pqicPuEYonOQOzmb+uWA3QNjHK9+idh1IcqXybs3ZF7Ocsy1E3miS DBfeyii4AygUJ9/nlMcXL8h3sErvtIK+rhavJQRfGZWS0At0SqzqHeNNUs1znVL/6TVB 9OquJq+MEEzCRh4WqjHgU/GirVr5L50uFYGic75PVoB67diZ3fQ3+IT/DIDkDaT4hdgi L2qw5QzDpxoSSvmIF8buUyaANnaWN1L7W4slMAFNJ2uKY1KRnpQm8wwZz/y1AK6swLXc bEsw==
MIME-Version: 1.0
X-Received: by 10.224.11.132 with SMTP id t4mr17028749qat.98.1412119145136; Tue, 30 Sep 2014 16:19:05 -0700 (PDT)
Received: by 10.140.81.166 with HTTP; Tue, 30 Sep 2014 16:19:05 -0700 (PDT)
Date: Tue, 30 Sep 2014 16:19:05 -0700
Message-ID: <CALG4KobLVfnpBWDbAyqxkJj5xw7+bTaURYvXJ0pdWtZ+1DOnJw@mail.gmail.com>
From: Gregory Lebovitz <gregory.ietf@gmail.com>
To: Joe Touch <touch@isi.edu>
Content-Type: multipart/alternative; boundary="001a11c2c20a06d1c90504509caa"
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/DdEh5ZtiJ0iE8KVnZncPtCf1qbM
Cc: "tcpm@ietf.org" <tcpm@ietf.org>
Subject: [tcpm] TCP-AO crypto, SHA-2 MAC_Length (was: "Re: SHA-2 auth draft on TCP-AO")
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2014 23:19:08 -0000
On Fri, Jun 20, 2014 at 11:04 AM, Joe Touch <touch@isi.edu> wrote: > > > On 6/20/2014 9:11 AM, Brian Weis wrote: > >> Hi Joe, >> >> On Jun 18, 2014, at 11:53 AM, Joe Touch <touch@isi.edu> wrote: >> >> >>> >>> On 6/18/2014 11:46 AM, Brian Weis wrote: >>> >>>> Hi Joe & Brandon, >>>> >>>> On Jun 18, 2014, at 10:37 AM, Joe Touch <touch@isi.edu> wrote: >>>> >>>> >>>>> >>>>> On 6/18/2014 6:29 AM, Brandon Williams wrote: >>>>> >>>>>> Hi Sunjeet, >>>>>> >>>>>> The mac lengths of the algorithms specified here increase the option >>>>>> size, don't they? There is a detailed discussion of the option space >>>>>> tradeoffs for tcp-ao in rfc5925 section 7.6, which is based on the >>>>>> fact >>>>>> that all mac lengths would be 96 bits. An I.D. that increases the >>>>>> possible mac lengths should probably revisit that discussion. >>>>>> >>>>> >>>>> +1. >>>>> >>>>> I ought to be trivial to have this approach truncate the MAC, as other >>>>> algorithms do, and for the same reason. >>>>> >>>> >>>> The proposed methods do already truncate the output down to the >>>> minimum recommended by HMAC (RFC 2104), which is 1/2 the size of the MAC >>>> output. >>>> >>> >>> IMO if they cannot be truncated to 96 bits for this use then they >>> are not appropriate for TCP-AO. Using a longer HMAC directly in the >>> TCP-AO field would require this doc to UPDATE RFC 5925, as well as >>> addressing the comments already made on the impact of using the >>> additional space, and I don't think that's a good idea. >>> >> >> I understand the concerns of using too much option space. But can >> you point me to the requirements language requires a maximum of 96 >> bits for the MAC? Although that may have been your intent, I can find >> no such requirement in either RFC 5925 or RFC 5926. >> > > You're correct; TCP-AO allows MACs of (nearly) any length. We had a > discussion on the lengths specified for the specific algorithms in RFC > 5926, and came up with 96 bits. The key question here is "why should these > algorithms be different"? GML> 5296, 3.2 states: - MAC_Length: The final length of the bits used in the TCP-AO MAC field. This value may be a truncation of the MAC function's original output length. GML> and An important aspect to note about these algorithms' definitions for use in TCP-AO is the fact that the MAC outputs are truncated to 96 bits. AES-128-CMAC-96 produces a 128-bit MAC, and HMAC SHA-1 produces a 160-bit result. The MAC output is then truncated to 96 bits to provide a reasonable trade-off between security and message size, for fitting into the TCP-AO option field. GML> we clearly didn't say "MUST be 96 bits, no more", but the last sentence was meant to guide people toward a truncation of the MAC down to 96-bits in order to fit nicely into the -AO option field. There was security review and consensus that truncating a MAC output > 96 bits would be fine. GML> Further, we specifically used known and crypto-industry-vetted specifications for MACs with 96 bit output truncations, to ensure that there would be no crypto issues truncating either MAC down to 96 bits. GML> I haven't researched it, but is there a published NIST spec for HMAC-SHA-256-96. I know there is HMAC-SHA-256-128 in RFC 4868. Are there issues simply truncating further from 128 to 96? (Though I authored the doc, I'm not a cryptographer, so if this is a ridiculous statement to said community, pls forgive my ignorance :-) GML> NOTE: Regardless of the HMAC truncation, the variant PRF (e.g. PRF-HMAC-SHA256) would be un-truncated. GML> Gregory > > > Joe > > > _______________________________________________ > tcpm mailing list > tcpm@ietf.org > https://www.ietf.org/mailman/listinfo/tcpm > -- ---- IETF related email from Gregory M. Lebovitz
- [tcpm] TCP-AO crypto, SHA-2 MAC_Length (was: "Re:… Gregory Lebovitz
- Re: [tcpm] TCP-AO crypto, SHA-2 MAC_Length (was: … Joe Touch
- Re: [tcpm] TCP-AO crypto, SHA-2 MAC_Length (was: … Gregory Lebovitz