[tcpm] handling variable length keys with AES-128-CMAC in TCP-AO-crypto draft
"Gregory M. Lebovitz" <gregory.ietf@gmail.com> Thu, 23 July 2009 01:59 UTC
Return-Path: <gregory.ietf@gmail.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B530B3A6B86 for <tcpm@core3.amsl.com>; Wed, 22 Jul 2009 18:59:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.411
X-Spam-Level:
X-Spam-Status: No, score=-2.411 tagged_above=-999 required=5 tests=[AWL=0.188, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QEsjOCNrtxcW for <tcpm@core3.amsl.com>; Wed, 22 Jul 2009 18:59:30 -0700 (PDT)
Received: from wa-out-1112.google.com (wa-out-1112.google.com [209.85.146.176]) by core3.amsl.com (Postfix) with ESMTP id DABE73A693F for <tcpm@ietf.org>; Wed, 22 Jul 2009 18:59:30 -0700 (PDT)
Received: by wa-out-1112.google.com with SMTP id v27so81074wah.5 for <tcpm@ietf.org>; Wed, 22 Jul 2009 18:59:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:x-mailer :x-priority:date:to:from:subject:cc:mime-version:content-type; bh=U14YaYhJwHmntjtTaDyx9skzwM//9m8tNFn6A8PzevE=; b=kZ/04c6OR5Eaxj7AdBdAZgP0Vifl8Aqrha/dszAkY6lAgiFGTNI8bZPnpqzHC1M9Cx DLDOUgZATTCOuijCYtR5ZaPeBiRyr7Ao7p6E54YTRHPdlvGNDIuFKGu09TdR+fg6C2/L rRgJ9KIbVJMr81LAF3LEzkEO9S8SfghPm4O5o=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:x-mailer:x-priority:date:to:from:subject:cc:mime-version :content-type; b=I02LRX9tmaMTkC+YRtzNzvkKcCkEjYwTJ80er0z5+uH/GfgX0hoCl345aHnTB2t/Nk AI7QhFJHc6qMVz+SKOTxdJJtme77jBVMRYsaiz6G61oftjFYVmPtYghSQxAJTYirFJUn h/1qsnp3zAlM7siflMzE5VNI61RhrG5dW0UIw=
Received: by 10.114.72.12 with SMTP id u12mr1505096waa.28.1248314361941; Wed, 22 Jul 2009 18:59:21 -0700 (PDT)
Received: from Gregory-T60.gmail.com (natint3.juniper.net [66.129.224.36]) by mx.google.com with ESMTPS id n33sm2302846wag.21.2009.07.22.18.59.20 (version=SSLv3 cipher=RC4-MD5); Wed, 22 Jul 2009 18:59:21 -0700 (PDT)
Message-ID: <4a67c3f9.21d7720a.312b.ffffbc9d@mx.google.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
X-Priority: 1 (Highest)
Date: Wed, 22 Jul 2009 18:59:18 -0700
To: Eric Rescorla <ekr@rtfm.com>, David McGrew <mcgrew@cisco.com>, Brian Weis <bew@cisco.com>, Tim Polk <tim.polk@nist.gov>
From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: tcpm@ietf.org
Subject: [tcpm] handling variable length keys with AES-128-CMAC in TCP-AO-crypto draft
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2009 01:59:31 -0000
Team,
So, Dave McGrew doesn't like the idea of using the variable length
master key in the input portion of AES-128-CMAC, and using some fixed
128 bit blob in the key portion in a key-sizing pre-run, in order to
get a 128 bit key from a variable length key in order to feed that
back into the AES-128-CMAC a second time to get the traffic key.
(i.e. the method currently documented in
draft-lebovitz-ietf-tcpm-tcp-ao-crypto-01, and used in rfc 4615)
We are trying to handle the case where MK is the *variable length*
master key, and sometimes MK < 128 bits, and sometimes MK > 128 bits,
and sometimes VK = 128 bits.
If we constrain the problem to:
- we need to show people what to do if they get variable length keys
- we don't want to use any other PRF in the AES-128-CMAC case (i.e.
mandating the use of yet another algo like SHA256 increases the
burden on implementations, and, for agility reasons we don't want the
AES KDF to be built atop SHA1),
- the same variable length master key entered on two different
implementations MUST produce the same traffic key for any given connection,
then, could we solve it like this:
- Normative text: AES-128-CMAC needs a 128-bit key. Therefore
administrators SHOULD use a suitable key of exactly 128 bits, as
represented by a 16 character ASCII string. Implementation UI's
SHOULD force the administrators to enter a 128-bit key when selecting
AES-128-CMAC as the KDF. UI's SHOULD reject with an error any key not
equal in length to 128 bits. If, for whatever reason this is not
acceptable for certain environments, implementations MAY consider
accepting keys from the UI with lengths not equal to 128bits and
using AES-128-CMAC as described in appendix A to create a 128-bit key
from a non-128-bit string.
- Appendix A (non-Normative):
- if the UI will allow strings of length not equal to 128 bits, and
- if you get a string > 128-bit or <128-bit, then
- if > 128-bit, truncate the string to 128-bits, and use them as the key
- if < 128-bit, pad the end of the string with zeros until the
string length equals 128-bit, and use that as the key string.
I realize this isn't great, but I'm not sure how else to solve the
problem that hasn't already been shot down. If neither the method in
draft-01 nor the above work for you, then PLEASE send text for
something better. Remember, we need to get this done asap, and I'd
like to have a scrubbed proposal for the TCPM WG meeting in Stockholm.
Thanks,
Gregory.
+++++++++++++++++++++++
IETF-related email from
Gregory M. Lebovitz
Juniper Networks
g r e go r y d o t i e tf a t g m a i l do t c o m
- [tcpm] handling variable length keys with AES-128… Gregory M. Lebovitz
- Re: [tcpm] handling variable length keys with AES… Eric Rescorla