IETF Logo Mail Archive

Re: [tcpm] handling variable length keys in draft-lebovitz-ietf-tcpm-tcp-ao-crypto

Eric Rescorla <ekr@networkresonance.com> Mon, 27 July 2009 15:05 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8D6083A6AE8 for <tcpm@core3.amsl.com>; Mon, 27 Jul 2009 08:05:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[AWL=-0.513, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iQqJOcXWt3Aq for <tcpm@core3.amsl.com>; Mon, 27 Jul 2009 08:05:31 -0700 (PDT)
Received: from kilo.networkresonance.com (74-95-2-169-SFBA.hfc.comcastbusiness.net [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id B1EB73A6A7B for <tcpm@ietf.org>; Mon, 27 Jul 2009 08:05:31 -0700 (PDT)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 42E941D2F19; Mon, 27 Jul 2009 08:08:19 -0700 (PDT)
Date: Mon, 27 Jul 2009 08:08:18 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: "Polk, William T." <william.polk@nist.gov>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C49307859925B8@MBCLUSTER.xchange.nist.gov>
References: <D7A0423E5E193F40BE6E94126930C49307859925B8@MBCLUSTER.xchange.nist.gov>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20090727150819.42E941D2F19@kilo.networkresonance.com>
Cc: "Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com>, "housley@vigilsec.com" <housley@vigilsec.com>, "mcgrew@cisco.com" <mcgrew@cisco.com>, "tcpm@ietf.org" <tcpm@ietf.org>
Subject: Re: [tcpm] handling variable length keys in draft-lebovitz-ietf-tcpm-tcp-ao-crypto
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2009 15:05:32 -0000

At Sun, 26 Jul 2009 11:40:50 -0400,
Polk, William T. wrote:
> 
> Gregory,
> 
> As requested, Pasi and I took a look at how draft-lebovitz-ietf-tcpm-tcp-ao-crypto
> handles the AES-CMAC case when the master key is not 128 bits.
> 
> The method currently used (using AES-CMAC with a known fixed key as a
> "randomness extractor") is basically the same as used in IKEv2 (RFC
> 4615 and 4434), except IKEv2 uses all-zeroes key (but the specific
> value of the known fixed key shouldn't matter much -- just pick one).
> 
> Using the same method in TCP-AO would be acceptable us, and seems
> strongly preferable to requiring network admins to configure exactly
> 128 bit keys.
> 
> Other methods of getting from "what the admin configures" to 128 bits
> could work, too. Since the output of this step is *only* used as the
> key for further PRF calculations (and for *nothing* else), the
> requirements for it are very limited. If all keys were <= 128 bits,
> even something trivial such as padding with zeroes would work -- so
> this step doesn't even have to be one-way.

It seems like you're putting a lot of weight on AES to assume that
a key that is 24 random bits and 104 bits of zeros at the end
really has strength 2^24

-Ekr

v2.23.0 | Report a Bug | By Email