IETF Logo Mail Archive

Re: [tcpm] [Technical Errata Reported] RFC5926 (5267)

Joe Touch <touch@strayalpha.com> Wed, 28 February 2018 14:57 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D81C12D952 for <tcpm@ietfa.amsl.com>; Wed, 28 Feb 2018 06:57:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iHVg1Y1WJL-k for <tcpm@ietfa.amsl.com>; Wed, 28 Feb 2018 06:57:05 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6784212D94E for <tcpm@ietf.org>; Wed, 28 Feb 2018 06:57:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=caSTmcVTeLab/Qyhz/wsB2d3nyknoB6bMxeR9plnpA4=; b=1vWZv75XJSj9NNtDdZH1cKkHQ /nGeLA/99TmEfAi0nogYTN1Bfb9pFzGdcyuvima033k11/LWyHrJh9r6wJvT5FFFy+Ktpid3esNvO Bn3pKpvRkOD/kRAK+a3eyIORP8qXXN9/Lb8RHhrdlVaR8OiQN9AeyM0LkY68d1l/waxwVIAnXvV1d b8KoO3r0sdp+oNjxPKyRlvO49FWwxjJ69Ebty1SZ2wJrRuFAz+L1khIo6To2J7F2DWv+qCwk2rVZl zGap9YrIB+WALkTk+BJm7NRmHUuJgHCU0cfxVzT7qqehQvP0xKoRaymROG1WWuEpMrJAz+uvdviso CgzQuM1UQ==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:55779 helo=[192.168.1.87]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89_1) (envelope-from <touch@strayalpha.com>) id 1er39c-000psF-1E; Wed, 28 Feb 2018 09:56:26 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_89F55F3A-87C0-4631-A7B5-0B63C8215D7C"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Joe Touch <touch@strayalpha.com>
In-Reply-To: <20180226190209.F3D43B80E1F@rfc-editor.org>
Date: Wed, 28 Feb 2018 06:56:22 -0800
Cc: gregory.ietf@gmail.com, ekr@rtfm.com, spencerdawkins.ietf@gmail.com, ietf@kuehlewind.net, michael.scharf@nokia.com, tuexen@fh-muenster.de, nishida@sfc.wide.ad.jp, tcpm@ietf.org
Message-Id: <A1D80502-1BFA-4F12-9978-D74DE20EB4CA@strayalpha.com>
References: <20180226190209.F3D43B80E1F@rfc-editor.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
X-Mailer: Apple Mail (2.3445.5.20)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/LXy12HZx3epjgf6LpB6sExn4PPg>
Subject: Re: [tcpm] [Technical Errata Reported] RFC5926 (5267)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2018 14:57:08 -0000

Hi, all,

This errata should be rejected.

NIST-SP800-108 does not require the use of 0x00 (see cited text below). It only requires that the length and order of each field be defined unambiguously. 

The length of “TCP-AO” is clearly and unambiguously 6 octets, as defined in the existing RFC text. The method of providing that length unambiguously to the KDF algorithm is an implementation issue.

Joe

The following text is clear that 0x00 is optional:
> 12) 0x00 – An all zero octet. An optional data field used to indicate a separation of different variable length data fields1.
> 
> 1 This indicator may be considered as a part of the encoding method for the input data and can be replaced by other indicators, for example, an indicator to represent the length of the variable length field. If, for a specific KDF, only data fields with identical length are used, then the indicator may be omitted.
> 
and later, 0x00 is given as a choice used in the example presented, not as a requirement:
> The length for each data field and an order shall be defined unambiguously. For example, the length and the order may be defined as a part of a KDF specification or by the protocol where the KDF is used. In each of the following sections, a specific order for the feedback value, the counter, the Label, the separation indicator 0x00, the Context, and [L]2 is used, assuming that each of them is represented with a specific length. This Recommendation specifies several families of KDFs. Alternative orders for the input data fields may be used for different KDFs. 
> 

---------------------


> On Feb 26, 2018, at 11:02 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been submitted for RFC5926,
> "Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata/eid5267
> 
> --------------------------------------
> Type: Technical
> Reported by: Brian Weis <bew@cisco.com>
> 
> Section: 3.1.1
> 
> Original Text
> -------------
> - Label:     A binary string that clearly identifies the purpose
>                   of this KDF's derived keying material.  For TCP-AO,
>                   we use the ASCII string "TCP-AO", where the last
>                   character is the capital letter "O", not to be
>                   confused with a zero.  While this may seem like
>                   overkill in this specification since TCP-AO only
>                   describes one call to the KDF, it is included in
>                   order to comply with FIPS 140 certifications.
> 
> 
> Corrected Text
> --------------
> - Label:     A binary string that clearly identifies the purpose
>                   of this KDF's derived keying material.  For TCP-AO,
>                   we use the ASCII string "TCP-AO", where the last
>                   character is the capital letter "O", not to be
>                   confused with a zero. The ASCII string is terminated
>                   with a null octet (0x00). While this may seem like
>                   overkill in this specification since TCP-AO only
>                   describes one call to the KDF, it is included in
>                   order to comply with FIPS 140 certifications.
> 
> Notes
> -----
> This section states that "Both of these KDFs are based on the iteration-mode KDFs specified in [NIST-SP800-108].", which is later clarified to be the "counter mode" KDF defined in that document. The definition of the "Label" input to the KDF in the original text is not clear.
> 
> [NIST-SP800-108] specifies that a 0x00 octet should follow the Label. This 0x00 octet is important when the KDF does not have control over the Context given it, which is the case here -- RFC 5926 depends on the definition in RFC 5925. RFC 5925 currently declares two fixed-size inputs for the Context (See Figures 7 & 8 of RFC 5925), so the Context length differs. Also, RFC 5925 RFC could be updated over over time to include other Contexts that are variable sized. The risk of excluding 0x00 is enabling an attacker to choose a specially-crafted Context that violates the clean separation between the Label and Context arguments. Therefore, it is important to include the 0x00 octet for TCP-AO.
> 
> I believe this 0x00 is implied in the specification of the string "TCP-AO", since conventionally many string definitions include a trailing 0x00 octet, The text should state that the 0x00 octet is present as part of the string.
> 
> If this errata does not result in adding the 0x00 octet, then its omission needs to be justified.
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC5926 (draft-ietf-tcpm-tcp-ao-crypto-03)
> --------------------------------------
> Title               : Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)
> Publication Date    : June 2010
> Author(s)           : G. Lebovitz, E. Rescorla
> Category            : PROPOSED STANDARD
> Source              : TCP Maintenance and Minor Extensions
> Area                : Transport
> Stream              : IETF
> Verifying Party     : IESG
> 
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email