Re: [tcpm] Comments on draft-ietf-tcpm-tcp-ao-crypto-01
Gregory Lebovitz <gregory.ietf@gmail.com> Wed, 10 February 2010 08:52 UTC
Return-Path: <gregory.ietf@gmail.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B120F3A768D for <tcpm@core3.amsl.com>; Wed, 10 Feb 2010 00:52:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.401
X-Spam-Level:
X-Spam-Status: No, score=-102.401 tagged_above=-999 required=5 tests=[AWL=0.197, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uLTgs4H9abN9 for <tcpm@core3.amsl.com>; Wed, 10 Feb 2010 00:52:28 -0800 (PST)
Received: from mail-bw0-f219.google.com (mail-bw0-f219.google.com [209.85.218.219]) by core3.amsl.com (Postfix) with ESMTP id 1888B3A768B for <tcpm@ietf.org>; Wed, 10 Feb 2010 00:52:27 -0800 (PST)
Received: by bwz19 with SMTP id 19so1674352bwz.28 for <tcpm@ietf.org>; Wed, 10 Feb 2010 00:53:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=Lt1e0SwFMQxoJmCtIXAtgspWi7WK3Amkom6w5g/ASN0=; b=TF+4QHMjVZa3Et9IP4Z4VFrI/gk4YV+xGTv62b2G+dFDA8Egvg3o5aYZPJT9IbrMfo 8atr3YwWDx2ncLFyCdhHr3kwCqlMFhlN9yJJ4L5jiEXdt0JiAzxjSJQ7k6dSwGT6tInG RzcrRbLLvdrakuYe5W6mLinP+L4llf7E3frpg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=DYo/TJyZ/YC9B1MqPqff3pXTs7vomXn1ZRjEFr/OJRrLIjKS752XRXGStZTsZh66uV VKXD8Pu8+HFcVC87aa3/GS2uvIvvLoyG2ftaJG0XeUDTXTam6A8+s8D+H9T5JZzeHlKw DsnhBZsBwR+qQjIWHLy+BrvFp3MKGAwy6+Qjc=
MIME-Version: 1.0
Received: by 10.204.5.140 with SMTP id 12mr2471828bkv.36.1265792014139; Wed, 10 Feb 2010 00:53:34 -0800 (PST)
In-Reply-To: <2ACBDA51-146B-4E60-8656-2C96F1ADDEA0@cisco.com>
References: <2ACBDA51-146B-4E60-8656-2C96F1ADDEA0@cisco.com>
Date: Wed, 10 Feb 2010 00:53:34 -0800
Message-ID: <f1548841002100053o7b7c04f0n7185b5f2920d619d@mail.gmail.com>
From: Gregory Lebovitz <gregory.ietf@gmail.com>
To: Brian Weis <bew@cisco.com>
Content-Type: multipart/alternative; boundary="0015175907dc5cc2c1047f3b2bac"
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Comments on draft-ietf-tcpm-tcp-ao-crypto-01
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2010 08:52:29 -0000
Hey Brian, Thanks a ton for the very thoughtful review. Comments inline.. On Thu, Jan 14, 2010 at 9:49 AM, Brian Weis <bew@cisco.com> wrote: > Hi Gregory, > > In prototyping TCP-AO, I noticed the following relatively minor issues with > this draft, but not fixing them has interoperability consequences. > > 1. In order to have an interoperable KDF, the number of bytes for "i" (the > counter) and "Output_length" need to be defined. If one side hashes a 4 byte > value and the other a 1 byte value, the resulting KDF output will differ. I > suggest amending the text something similar to as follows: > > * In the description of "i", after the sentence "A counter, a binary > string that is an input to each > iteration of the PRF in counter mode." add the following sentence: "The > counter is represented in a single octet." > Yup. Great catch. In NIST SP-800-108, this is called "r" and it is a fixed value that must be indicated for a KDF in counter mode, and is defined as "The length of the binary representation of the counter i. " So I'll add your suggested text, with this minor modification: s/counter is/counter "i" is/ done. > * In the description of "Output_length" add a sentence after "The length > in bits of the key that the KDF will produce." add "The Output_length is > represented within two octets." > done. I'm hoping that 2 octets, or 65535 bits, as a max length is enough for a key length 10 or 20 years from now. If not, someone say so and we can change it during IETF last call. > I believe 255 iterations ought to be enough for an KDF, which is why I > suggest one octect for "i". Also, the overall length of key being produce > shouldn't be larger than 65535 bytes. It's length in *bits* not *bytes*, big difference. Still think 65535 bits is big enough to outlast the protocol's useful life on the wire? > If you're concerned with arbitrary limiting the size of the values for all > KDFs that might be defined in the future, you could instead make these > statements part of the definition of KDF_HMAC_SHA1 and KDF_AES_128_CMAC. I > doesn't matter to me, I just have observed that if everyone doesn't do it > the same way there are issues! > > 2. This example in Section 3.1.1 doesn't match SP 800-108: > > Traffic_Key = KDF_alg(Master_Key, 0 || Label || Context || > Output_length) || > KDF_alg(Master_Key, 1 || Label || Context || > Output_length) > > All of the KDFs in SP 800-108 start the counter at "1", not "0". I just read through SP 800-108 again, and you are 100% right, all the KDF examples have "for i = 1 to n". Excellent catch. Not sure where I got "0" from. > It would be very helpful to start the counter here at "1" as well. As one > data point, I could not use my general-purpose KDF that conforms with SP > 800-108 for TCP-AO, which was annoying. I also think this singly > inconsistency could easily lead to errors in implementations that don't > noticed the difference. > Agreed. In 3.1.1 I changed the example you showed above so that s/0/1/ and s/1/2/. I also changed and text in the paragraph ahead of it to match. Last, I added this text to the definition of "i": "i" always starts = 1 Thanks for catching these very small, but enormously imactful little bugs. Much appreciated. Look for -02 to publish shortly after this email is sent. Gregory. > Thanks, > Brian > > -- > Brian Weis > Router/Switch Security Group, ARTG, Cisco Systems > Telephone: +1 408 526 4796 > Email: bew@cisco.com > > > > -- ---- IETF related email from Gregory M. Lebovitz Juniper Networks
- [tcpm] Comments on draft-ietf-tcpm-tcp-ao-crypto-… Brian Weis
- Re: [tcpm] Comments on draft-ietf-tcpm-tcp-ao-cry… Gregory Lebovitz