[tcpm] [Errata Rejected] RFC5926 (5267)
RFC Errata System <rfc-editor@rfc-editor.org> Wed, 28 March 2018 14:58 UTC
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5161128954; Wed, 28 Mar 2018 07:58:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qtn1hpLqXRxb; Wed, 28 Mar 2018 07:58:41 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EC20124F57; Wed, 28 Mar 2018 07:58:41 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 36E77B822EB; Wed, 28 Mar 2018 07:58:12 -0700 (PDT)
To: bew@cisco.com, gregory.ietf@gmail.com, ekr@rtfm.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: ietf@kuehlewind.net, iesg@ietf.org, tcpm@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20180328145812.36E77B822EB@rfc-editor.org>
Date: Wed, 28 Mar 2018 07:58:12 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/VGoL7KcW6-ThYu739SKvO9saRaw>
Subject: [tcpm] [Errata Rejected] RFC5926 (5267)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2018 14:58:43 -0000
The following errata report has been rejected for RFC5926, "Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata/eid5267 -------------------------------------- Status: Rejected Type: Technical Reported by: Brian Weis <bew@cisco.com> Date Reported: 2018-02-26 Rejected by: Mirja Kühlewind (IESG) Section: 3.1.1 Original Text ------------- - Label: A binary string that clearly identifies the purpose of this KDF's derived keying material. For TCP-AO, we use the ASCII string "TCP-AO", where the last character is the capital letter "O", not to be confused with a zero. While this may seem like overkill in this specification since TCP-AO only describes one call to the KDF, it is included in order to comply with FIPS 140 certifications. Corrected Text -------------- - Label: A binary string that clearly identifies the purpose of this KDF's derived keying material. For TCP-AO, we use the ASCII string "TCP-AO", where the last character is the capital letter "O", not to be confused with a zero. The ASCII string is terminated with a null octet (0x00). While this may seem like overkill in this specification since TCP-AO only describes one call to the KDF, it is included in order to comply with FIPS 140 certifications. Notes ----- This section states that "Both of these KDFs are based on the iteration-mode KDFs specified in [NIST-SP800-108].", which is later clarified to be the "counter mode" KDF defined in that document. The definition of the "Label" input to the KDF in the original text is not clear. [NIST-SP800-108] specifies that a 0x00 octet should follow the Label. This 0x00 octet is important when the KDF does not have control over the Context given it, which is the case here -- RFC 5926 depends on the definition in RFC 5925. RFC 5925 currently declares two fixed-size inputs for the Context (See Figures 7 & 8 of RFC 5925), so the Context length differs. Also, RFC 5925 RFC could be updated over over time to include other Contexts that are variable sized. The risk of excluding 0x00 is enabling an attacker to choose a specially-crafted Context that violates the clean separation between the Label and Context arguments. Therefore, it is important to include the 0x00 octet for TCP-AO. I believe this 0x00 is implied in the specification of the string "TCP-AO", since conventionally many string definitions include a trailing 0x00 octet, The text should state that the 0x00 octet is present as part of the string. If this errata does not result in adding the 0x00 octet, then its omission needs to be justified. --VERIFIER NOTES-- NIST-SP800-108 does not require the use of 0x00. It only requires that the length and order of each field be defined unambiguously. The method of providing that length unambiguously to the KDF algorithm is an implementation issue. -------------------------------------- RFC5926 (draft-ietf-tcpm-tcp-ao-crypto-03) -------------------------------------- Title : Cryptographic Algorithms for the TCP Authentication Option (TCP-AO) Publication Date : June 2010 Author(s) : G. Lebovitz, E. Rescorla Category : PROPOSED STANDARD Source : TCP Maintenance and Minor Extensions Area : Transport Stream : IETF Verifying Party : IESG
- [tcpm] [Errata Rejected] RFC5926 (5267) RFC Errata System