IETF Logo Mail Archive

Re: [tcpm] handling variable length keys in draft-lebovitz-ietf-tcpm-tcp-ao-crypto

"Polk, William T." <william.polk@nist.gov> Mon, 27 July 2009 06:45 UTC

Return-Path: <william.polk@nist.gov>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 64B6D28C11B for <tcpm@core3.amsl.com>; Sun, 26 Jul 2009 23:45:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.779
X-Spam-Level:
X-Spam-Status: No, score=-6.779 tagged_above=-999 required=5 tests=[AWL=-0.180, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vavhXZlIyDAN for <tcpm@core3.amsl.com>; Sun, 26 Jul 2009 23:45:24 -0700 (PDT)
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by core3.amsl.com (Postfix) with ESMTP id 6183A28C10A for <tcpm@ietf.org>; Sun, 26 Jul 2009 23:45:24 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (wsxghub1.nist.gov [129.6.18.96]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id n6R6jHfU010864; Mon, 27 Jul 2009 02:45:17 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([2002:8106:1260::8106:1260]) with mapi; Mon, 27 Jul 2009 02:45:17 -0400
From: "Polk, William T." <william.polk@nist.gov>
To: Eric Rescorla <ekr@networkresonance.com>, "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
Date: Mon, 27 Jul 2009 02:40:55 -0400
Thread-Topic: [tcpm] handling variable length keys in draft-lebovitz-ietf-tcpm-tcp-ao-crypto
Thread-Index: AcoOSAr8DJq7sEDlTDGDQCn2PGg96AAPSYP3
Message-ID: <D7A0423E5E193F40BE6E94126930C49307859925BA@MBCLUSTER.xchange.nist.gov>
References: <D7A0423E5E193F40BE6E94126930C49307859925B8@MBCLUSTER.xchange.nist.gov>, <20090726232624.B2E5050822@romeo.rtfm.com>
In-Reply-To: <20090726232624.B2E5050822@romeo.rtfm.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: william.polk@nist.gov
X-Mailman-Approved-At: Mon, 27 Jul 2009 08:02:15 -0700
Cc: "Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com>, "tcpm@ietf.org" <tcpm@ietf.org>, "mcgrew@cisco.com" <mcgrew@cisco.com>, "housley@vigilsec.com" <housley@vigilsec.com>
Subject: Re: [tcpm] handling variable length keys in draft-lebovitz-ietf-tcpm-tcp-ao-crypto
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2009 06:45:25 -0000

Ekr,

Your objections on the magic number are well taken.  Since zeroes would
be a holdover from 4615 and 4434, that value won't introduce any new
issues.  I think that would be the best course of action.

Tim

________________________________________
From: Eric Rescorla [ekr@networkresonance.com]
Sent: Sunday, July 26, 2009 7:26 PM
To: Gregory M. Lebovitz
Cc: Polk, William T.; mcgrew@cisco.com; housley@vigilsec.com; tcpm@ietf.org; Pasi.Eronen@nokia.com
Subject: Re: [tcpm] handling variable length keys in draft-lebovitz-ietf-tcpm-tcp-ao-crypto

At Sun, 26 Jul 2009 12:43:37 -0700,
Gregory M. Lebovitz wrote:
>
> Tim,
> This is helpful, thanks. We will proceed toward WG LC with the
> mechanism as represented in draft v-01.

I'll be sending my comments on v-01 shortly, but I object to
the magic number in the current mechanism. If we're going to
use a magic key, it should be zero or some other anchor point.
The use of a random number pulled out of the air is highly
inappropriate in cryptographic systems [I refer you to the
contrroversy over the DES S-boxes].

-Ekr



> If later, after further discussions within the cryptographic
> community, it is decided that the randomness extraction mechanism to
> go from a variable-length user-given string to a 128-bit key would be
> better accomplished some other way, then we can always do a quick
> -bis on the RFC and update the mechanism. That's easy enough for a
> small RFC like this.


> Gregory.
>
> At 08:40 AM 7/26/2009, Polk, William T. wrote:
> >Gregory,
> >
> >As requested, Pasi and I took a look at how
> >draft-lebovitz-ietf-tcpm-tcp-ao-crypto
> >handles the AES-CMAC case when the master key is not 128 bits.
> >
> >The method currently used (using AES-CMAC with a known fixed key as a
> >"randomness extractor") is basically the same as used in IKEv2 (RFC
> >4615 and 4434), except IKEv2 uses all-zeroes key (but the specific
> >value of the known fixed key shouldn't matter much -- just pick one).
> >
> >Using the same method in TCP-AO would be acceptable us, and seems
> >strongly preferable to requiring network admins to configure exactly
> >128 bit keys.
> >
> >Other methods of getting from "what the admin configures" to 128 bits
> >could work, too. Since the output of this step is *only* used as the
> >key for further PRF calculations (and for *nothing* else), the
> >requirements for it are very limited. If all keys were <= 128 bits,
> >even something trivial such as padding with zeroes would work -- so
> >this step doesn't even have to be one-way.  Since we need to handle
> >also keys >128 bits, simple padding isn't enough, of course. If the WG
> >wants AES-only method, the one that's in the draft now seems OK to us.
> >
> >I hope this was helpful.
> >
> >Tim Polk
> >Pasi Eronen
>
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email