[tcpm] Review of draft-lebovitz-ietf-tcpm-tcp-ao-crypto-01
Eric Rescorla <ekr@networkresonance.com> Sun, 26 July 2009 23:43 UTC
Return-Path: <ekr@networkresonance.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE1803A68E7 for <tcpm@core3.amsl.com>; Sun, 26 Jul 2009 16:43:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.634
X-Spam-Level:
X-Spam-Status: No, score=-1.634 tagged_above=-999 required=5 tests=[AWL=0.965, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPjbf0mA+Xz5 for <tcpm@core3.amsl.com>; Sun, 26 Jul 2009 16:43:15 -0700 (PDT)
Received: from romeo.rtfm.com (romeo.rtfm.com [74.95.2.173]) by core3.amsl.com (Postfix) with ESMTP id A6CE33A6866 for <tcpm@ietf.org>; Sun, 26 Jul 2009 16:43:15 -0700 (PDT)
Received: from romeo.rtfm.com (localhost.rtfm.com [127.0.0.1]) by romeo.rtfm.com (Postfix) with ESMTP id 18D7A50822 for <tcpm@ietf.org>; Sun, 26 Jul 2009 16:46:51 -0700 (PDT)
Date: Sun, 26 Jul 2009 16:46:51 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: tcpm@ietf.org
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20090726234651.18D7A50822@romeo.rtfm.com>
Subject: [tcpm] Review of draft-lebovitz-ietf-tcpm-tcp-ao-crypto-01
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jul 2009 23:43:16 -0000
$Id: draft-lebovitz-ietf-tcpm-tcp-ao-crypto-01-rev.txt,v 1.1 2009/07/26 22:40:47 ekr Exp $
TECHNICAL
S 3.1.
This mixing of the KDF interface and the NIST 800-108 interface
is extraordinarily confusing.
To recap:
The input to the KDF requires:
- Master Key
- Context (i.e., the conn-data)
- Output length
Now, as it happens, you're constructing your KDFs a la SP800-108,
so you then use the relevant PRF with an input block constructed
as:
( i || Label || Context || Output_Length)
But that is not a meaningful part of the interface to the KDF
as far as AO is concerned. If you were (for instance) to define
a new TLS PRF based KDF, you would not use i internally because
the TLS PRF generates an arbitrary length string. Again, it's
important to distinguish between the TCP-AO requirements and
what this document happens to do.
S 3.1.3.
Wait, I don't remember agreeing to this. I'm happy to use these
as labels in soem IANA registry, byt people's UI is not our
business.
EDITORIAL
S 2.2.
The security issues driving the migration from SHA-1 to SHA-256 for
digital signatures [HMAC-ATTACK] [HMAC-ATTACK]do not immediately
render SHA-1 weak for this application of SHA-1 in HMAC mode. The
security strength of SHA-1 HMACs should be sufficient for the
foreseeable future, especially given that the tags are truncated to
96 bits. However, while it's clear that the attacks aren't practical
on SHA-1, these types of analysis are mounting and could potentially
pose a concern for HMAC forgery if they were significantly improved,
over time. In anticipation of SHA-1's growing less dependable over
time, but given its wide deployment and current strength, it is a
"MUST" for TCP-AO today. AES-128 CMAC is considered to be far
stronger algorithm, but may not yet have very wide implementation.
It is also a "MUST" to implement, in order to drive vendors toward
its use.
This is simply not true. It's not at all clear that AES-128-CMAC is
stronger than HMAC-SHA1, and I don't believe you could get anything
like a consensus of cryptographers to say that it was. The
MUST-MUST was taken on the basis of a WG hum. I'm fine with that,
but this justification needs to be removed.
S 2.3.
(1) Key Derivation Functions (KDFs) which name a pseudorandom
function (PRF) and use a Master_Key and some connection-
specific Input with that PRF to produce Conn_Keys, the keys
suitable for authenticating and integrity checking
individual TCP segments.
This is confusing. KDFs may or may not be constructed with PRFs.
However, THESE KDFs are so constructed. If you're giong to have
a document which applies to future KDFs, don't say PRF here.
S 3.1.
An octet of all zeros. An optional data field
used to indicate a separation of different
variable length data fields.
This is just dangling.
When invoked, a KDF runs a certain PRF, using the Master_Key as the
seed, and Input as the message input and produces a result of
Output_Length bits. This result may then be used as a cryptographic
key for any algorithm which takes an Output_Length length key as its
seed. A KDF MAY specify a maximum Output_Length parameter.
Again, misplaced concreteness.
Woah, I think my numbered list cut and paste here seems needs some
major re-editing. It was intended for the mailing list, not for
direct import into the document.
S 3.1.1.
It's a mistake to talk about "Output Length" as a property of the KDF.
In principle, this KDF could generate any output length of your
choice by using i=0, i=1, etc.. Why are you nailing it down?
S 3.1.2.
I strongly object to the use of this magic key string here.
S 3.2.
This whole Conn_Key(KDF) thing is confusing. What's it doing?
- [tcpm] Review of draft-lebovitz-ietf-tcpm-tcp-ao-… Eric Rescorla
- Re: [tcpm] Review of draft-lebovitz-ietf-tcpm-tcp… Gregory M. Lebovitz
- Re: [tcpm] Review of draft-lebovitz-ietf-tcpm-tcp… Eric Rescorla