IETF Logo Mail Archive

Re: [tcpm] [Technical Errata Reported] RFC5926 (5267)

"Brian Weis (bew)" <bew@cisco.com> Wed, 28 March 2018 19:42 UTC

Return-Path: <bew@cisco.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C9F412762F for <tcpm@ietfa.amsl.com>; Wed, 28 Mar 2018 12:42:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.8
X-Spam-Level:
X-Spam-Status: No, score=-6.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: DNS error: SERVFAIL)" header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qQU9GZEj23BA for <tcpm@ietfa.amsl.com>; Wed, 28 Mar 2018 12:42:13 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E607126DC2 for <tcpm@ietf.org>; Wed, 28 Mar 2018 12:42:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=30292; q=dns/txt; s=iport; t=1522266133; x=1523475733; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=02uBg5PP8Xt52W06rImHvceIXDWWOYwoN/S6KkUew98=; b=SPIpkbku+8S4y6VQLm+seGlbAZJJunzQJU+75WOzHlJqLN9masCIoj2w cdzZVvRH4H4h4aCVdbH3jR5fW01dYF4lkI1TEeqAfihgLzzSGOvTsd++q HjAp63hzlclWj0mmPvc1BqAgFEYlPYy2TL8SnRgkXYIXyoMMDl6asl9E5 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D1AAD07rta/4sNJK1aAxkBAQEBAQEBAQEBAQEHAQEBAQGCTXRhbygKg1KIAI0BgVOBMJJKFIFmCxgBCoRhAhqDcyE0GAECAQEBAQEBAmsohSYCBAEBIUsLEAIBCD8DAgICJQsUEQIEDgWEKmQPq2iCHIhEgimGP4EfghOBDCIMglaBQYFQAQGBKQESATYKJoI5MIIkAociG4VPgzaGcQgCh2U0hg2BL4NWglmEU49QAhETAYEkARw4YXFwFRkhKgGCGAmCI44hb405gSCBFwEB
X-IronPort-AV: E=Sophos; i="5.48,372,1517875200"; d="scan'208,217"; a="91140627"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Mar 2018 19:42:12 +0000
Received: from XCH-RTP-002.cisco.com (xch-rtp-002.cisco.com [64.101.220.142]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id w2SJgCvf028023 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 28 Mar 2018 19:42:12 GMT
Received: from xch-rtp-001.cisco.com (64.101.220.141) by XCH-RTP-002.cisco.com (64.101.220.142) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 28 Mar 2018 15:42:11 -0400
Received: from xch-rtp-001.cisco.com ([64.101.220.141]) by XCH-RTP-001.cisco.com ([64.101.220.141]) with mapi id 15.00.1320.000; Wed, 28 Mar 2018 15:42:11 -0400
From: "Brian Weis (bew)" <bew@cisco.com>
To: Joe Touch <touch@strayalpha.com>
CC: RFC Editor <rfc-editor@rfc-editor.org>, "ekr@rtfm.com" <ekr@rtfm.com>, "tuexen@fh-muenster.de" <tuexen@fh-muenster.de>, "tcpm@ietf.org" <tcpm@ietf.org>, "ietf@kuehlewind.net" <ietf@kuehlewind.net>
Thread-Topic: [tcpm] [Technical Errata Reported] RFC5926 (5267)
Thread-Index: AQHTrzRUQnxFC2fU6E29LS3A6LD6RA==
Date: Wed, 28 Mar 2018 19:42:11 +0000
Message-ID: <8B1FAC72-2B18-4406-A3D3-E3BE5524EB59@cisco.com>
References: <20180226190209.F3D43B80E1F@rfc-editor.org> <A1D80502-1BFA-4F12-9978-D74DE20EB4CA@strayalpha.com>
In-Reply-To: <A1D80502-1BFA-4F12-9978-D74DE20EB4CA@strayalpha.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.32.222.150]
Content-Type: multipart/alternative; boundary="_000_8B1FAC722B184406A3D3E3BE5524EB59ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/uH9wlQh66La-sI3e-KFku7cz8VI>
Subject: Re: [tcpm] [Technical Errata Reported] RFC5926 (5267)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2018 19:42:18 -0000

Hi Joe,

Sorry, I missed your reply to this before the errata was rejected.

On Feb 28, 2018, at 6:56 AM, Joe Touch <touch@strayalpha.com<mailto:touch@strayalpha.com>> wrote:

Hi, all,

This errata should be rejected.

NIST-SP800-108 does not require the use of 0x00 (see cited text below). It only requires that the length and order of each field be defined unambiguously.

This is correct. The issue is whether all TCP-AO implementations implementing NIST SP800-108 all add the 0x00 or not. If there is confusion between implementations then they will not generate the same session keys.

The length of “TCP-AO” is clearly and unambiguously 6 octets, as defined in the existing RFC text. The method of providing that length unambiguously to the KDF algorithm is an implementation issue.

I disagree that it is unambiguously 6 octets.  The use of double-quotes is often construed as a null-terminated string. This can be read as a null-terminated 7 octet string. In fact, this is the exact question asked by an implementor, and why I filed the errata. I believe it is a reasonable request to clarify this one way or the other.

If you agree with this, I’ll open another errata indicating the problem more clearly.

My preference for clarifying that it does include the 0x00 is for safety. While the current RFC has only one label field (“TCP-AO”), if another string beginning with ‘TCP-AO’ were also defined then there could be confusion between the two generated keys. Since the cost of adding 0x00 to the calculation is negligible, it seems prudent to  be safe.

Thanks,
Brian



Joe

The following text is clear that 0x00 is optional:

12) 0x00 – An all zero octet. An optional data field used to indicate a separation of different variable length data fields1.

1 This indicator may be considered as a part of the encoding method for the input data and can be replaced by other indicators, for example, an indicator to represent the length of the variable length field. If, for a specific KDF, only data fields with identical length are used, then the indicator may be omitted.

and later, 0x00 is given as a choice used in the example presented, not as a requirement:

The length for each data field and an order shall be defined unambiguously. For example, the length and the order may be defined as a part of a KDF specification or by the protocol where the KDF is used. In each of the following sections, a specific order for the feedback value, the counter, the Label, the separation indicator 0x00, the Context, and [L]2 is used, assuming that each of them is represented with a specific length. This Recommendation specifies several families of KDFs. Alternative orders for the input data fields may be used for different KDFs.

---------------------


On Feb 26, 2018, at 11:02 AM, RFC Errata System <rfc-editor@rfc-editor.org<mailto:rfc-editor@rfc-editor.org>> wrote:

The following errata report has been submitted for RFC5926,
"Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5267

--------------------------------------
Type: Technical
Reported by: Brian Weis <bew@cisco.com<mailto:bew@cisco.com>>

Section: 3.1.1

Original Text
-------------
- Label:     A binary string that clearly identifies the purpose
                  of this KDF's derived keying material.  For TCP-AO,
                  we use the ASCII string "TCP-AO", where the last
                  character is the capital letter "O", not to be
                  confused with a zero.  While this may seem like
                  overkill in this specification since TCP-AO only
                  describes one call to the KDF, it is included in
                  order to comply with FIPS 140 certifications.


Corrected Text
--------------
- Label:     A binary string that clearly identifies the purpose
                  of this KDF's derived keying material.  For TCP-AO,
                  we use the ASCII string "TCP-AO", where the last
                  character is the capital letter "O", not to be
                  confused with a zero. The ASCII string is terminated
                  with a null octet (0x00). While this may seem like
                  overkill in this specification since TCP-AO only
                  describes one call to the KDF, it is included in
                  order to comply with FIPS 140 certifications.

Notes
-----
This section states that "Both of these KDFs are based on the iteration-mode KDFs specified in [NIST-SP800-108].", which is later clarified to be the "counter mode" KDF defined in that document. The definition of the "Label" input to the KDF in the original text is not clear.

[NIST-SP800-108] specifies that a 0x00 octet should follow the Label. This 0x00 octet is important when the KDF does not have control over the Context given it, which is the case here -- RFC 5926 depends on the definition in RFC 5925. RFC 5925 currently declares two fixed-size inputs for the Context (See Figures 7 & 8 of RFC 5925), so the Context length differs. Also, RFC 5925 RFC could be updated over over time to include other Contexts that are variable sized. The risk of excluding 0x00 is enabling an attacker to choose a specially-crafted Context that violates the clean separation between the Label and Context arguments. Therefore, it is important to include the 0x00 octet for TCP-AO.

I believe this 0x00 is implied in the specification of the string "TCP-AO", since conventionally many string definitions include a trailing 0x00 octet, The text should state that the 0x00 octet is present as part of the string.

If this errata does not result in adding the 0x00 octet, then its omission needs to be justified.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC5926 (draft-ietf-tcpm-tcp-ao-crypto-03)
--------------------------------------
Title               : Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)
Publication Date    : June 2010
Author(s)           : G. Lebovitz, E. Rescorla
Category            : PROPOSED STANDARD
Source              : TCP Maintenance and Minor Extensions
Area                : Transport
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
tcpm mailing list
tcpm@ietf.org<mailto:tcpm@ietf.org>
https://www.ietf.org/mailman/listinfo/tcpm

_______________________________________________
tcpm mailing list
tcpm@ietf.org<mailto:tcpm@ietf.org>
https://www.ietf.org/mailman/listinfo/tcpm

--
Brian Weis
Security, CSG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com<mailto:bew@cisco.com>

v2.23.0 | Report a Bug | By Email