Re: [TLS] Review comments on draft-rescorla-tls-opaque-prf-input-00.txt
<home_pw@msn.com> Thu, 18 January 2007 04:40 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H7P4p-000792-7y; Wed, 17 Jan 2007 23:40:39 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H7P4n-00078w-OK for tls@ietf.org; Wed, 17 Jan 2007 23:40:37 -0500
Received: from bay0-omc1-s19.bay0.hotmail.com ([65.54.246.91]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H7P4h-00067X-PM for tls@ietf.org; Wed, 17 Jan 2007 23:40:37 -0500
Received: from hotmail.com ([65.55.131.28]) by bay0-omc1-s19.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Wed, 17 Jan 2007 20:40:31 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 17 Jan 2007 20:40:31 -0800
Message-ID: <BAY126-DAV182CE8926FC55166BDEA4092AA0@phx.gbl>
Received: from 70.142.20.165 by BAY126-DAV18.phx.gbl with DAV; Thu, 18 Jan 2007 04:40:29 +0000
X-Originating-IP: [70.142.20.165]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: Wan-Teh Chang <wtchang@redhat.com>, tls mailing list <tls@ietf.org>
References: <45AEA795.2080308@redhat.com>
Subject: Re: [TLS] Review comments on draft-rescorla-tls-opaque-prf-input-00.txt
Date: Wed, 17 Jan 2007 20:40:27 -0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 18 Jan 2007 04:40:31.0182 (UTC) FILETIME=[C8E04EE0:01C73ABA]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: b2809b6f39decc6de467dcf252f42af1
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Lets reference RFC4347, and http://www.ietf.org/internet-drafts/draft-rescorla-tls-suiteb-00.txt, and see where some analysis takes us. It cannot be that hard, if Peter can make some sense of it - to build a reasoning context. (1) we should probably link suiteb-00.txt with opaque-prf-input. - SuiteB starts with the core claim that "However, all those cipher suites use SHA-1 as their MAC algorithm, which makes them unsuitable for some applications." Something about SHA-1 means someone can't use them. Perhaps, its because they have to use SHA-256? E.G. http://www.cast-inc.com/cores/sha-256/index.shtml - SuiteB goes on to assert that guess: "A key ingredient of SuiteB not found in RFC4492--or the definition of TLS itself prior to 1.2--is the use of SHA256 or SHA384 for key derivation." And, not only is it disclosing not an issue of MACs (re SHA-1), now it's the KDF. So, there is a ciphersuite issue with MAC *and* KDFs, I'm guessing - SuiteB goes on to define not only some ciphersuites, around the Suite B Algorithms, but also focuses on AEAD-related notions specific to DTLS, probably - which needs such things, being connectionless. It cites and profiles the Galois mode CCM method, defining a nonce form. We should recall that NIST only addressed AES-CCM for 802.11, not wider. It was VERY specifically worded , I recall. I think this is implying that the Galois mode is required, for SuiteB compliance. -Suite B focuses itself a lot on DTLS, links up with its seq_number constructs (that presumably have to worry like TCP seq-nos have to similarly worry), cites RFC3686, and notes that "Because GCM does not use HMAC as a MAC function, the hash function for the TLS PRF must be explicitly specified." - Well, I'm going to guess that draft-rescorla-tls-opaque-prf-input-00.txt is the follow up to the specification need. - SuiteB finishes off with material about EC curves, and how curve selection is being addressed as a function of protocol. (This is quite interesting of itself, note; I have to think about that for a connectioness setting) Ok. I don't see any great mystery or conspiracy going on here (apart from the conspiracy of silence in mailing list discussion by the authors to 3 sets of comments, now, all asserting the same thing, essentially: "Explain & Participate! We cannot be a rubber stamp!" Have the RFC Editor just issue these documents as is, and avoid TLS WG - if it is just too sensitive for USG to be seen arguing over policy stuff, in public standards forums. The RFC Editor has that power, and its not a bad reason to exploit it) Now to (2) lets look at opaque-prf-input. - First we focus on the nonce discussion. So, aha. 28 + 4 = 32. That clears up one mystery for me! Only 28 of the 32 bytes come from a suitable PRNG process fit for nonces; the other 4 are not random, as another part of the TLS spec implied. They are current time. Hmm. Random does not require any particular random properties; Random is just a type name - We can quote now "The client and server each contribute a Random value which is then mixed with secret keying material to produce the final per-association keying material." One should note the use of the term "keying material", associated with the term secret. He didn't say key. He also refers to "keying material" as being the output of the final KDF, having done the classical mix type operation. - Let's contrast now, with fortezza_dms from SSLv3 days. There, they didn't generate keying material for the mac process; it generated mac_secrets (i.e. note the change in doctrinal naming; the former "mac_secret" is now probably goin to be referred to as "keying material", but only in a SuiteB context). This would normally tell you that the mac process has to go through the HSM now, no more soft-mac'ing. For a wired/wireless NIC or layer 3 router doing DTLS, this is not that unusual, where the hard logic of the FPGA cryptocore can handle the overhead of generating the GCM key schedule (using Galois mode math) and doing multiply-expensive SHA-384 mac operations, at high data packet/frame flow rates. - In terms of language usage, it then focuses not on SuitB rationale, but on the actual applications, when asserting: In a number of United States Government applications, it is desirable to have some material with the following properties: 1. It is contributed both by client and server. 2. It is arbitrary-length. 3. It is mixed into the eventual keying material. 4. It is structured and decodable by the receiving party. - It then whine a bit about the current definition of Random, which is "too small" and doesn't have the properties above. Then, it defines the core claim: opaque PRF will address this, basically by having an enhanced Random sent as extensions. - Ok. So mystery over. They cannot fix the Random type definition, so they are passing a better one as an extension. And, its values SHALL have the defined properties, and get used in the final KDF for the SuiteB ciphersuites disclosed in the other document. - There is some confusion in my mind tho. The documents are not really consistent. They also imply that the opaque PRF is also used in the GCM, used to setup the key schedule for the AEAD stream cipher. Some writing clarity is required here. The big picture needs laying out, if TLS WG is to add any IETF value, not available be having the RFC Editor issue it. So, my outstanding issues are: Is the opaque PFR only for the KDF for generating connection state, or is it also for the generating the key schedule? ok. we need to drop the spookiness, and just interact. There is nothing wrong with any of this material in IETF, so long as average joes can read and understand it. _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Review comments on draft-rescorla-tls-opaqu… Wan-Teh Chang
- Re: [TLS] Review comments on draft-rescorla-tls-o… home_pw
- Re: [TLS] Review comments on draft-rescorla-tls-o… home_pw
- Re: [TLS] Review comments on draft-rescorla-tls-o… Eric Rescorla
- Re: [TLS] Review comments on draft-rescorla-tls-o… home_pw
- Re: [TLS] Review comments on draft-rescorla-tls-o… Eric Rescorla