Re: [kitten] I-D Action: draft-ietf-kitten-aes-cts-hmac-sha2-05.txt
Michael Jenkins <m.jenkins.364706@gmail.com> Wed, 04 February 2015 03:04 UTC
Return-Path: <m.jenkins.364706@gmail.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F13FB1A1BBD for <kitten@ietfa.amsl.com>; Tue, 3 Feb 2015 19:04:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3MzcV5cc1YM6 for <kitten@ietfa.amsl.com>; Tue, 3 Feb 2015 19:04:23 -0800 (PST)
Received: from mail-qc0-x22b.google.com (mail-qc0-x22b.google.com [IPv6:2607:f8b0:400d:c01::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8A1B1A1BA9 for <kitten@ietf.org>; Tue, 3 Feb 2015 19:04:22 -0800 (PST)
Received: by mail-qc0-f171.google.com with SMTP id s11so38803864qcv.2 for <kitten@ietf.org>; Tue, 03 Feb 2015 19:04:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=fJcO8WHIGylVMhTNv6B4xCJolp2lVgUB2tSQ3IZgJWk=; b=KvNcGgMAaobvo7WAHexfH5FL0GzygFc7bdprPmdJx5DYGSog+zaTlPCad5kdmWhGgr 5lR9s2WcNDC+P9hdAagpabc76B6kIhJg9/A4j2Vx+aXzmprWtQ1Hn6xdusc085bcZr+I 0aLuGZIX6wzeHR4/s1GFUYhRkDVGUPGTRVU/cOPsvm9W3F2WrSKPKhzK1LSz079Qux7p qfg2Xp6Qs9ZgZbPbYw71BPbOW1v/ozM8tZ2LEaWML7tBLy99eKg6/WFETKbCWTFETZlB C5w0pj9wTTQg79SZOrsk0AMWRIKfmAqvla4LS5Y6C9qlSf+wHQxku6+Eq4eJ/oieFUjj WT6g==
MIME-Version: 1.0
X-Received: by 10.224.96.130 with SMTP id h2mr59493560qan.85.1423019061972; Tue, 03 Feb 2015 19:04:21 -0800 (PST)
Received: by 10.229.177.133 with HTTP; Tue, 3 Feb 2015 19:04:21 -0800 (PST)
In-Reply-To: <alpine.GSO.1.10.1502031328390.22079@multics.mit.edu>
References: <20140923122546.30735.53089.idtracker@ietfa.amsl.com> <20140930141040.271b6205@willson.usersys.redhat.com> <CAC2=hncRCQoDMgAVunuqugDi1UozH+oWxZX-T5KgMFdXHmLXUA@mail.gmail.com> <alpine.GSO.1.10.1502031328390.22079@multics.mit.edu>
Date: Tue, 03 Feb 2015 22:04:21 -0500
Message-ID: <CAC2=hnfg8g-3p+0FPnvcfWKB6bb5bOJWBD0-=uD9vHidTxXM9g@mail.gmail.com>
From: Michael Jenkins <m.jenkins.364706@gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary="001a11c34fa6b295d8050e3a7179"
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/2I7lyGVPRc4Gd5bVkv4IYVm_su4>
Cc: kitten@ietf.org, "mjjenki@tycho.ncsc.mil" <mjjenki@tycho.ncsc.mil>, Simo Sorce <simo@redhat.com>
Subject: Re: [kitten] I-D Action: draft-ietf-kitten-aes-cts-hmac-sha2-05.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Feb 2015 03:04:25 -0000
The "constrains its application" made more sense in the original (unposted) version of this paragraph that explicitly mentioned Suite B, before I convinced myself that it was unnecessary (that it can be left for the informational Suite B document). While I don't think you'd have to be running a Suite B complaint installation for this document to be useful, it is fair to say that the choices of hash and encryption sizes are constraints. I would prefer to eliminate the initial clause than try to rewrite it. So, the paragraph would start with, "This document has been written to be consistent..." As to the 192 bits of security, again this made more sense originally when I had text about the Suite B 192-bit level of security. Perhaps a final sentence, "Note that, as indicated by the enc-type name "aes256-cts-hmac-sha384-192", the use of SHA-384 and AES-256 with a 192-bit key provides only a 192-bit level of security." [There's a NIST special pub under development (says their 2012 Annual Report) that talks about what-you-get-from-what-you-used, but I'm not sure when it might be available.] The resulting paragraph would read: This document has been written to be consistent with common implementations of AES and SHA-2. The encryption and hash algorithm sizes have been chosen to create a consistent level of protection, with consideration to implementation efficiencies. So, for instance, SHA-384, which would normally be matched to AES-192, is instead matched to AES-256 to leverage the fact that there are efficient hardware implementations of AES-256. Note that, as indicated by the enc-type name "aes256-cts-hmac-sha384-192", the use of SHA-384 and AES-256 with a 192-bit key provides only a 192-bit level of security. On Tue, Feb 3, 2015 at 1:35 PM, Benjamin Kaduk <kaduk@mit.edu> wrote: > On Mon, 2 Feb 2015, Michael Jenkins wrote: > > > the document than say "because Suite B". I propose that the following > > paragraph be added to the Security Considerations section (8) to address > > the entire document, rather than to litter the document with in-place > > explanations: > > > > 8.2 Algorithm dimensions > > > > Although there is nothing in this document that constrains its > application, > > It's not entirely clear what "constraints its application" is intended to > mean here; I would prefer an alternate phrasing. > > > it has been written to be consistent with common implementations of AES > and > > SHA-2. The encryption and hash algorithm sizes have been chosen to > create > > a consistent level of protection, with consideration to implementation > > efficiencies. So, for instance, SHA-384, which would normally be matched > to > > AES-192, is instead matched to AES-256 to leverage the fact that there > are > > efficient hardware implementations of AES-256. > > I wonder if there is a way to say that the combination of SHA-384 and > AES-256 as used in this document "only has 192 bits of security" (to the > extent that the concept of bits of security can even be defined). > > > Would this suffice? If so, I'll generate an -06 version and upload it in > > time for Dallas. > > That would be fine for me, but let's give Simo some time to reply as well. > > -Ben > -- Mike Jenkins mjjenki@tycho.ncsc.mil - if you want me to read it only at my desk m.jenkins.364706@gmail.com - to read everywhere else 443-634-3951
- [kitten] I-D Action: draft-ietf-kitten-aes-cts-hm… internet-drafts
- Re: [kitten] I-D Action: draft-ietf-kitten-aes-ct… Simo Sorce
- Re: [kitten] I-D Action: draft-ietf-kitten-aes-ct… Michael Jenkins
- Re: [kitten] I-D Action: draft-ietf-kitten-aes-ct… Benjamin Kaduk
- Re: [kitten] I-D Action: draft-ietf-kitten-aes-ct… Michael Jenkins
- Re: [kitten] I-D Action: draft-ietf-kitten-aes-ct… Simo Sorce