headers
Henderson, Thomas R | 22 Mar 2012 11:39
Picon
Favicon

rfc5201-bis issue 29: Use different RSA mode OAEP/PSS

This is the specific IESG comment:

   HIP defines the usage of RSA in signing and encrypting data.  Current
   recommendations propose usage of, for example, RSA OAEP/PSS for these
   operations in new protocols.  Changing the algorithms to more current
   best practice should be considered.

RFC 4055 defines RSASSA-PSS and RSAES-OAEP keys.  Were these ever discussed/considered as HIP key
formats?  This might be addressed by defining these as new algorithms in 5201-bis.  If someone with
expertise on this topic could clarify what is needed to address this comment, or could provide a pointer to
how other IETF standards have addressed this, I would appreciate it.  Otherwise, I will try to sketch out a
proposed solution.

- Tom
Permalink | Reply |
headers
Tobias Heer | 17 Apr 2012 09:20
Picon
Picon
Favicon

Re: rfc5201-bis issue 29: Use different RSA mode OAEP/PSS

Hi,

Am 22.03.2012 um 11:39 schrieb Henderson, Thomas R:

> This is the specific IESG comment:
> 
>   HIP defines the usage of RSA in signing and encrypting data.  Current
>   recommendations propose usage of, for example, RSA OAEP/PSS for these
>   operations in new protocols.  Changing the algorithms to more current
>   best practice should be considered.
> 
> RFC 4055 defines RSASSA-PSS and RSAES-OAEP keys.  Were these ever discussed/considered as HIP key formats?
I cannot remember any discussion related to this. 

> This might be addressed by defining these as new algorithms in 5201-bis.
I agree. One could easily define a new suite. We could do that now or on demand. We need a new suite anyway to
stay somewhat compatible with the existing HIP implementations.

Tobias

>  If someone with expertise on this topic could clarify what is needed to address this comment, or could
provide a pointer to how other IETF standards have addressed this, I would appreciate it.  Otherwise, I
will try to sketch out a proposed solution.
> 

> - Tom
> _______________________________________________
> Hipsec mailing list
> Hipsec <at> ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec
(Continue reading)

Permalink | Reply |
headers
Henderson, Thomas R | 18 Apr 2012 06:50
Picon
Favicon

Re: rfc5201-bis issue 29: Use different RSA mode OAEP/PSS


> -----Original Message-----
> From: Tobias Heer [mailto:heer <at> cs.rwth-aachen.de]
> Sent: Tuesday, April 17, 2012 12:20 AM
> To: Henderson, Thomas R
> Cc: HIP
> Subject: Re: [Hipsec] rfc5201-bis issue 29: Use different RSA mode
> OAEP/PSS
> 
> Hi,
> 
> Am 22.03.2012 um 11:39 schrieb Henderson, Thomas R:
> 
> > This is the specific IESG comment:
> >
> >   HIP defines the usage of RSA in signing and encrypting data.
> Current
> >   recommendations propose usage of, for example, RSA OAEP/PSS for
> these
> >   operations in new protocols.  Changing the algorithms to more
> current
> >   best practice should be considered.
> >
> > RFC 4055 defines RSASSA-PSS and RSAES-OAEP keys.  Were these ever
> discussed/considered as HIP key formats?
> I cannot remember any discussion related to this.
> 
> > This might be addressed by defining these as new algorithms in 5201-
> bis.
> I agree. One could easily define a new suite. We could do that now or
(Continue reading)

Permalink | Reply |
headers
Henderson, Thomas R | 18 Apr 2012 06:53
Picon
Favicon

Re: rfc5201-bis issue 29: Use different RSA mode OAEP/PSS


> -----Original Message-----
> From: Tobias Heer [mailto:heer <at> cs.rwth-aachen.de]
> Sent: Tuesday, April 17, 2012 12:20 AM
> To: Henderson, Thomas R
> Cc: HIP
> Subject: Re: [Hipsec] rfc5201-bis issue 29: Use different RSA mode
> OAEP/PSS
> 
> Hi,
> 
> Am 22.03.2012 um 11:39 schrieb Henderson, Thomas R:
> 
> > This is the specific IESG comment:
> >
> >   HIP defines the usage of RSA in signing and encrypting data.
> Current
> >   recommendations propose usage of, for example, RSA OAEP/PSS for
> these
> >   operations in new protocols.  Changing the algorithms to more
> current
> >   best practice should be considered.
> >
> > RFC 4055 defines RSASSA-PSS and RSAES-OAEP keys.  Were these ever
> discussed/considered as HIP key formats?
> I cannot remember any discussion related to this.
> 
> > This might be addressed by defining these as new algorithms in 5201-
> bis.
> I agree. One could easily define a new suite. We could do that now or
(Continue reading)

Permalink | Reply |
headers
Henderson, Thomas R | 19 Jun 2012 08:07
Picon
Favicon

Re: rfc5201-bis issue 29: Use different RSA mode OAEP/PSS

This message picks up a thread from April regarding one of our last remaining open issues against RFC5201-bis.

I started some discussion on the crypto-forum research group (CFRG) list about how to handle this comment
from RFC 5201:

   HIP defines the usage of RSA in signing and encrypting data.  Current
   recommendations propose usage of, for example, RSA OAEP/PSS for these
   operations in new protocols.  Changing the algorithms to more current
   best practice should be considered.

There were a few suggestions offered specific to RSA OAEP/PSS.  In the course of the discussion, some other
suggestions were made.  I'll try to summarize below.

For the keys used in HIP, RFC5201bis specifies these types:

        DSA              3 [RFC2536] (RECOMMENDED)
        RSA              5 [RFC3110] (REQUIRED)
        ECDSA            7 [RFC4754] (RECOMMENDED)
        ECDSA_LOW        9 [SECG]    (RECOMMENDED)

The feedback that I received was to follow NIST 800-131A on key strength regarding all of these key types,
and to consider not using ECDSA_LOW.  There was also a suggestion to elevate ECDSA to REQUIRED, to
encourage movement to that key type.  I believe that we'd like to retain ECDSA_LOW, suitably caveated
("defined for devices with low computational capabilities").  For DSA, we could replace the existing
reference to a reference to FIPS 186-3 and also reference RFC 5114 section 2.3 with 2048-bit subgroups for
use with SHA2-256.  Any opinions on either clarifying these constraints on DSA keys, or dropping their
support entirely?  I am somewhat neutral about elevating ECDSA to REQUIRED, but might lean towards
accepting the CFRG suggestion here; would this cause anyone any pain?

For RSA signature padding, the RSAASA-PSS [RFC3447] should replace the reference to RFC3110 above, and
(Continue reading)

Permalink | Reply |
headers
Henderson, Thomas R | 27 Jun 2012 07:10
Picon
Favicon

Re: rfc5201-bis issue 29: Use different RSA mode OAEP/PSS

Regarding this open issue, which I posted about on June 18 [*], I propose the following changes to the RFC
5201-bis text:

1) Section 3

OLD TEXT:

   HIP implementations MUST support the Rivest Shamir Adelman (RSA)
   [RFC3110] public key algorithm, and SHOULD support the Digital
   Signature Algorithm (DSA) [RFC2536] algorithms, and Elliptic Curve
   Digital Signature Algorithm (ECDSA) for generating the HI as defined
   in Section 5.2.9.  Additional algorithms MAY be supported.

NEW TEXT:

   HIP implementations MUST support the Rivest Shamir Adelman (RSA)
   [RFC3110] public key algorithm and Elliptic Curve
   Digital Signature Algorithm (ECDSA) for generating the HI as defined
   in Section 5.2.9.  Additional algorithms MAY be supported.

2) Section 5.2.8, HIP cipher

OLD TEXT:

   The following Cipher IDs are defined:

        Suite ID           Value

        RESERVED           0
        NULL-ENCRYPT       1     ([RFC2410])
(Continue reading)

Permalink | Reply |
headers
René Hummen | 29 Jun 2012 11:02
Picon
Picon
Favicon

Re: rfc5201-bis issue 29: Use different RSA mode OAEP/PSS

A few comments from my side in line.

On 27.06.2012, at 06:10, Henderson, Thomas R wrote:
Regarding this open issue, which I posted about on June 18 [*], I propose the following changes to the RFC 5201-bis text:

1) Section 3

OLD TEXT:

  HIP implementations MUST support the Rivest Shamir Adelman (RSA)
  [RFC3110] public key algorithm, and SHOULD support the Digital
  Signature Algorithm (DSA) [RFC2536] algorithms, and Elliptic Curve
  Digital Signature Algorithm (ECDSA) for generating the HI as defined
  in Section 5.2.9.  Additional algorithms MAY be supported.

NEW TEXT:

  HIP implementations MUST support the Rivest Shamir Adelman (RSA)
  [RFC3110] public key algorithm and Elliptic Curve
  Digital Signature Algorithm (ECDSA) for generating the HI as defined
  in Section 5.2.9.  Additional algorithms MAY be supported.

ECC libraries are available for most consumer-targeting platforms nowadays. Examples are the relic-toolkit [1] and OpenSSL. Hence, I don't see requiring both algorithms as a major concern. However:
1) What exactly are the practical implications of requiring both RSA and ECDSA?
2) Resource-constrained devices may only support ECC crypto. Would it make sense to move away from RSA as REQUIRED (seeing that ECC for PC-grade platforms is widely available) or is this perceived as too drastical of a measure?


2) Section 5.2.8, HIP cipher

OLD TEXT:

  The following Cipher IDs are defined:

       Suite ID           Value

       RESERVED           0
       NULL-ENCRYPT       1     ([RFC2410])
       AES-128-CBC        2     ([RFC3602])
       3DES-CBC           3     ([RFC2451])
       AES-256-CBC        4     ([RFC3602])

NEW TEXT:

  The following Cipher IDs are defined:

       Suite ID           Value

       RESERVED           0
       NULL-ENCRYPT       1     ([RFC2410])
       AES-128-CBC        2     ([RFC3602])
       DEPRECATED         3     
       AES-256-CBC        4     ([RFC3602])

I agree.

3) Section 5.2.9, Host Id:

OLD TEXT:  

  The following HI Algorithms have been defined:

       Algorithm
       profiles         Values

       RESERVED         0
       DSA              3 [RFC2536] (RECOMMENDED)
       RSA              5 [RFC3110] (REQUIRED)
       ECDSA            7 [RFC4754] (RECOMMENDED)
       ECDSA_LOW        9 [SECG]    (RECOMMENDED)

NEW TEXT:

  The following HI Algorithms have been defined:

       Algorithm
       profiles         Values

       RESERVED         0
       DSA              3 [FIPS 186-3] (OPTIONAL)
       RSA              5 [RFC3447]    (REQUIRED)
       ECDSA            7 [RFC4754]    (REQUIRED)
       ECDSA_LOW        9 [SECG]       (RECOMMENDED)

 For DSA, RSA, and ECDSA key types, profiles containing at least 112
 bits of security strength (as defined by [NIST SP 800-131A]) should
 be used.  For RSA signature padding, the PSS method of padding
 [RFC3447] MUST be used.

------------

Note, I decided not to bother with adding OEAP or ECIES to the cipher list, since we already have symmetric keys available and the ENCRYPTED parameter is lightly used.  If someone would like to support it in addition to AES-CBC, please propose a specific text proposal.

The only use case for OEAP that I can see is if the I1 or R1 should contain confidential information for some reason. Further ahead in the handshake, I also don't see the need to use PK crypto for the ENCRYPTED parameter as symmetric keys are already available at this point. However, if an extension of HIP should need confidential information in I1 or R1, it can specify this CIPHER_ID itself.

Regards,
René



--
Dipl.-Inform. Rene Hummen, Ph.D. Student
Chair of Communication and Distributed Systems
RWTH Aachen University, Germany
tel: +49 241 80 21462
web: http://www.comsys.rwth-aachen.de/team/rene-hummen/

Attachment (smime.p7s): application/pkcs7-signature, 4363 bytes
_______________________________________________
Hipsec mailing list
Hipsec <at> ietf.org
https://www.ietf.org/mailman/listinfo/hipsec
Permalink | Reply |
headers
Robert Moskowitz | 13 Jul 2012 17:13

Re: rfc5201-bis issue 29: Use different RSA mode OAEP/PSS

On 06/29/2012 05:02 AM, René Hummen wrote:
A few comments from my side in line.

On 27.06.2012, at 06:10, Henderson, Thomas R wrote:
Regarding this open issue, which I posted about on June 18 [*], I propose the following changes to the RFC 5201-bis text:

1) Section 3

OLD TEXT:

  HIP implementations MUST support the Rivest Shamir Adelman (RSA)
  [RFC3110] public key algorithm, and SHOULD support the Digital
  Signature Algorithm (DSA) [RFC2536] algorithms, and Elliptic Curve
  Digital Signature Algorithm (ECDSA) for generating the HI as defined
  in Section 5.2.9.  Additional algorithms MAY be supported.

NEW TEXT:

  HIP implementations MUST support the Rivest Shamir Adelman (RSA)
  [RFC3110] public key algorithm and Elliptic Curve
  Digital Signature Algorithm (ECDSA) for generating the HI as defined
  in Section 5.2.9.  Additional algorithms MAY be supported.

ECC libraries are available for most consumer-targeting platforms nowadays. Examples are the relic-toolkit [1] and OpenSSL. Hence, I don't see requiring both algorithms as a major concern. However:
1) What exactly are the practical implications of requiring both RSA and ECDSA?
2) Resource-constrained devices may only support ECC crypto. Would it make sense to move away from RSA as REQUIRED (seeing that ECC for PC-grade platforms is widely available) or is this perceived as too drastical of a measure?


2) Section 5.2.8, HIP cipher

OLD TEXT:

  The following Cipher IDs are defined:

       Suite ID           Value

       RESERVED           0
       NULL-ENCRYPT       1     ([RFC2410])
       AES-128-CBC        2     ([RFC3602])
       3DES-CBC           3     ([RFC2451])
       AES-256-CBC        4     ([RFC3602])

NEW TEXT:

  The following Cipher IDs are defined:

       Suite ID           Value

       RESERVED           0
       NULL-ENCRYPT       1     ([RFC2410])
       AES-128-CBC        2     ([RFC3602])
       DEPRECATED         3     
       AES-256-CBC        4     ([RFC3602])

I agree.

3) Section 5.2.9, Host Id:

OLD TEXT:  

  The following HI Algorithms have been defined:

       Algorithm
       profiles         Values

       RESERVED         0
       DSA              3 [RFC2536] (RECOMMENDED)
       RSA              5 [RFC3110] (REQUIRED)
       ECDSA            7 [RFC4754] (RECOMMENDED)
       ECDSA_LOW        9 [SECG]    (RECOMMENDED)

NEW TEXT:

  The following HI Algorithms have been defined:

       Algorithm
       profiles         Values

       RESERVED         0
       DSA              3 [FIPS 186-3] (OPTIONAL)
       RSA              5 [RFC3447]    (REQUIRED)
       ECDSA            7 [RFC4754]    (REQUIRED)
       ECDSA_LOW        9 [SECG]       (RECOMMENDED)

 For DSA, RSA, and ECDSA key types, profiles containing at least 112
 bits of security strength (as defined by [NIST SP 800-131A]) should
 be used.  For RSA signature padding, the PSS method of padding
 [RFC3447] MUST be used.

------------

Note, I decided not to bother with adding OEAP or ECIES to the cipher list, since we already have symmetric keys available and the ENCRYPTED parameter is lightly used.  If someone would like to support it in addition to AES-CBC, please propose a specific text proposal.

The only use case for OEAP that I can see is if the I1 or R1 should contain confidential information for some reason.

Crypto in I1 is a clear resource attack.  That is in large measure why there IS an I1 packet.  I have had to deal with proposals to put signed objects into 802.11 BEACONs and PROBEs.  But thinking.

R1 confidental information is an interesting thought.  It would take a bit to expand on it, but as you note in the end, if someone were to propose this, then they can specify this cipher itself.

Further ahead in the handshake, I also don't see the need to use PK crypto for the ENCRYPTED parameter as symmetric keys are already available at this point. However, if an extension of HIP should need confidential information in I1 or R1, it can specify this CIPHER_ID itself.


_______________________________________________
Hipsec mailing list
Hipsec <at> ietf.org
https://www.ietf.org/mailman/listinfo/hipsec
Permalink | Reply |
headers
Robert Moskowitz | 13 Jul 2012 17:25

Re: rfc5201-bis issue 29: Use different RSA mode OAEP/PSS

On 06/27/2012 01:10 AM, Henderson, Thomas R wrote:
> Regarding this open issue, which I posted about on June 18 [*], I propose the following changes to the RFC
5201-bis text:
>
> 1) Section 3
>
> OLD TEXT:
>
>     HIP implementations MUST support the Rivest Shamir Adelman (RSA)
>     [RFC3110] public key algorithm, and SHOULD support the Digital
>     Signature Algorithm (DSA) [RFC2536] algorithms, and Elliptic Curve
>     Digital Signature Algorithm (ECDSA) for generating the HI as defined
>     in Section 5.2.9.  Additional algorithms MAY be supported.
>
> NEW TEXT:
>
>     HIP implementations MUST support the Rivest Shamir Adelman (RSA)
>     [RFC3110] public key algorithm and Elliptic Curve
>     Digital Signature Algorithm (ECDSA) for generating the HI as defined
>     in Section 5.2.9.  Additional algorithms MAY be supported.

This is a REALLY important shift for a crypto system. I feel we should 
take it. Even with the ever increasing power in processors today, there 
are many reasons of perfer ECDSA keys over RSA. And even with DEX, there 
are 'mid size' systems plus constained communication links where ECDSA 
will seriously outperform RSA.

>
> 2) Section 5.2.8, HIP cipher
>
> OLD TEXT:
>
>     The following Cipher IDs are defined:
>
>          Suite ID           Value
>
>          RESERVED           0
>          NULL-ENCRYPT       1     ([RFC2410])
>          AES-128-CBC        2     ([RFC3602])
>          3DES-CBC           3     ([RFC2451])
>          AES-256-CBC        4     ([RFC3602])
>
> NEW TEXT:
>
>     The following Cipher IDs are defined:
>
>          Suite ID           Value
>
>          RESERVED           0
>          NULL-ENCRYPT       1     ([RFC2410])
>          AES-128-CBC        2     ([RFC3602])
>          DEPRECATED         3
>          AES-256-CBC        4     ([RFC3602])

DES is dead. Long live the new king. I have spoken to a number of 
serious cryptographers, and I am not overly concerned in only having one 
block cipher here.

> 3) Section 5.2.9, Host Id:
>
> OLD TEXT:
>
>     The following HI Algorithms have been defined:
>
>          Algorithm
>          profiles         Values
>
>          RESERVED         0
>          DSA              3 [RFC2536] (RECOMMENDED)
>          RSA              5 [RFC3110] (REQUIRED)
>          ECDSA            7 [RFC4754] (RECOMMENDED)
>          ECDSA_LOW        9 [SECG]    (RECOMMENDED)
>
> NEW TEXT:
>
>     The following HI Algorithms have been defined:
>
>          Algorithm
>          profiles         Values
>
>          RESERVED         0
>          DSA              3 [FIPS 186-3] (OPTIONAL)
>          RSA              5 [RFC3447]    (REQUIRED)
>          ECDSA            7 [RFC4754]    (REQUIRED)
>          ECDSA_LOW        9 [SECG]       (RECOMMENDED)
>
>    For DSA, RSA, and ECDSA key types, profiles containing at least 112
>    bits of security strength (as defined by [NIST SP 800-131A]) should
>    be used.  For RSA signature padding, the PSS method of padding
>    [RFC3447] MUST be used.
>
> ------------
>
> Note, I decided not to bother with adding OEAP or ECIES to the cipher list, since we already have symmetric
keys available and the ENCRYPTED parameter is lightly used.  If someone would like to support it in
addition to AES-CBC, please propose a specific text proposal.

I agree with this. There is ONE case and that is to have the ENCRYPT 
content to have security context outside of the HIP flow. Say to an 
authentication server. But as indicated, we can let the authors of the 
ID that proposes such a use case to add the cipher.

Oh, I do see use cases where the ENCRYPTED parameter gets more use, but 
it will be in NOTIFYs. Think of HIP as a secure messaging channel itself 
without needing the overhead of a full transport protocol. Sort of like 
secure UDP on the cheap.

Tom, thank you for your effort on this.
Permalink | Reply |

Gmane