On Tue, Oct 8, 2019 at 10:46 PM Joseph Salowey <j...@salowey.net> wrote:
> Based on Jouni's analysis the derivation of the S-IMCKs is not well > specified. To me it looks like the solution to handle an arbitrary number > of methods that may or may not make an EMSK available would be fairly > complex. > > I think the most straight forward solution is to either always assume that > for an EMSK generating method the EMSK is either always available or always > unavailable. It seems that it is safer to always assume that the EMSK is > unavailable and will therefore never be used. I think this has the > following implications: > > - The S-IMCK is always generated from the inner method MSK or the > all-zero value if the method does not generate key material. > - The EMSK compound MAC is not used > - Implementations must have a policy that accepts MSK MACs > > It would appear that from a cryptographic analysis point of view the MSK > and EMSK are equivalent since these keys will only be used in these > TEAP calculations and not for other purposes. There are documented > drawbacks of using the MSK described in RFC7029 ( > https://tools.ietf.org/html/rfc7029#page-12). If the properties of the > EMSK binding are needed in the use cases currently under consideration then > I think we could redefine the way the EMSK MAC to be computed from the EMSK > of the inner method changing the above to > > - The S-IMCK is always generated from the inner method MSK or the > all-zero value if the method does not generate key material. > - Compute EMSK MAC from the inner-method EMSK instead of the S-IMCK > Compound-MAC = MAC( EMSK[J], BUFFER ) > - Implementations have a policy that prevents EMSK downgrade to MSK > > Hopefully there is a more elegant solution. Any ideas? > > [Joe] It might be better to do the following: Singe S-IMCK chain, but when an EMSK method is used there are two pre S-IMCK keys generated, one for the EMSK and one for the MSK. These are used to calculate two CMKs for Compound MACs for EMSK and MSK respectively. If the server responds with an EMSK MAC then the pre S-IMCK generated from the EMSK is used as the S-IMCK for future calculations if not then the one from the MSK is used. Modification to section 5.2 Intermediate Compound Key Derivations: When an EMSK generating method is used, then two compound MAC keys are generated, one based on the IMSK with the EMSK from the current method and on from the MSK from the current method as follows: S-IMCK[j-1] = compound session key from previous method: IMSK-EMSK[J] = First 32 octets of TLS-PRF(EMSK, "teapbind...@ietf.org" | "\0" | 64) IMSK-MSK = MSK IMCK-EMSK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", IMSK-EMSK[j], 60) S-IMCK-EMSK[j] = first 40 octets of IMCK-EMSK[j] CMK-EMSK[j] = last 20 octets of IMCK-EMSK[j] IMCK-MSK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", IMSK-MSK[j], 60) S-IMCK-MSK[j] = first 40 octets of IMCK-EMSK[j] CMK-MSK[j] = last 20 octets of IMCK-EMSK[j] CMK-MSK[J] is used to calculate the MSK compound MAC CMK-EMSK[J] is used to calculate the EMSK compound MAC If the EMSK MAC is returned form the server then the S-IMCK[j] = S-IMCK-EMSK[j] else S-IMCK[j] = S-IMCK-MSK[j] Modifications to 5.3. Computing the Compound MAC The Compound MAC EMSK computation is as follows: CMK-EMSK = CMK-EMSK[j] Compound-MAC-EMSK = MAC( CMK-EMSK, BUFFER ) The Compound MAC MSK computation is as follows: CMK-MSK = CMK-MSK[j] Compound-MAC-MSK = MAC( CMK-MSK, BUFFER ) I think this is more in line with what was originally intended and better than what I originally wrote in the previous message. > Joe >
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
