Hi Ilari, Thanks for your comments.
On May 2, 2015, at 12:22 AM, Ilari Liusvaara <[email protected]> wrote: > On Fri, May 01, 2015 at 04:04:03PM -0700, Dino Farinacci wrote: >> Folks, this draft contains the following changes: >> >> B.1. Changes to draft-ietf-lisp-crypto-01.txt >> >> o Posted May 2015. >> >> o Create cipher suites and encode them in the Security LCAF. >> >> o Add IV to beginning of packet header and ICV to end of packet. >> >> o AEAD procedures are now part of encryption process. > > At least I can follow how the algorithms work. Remaining issues/notes: > - It composes AEAD mode instaed of using ready-made one. The composed > mode is if nothing else slow (SHA-1 is already slower than some > ready-made AEAD modes). These are the algorithms we’re comfortable with for now. We could have specified the combined AEAD mode cipher modes, but they add complexity in the form of maintaining a counter for the nonce. > - Key derivation looks to be missing hashing in important parameters > (like group and exchange keys) into secrets. Not sure which parameters you mean? The DH shared secret is the key for the KDF, I’m not sure why we’d provide any other keys as input to the KDF. > - Some NIST-spec KDF? I think there are RFCs that describe KDFs. Yes, there’s RFC 5869 but the NIST KDFs are also widely used. > - 1024-bit DH is regarded as quite weak nowadays. > - Two new ECDH functions from CFRG were recently annouced[1]. > Should be faster than DH1024/DH2048 with way smaller keys. We do need less computationally demanding ciphers for deices that do crypto in ARM based platforms, which explains the 1024-bit DH (and yes, we realize it is weak). As stated in the Future Work section we will be looking at these ECDH functions and should have some results before the Prague meeting. If we can replace the 1024-bit DH we will. Thanks, Brian > > > > > [1] > > The lower security one (Curve25519, as is): > > v^2 = u^3 + 486662u^2 + u (mod 2^255-19) > > Secret key size: 255 bits. > Secret key masking: Bits 0, 1, 2 off, bit 254 on. > Point encoding: u as 32-octet little-endian base-256 integer. > Base point: u=9. > > The higher security one: > > v^2 = u^3 + 156326u^2 + u (mod 2^448-2^224-1) > > Secret key size: 448 bits. > Secret key masking: Bits 0, 1 off, bit 447 on. > Point encoding: u as 56-octet little-endian base-256 integer. > Base point: u=5. > > _______________________________________________ > lisp mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/lisp -- Brian Weis Security, CSG, Cisco Systems Telephone: +1 408 526 4796 Email: [email protected] _______________________________________________ lisp mailing list [email protected] https://www.ietf.org/mailman/listinfo/lisp
