Hi,
On 06/03/2016 02:20 PM, René Hummen wrote:
This is part 3 of 3.
I am fine with your fixes. Some comments below.
On Mon, Mar 28, 2016 at 10:05 PM, Miika Komu > wrote:
> [...]
> 6.2.1. CMAC Calculation
>
> [...]
>
>
> 5. Set Checksum and Header Length fields in the HIP header to
> original values. Note that the Checksum and Length fields
> contain incorrect values after this step.
I guess also the values following HIP_MAC should be restored since
they were wiped in the step 2.
I also found this description a bit imprecise, but it is taken from
RFC7401. Step 2 already hints at the fact that parameters following
HIP_MAC may still be of interest:
"Remove the HIP_MAC parameter, as well as all other parameters
that follow it with greater Type value, saving the contents if
they will be needed later."
The question is whether we want to fix the description for HIP DEX or to
keep things as they are for consistency reasons. In the former case, I
would prefer to completely rewrite the verification procedure to work on
the received packet without removing any parameters. However, we should
then probably also post an errata to RFC7401. If there are no stong
opinions about that, I would go for the latter option.
Latter option works for me too.
> The CKDF-Extract function is the following operation:
>
> CKDF-Extract(I, IKM, info) -> PRK
What does the arrow operator signify? I thought that it produces PRK,
but PRK is actually defined below.
The arrow is part of a basic mathematical function definition. So yes,
PRK is the output (domain), but we still need to give it a proper name.
I changed the artwork to clearly point out the inputs and outputs.
Thanks, it is now better.
Please check this section again in the updated version and get back to
me if the above changes do not sufficiently help your understanding.
It is good now, thanks!
> Llength of output keying material in octets
> (<= 255*RHASH_len/8)
> |denotes the concatenation
>
> The output keying material OKM is calculated as follows:
>
> N = ceil(L/RHASH_len/8)
> T = T(1) | T(2) | T(3) | ... | T(N)
> OKM = first L octets of T
>
> where
>
> T(0) = empty string (zero length)
> T(1) = CMAC(PRK, T(0) | info | 0x01)
> T(2) = CMAC(PRK, T(1) | info | 0x02)
> T(3) = CMAC(PRK, T(2) | info | 0x03)
> ...
The Expand was a bit more clear, but still didn't understand how to
get to the
Expanded key material due the arrow notation.
Ok, let's clarify this as several comments are related to the arrow
notation. For the function definition we use the mathematical arrow
notation (same as RFC 5869) and for the actual opertation we use the
equals sign (same as RFC 5869). In the end, they denote the same thing:
"assign X to Y".
Ok, this is what I guessed too.
> (where the constant concatenated to the end of each T(n) is a
> single octet.)
Is there a max value?
I am not sure what you mean here. If you refer to the N in T(N) then it
is defined above as N = ceil(L/RHASH_len/8).
Yes, I asked about the maximum value for N (which depends on L), but
never mind.
> 8. The R1 packet may have the A-bit set - in this case, the system
> MAY choose to refuse it by dropping the R1 packet and returning
> to state UNASSOCIATED. The system SHOULD consider dropping the
> R1 packet only if it used a NULL HIT in the I1 packet.
I didn't understand the logic in the last sentence.
Someone must have had a reason for this recommendation, but that someone
wasn't me. This is text from RFC7401. Any suggestions how to proceed?
Fix similarly as the other RFC7401 issue in the beginning of this email.
> 6.7. Processing Incoming I2 Packets
>
> [...]
>
> 5. If the system's state machine is in the I2-SENT state, the
> system MUST make a comparison between its local and sender's
> HITs (similarly as in Section 6.3). If the local HIT is smaller
> than the sender's HIT, it should drop the I2 packet, use the
> peer Diffie-Hellman key, ENCRYPTED_KEY keying material and nonce
> #I from the R1 packet received earlier, and get the local
> Diffie-Hellman key, ENCRYPTED_KEY keying material, and nonce #J
> from the I2 packet sent to the peer earlier. Otherwise, the
> system should process the received I2 packet and drop any
> previously derived Diffie-Hellman keying material Kij and
> ENCRYPTED_KEY keying material it might have generated upon
> sending the I2 packet previously. The peer Diffie-Hellman key,
> ENCRYPTED_KEY, and the nonce #J are taken from the just arrived
> I2 packet. The local Diffie-Hellman key, ENCRYPTED_KEY keying
> material, and the nonce