
Re: Crypto agility in SCRAM + draft-josefsson-password-auth?



Nicolas Williams wrote:
 
>>> I think our choice should be between HMAC-SHA-1 and HMAC-SHA-256.
>> I'll ignore it then.
> You're free to.  There's no IETF compliance police you know :)

Fortunately.  Others might be forced to consider NIST compliance:

| Only implementations of the SHA-1 that are validated by NIST
| will be considered as complying with this standard. Information
| about the requirements for validating implementations of this
| standard can be obtained from the National Institute of
| Standards and Technology, Computer Systems Laboratory, Attn: SHS
| Validation, Gaithersburg, MD 20899. 
<http://www.itl.nist.gov/fipspubs/fip180-1.htm>

The statement in FIPS 180-2 is very similar; I found only a PDF.
Ditto the FIPS 180-3 draft published last year: export control,
required validation, patents, IANAL.

On <http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html>
they say:

| After 2010, Federal agencies may use SHA-1 only for the following
| applications: hash-based message authentication codes (HMACs); key
| derivation functions (KDFs); and random number generators (RNGs).
| Regardless of use, NIST encourages application and protocol
| designers to use the SHA-2 family of hash functions for all new
| applications and protocols.

From that I deduce that nothing is wrong with using SHA-1 in HMAC;
for obvious reasons this Web page won't say anything about using
MD5, but we have (admittedly old) RFCs saying that using MD5 with
HMAC is okay.

Folks wishing that their software can be used by federal agencies
are encouraged to use a validated SHA-2 anyway.  For these folks
SHA-1 is at best obsolescent.

Folks not interested in FIPS legalese and validation might prefer
to use something that is not SHA-anything, and decide that MD5
like SHA-1 is still good enough for HMAC + KDF + RNG.

> If we say "MUST implement HMAC-SHA-256" and everyone else
> deploys only HMAC-MD5, then we'll either wait long enough that
> everyone has upgraded and then declare victory, or we update
> the RFC to say "we got it wrong and it is now MUST implement
> HMAC-MD5."

Nothing is wrong with offering one of HMAC-SHA-256, -512, etc.
The fallacy is to offer SHA-1 as second choice instead of MD5,
because it makes technically + legally no sense for both groups.

 Frank
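The point under discussion, that HMAC is defined independently of the hash it wraps and that "crypto agility" therefore amounts to negotiating which hash name both sides run, can be made concrete. The following is an added example, not code from Frank, from the SASL working group, or from any SCRAM implementation: it implements HMAC exactly as RFC 2104 describes it, parameterised by the hash, then checks each instantiation against the published test vectors (RFC 2202 test case 1 for HMAC-MD5 and HMAC-SHA-1, RFC 4231 test case 1 for HMAC-SHA-256) and against Python's standard library. The helper names `rfc2104_hmac`, `check_vectors` and `verify_tag` are this example's own.

```python
import hashlib
import hmac as stdlib_hmac


def rfc2104_hmac(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """HMAC as specified in RFC 2104, with the hash as a parameter.

    The same construction yields HMAC-MD5, HMAC-SHA-1 or HMAC-SHA-256
    depending only on ``hash_name``; nothing else in the code changes.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for all three
    # Keys longer than one block are first hashed down (RFC 2104 section 2).
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # Shorter keys are zero-padded to a full block.
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


# Published test vectors: RFC 2202 test case 1 (MD5, SHA-1) and
# RFC 4231 test case 1 (SHA-256).  Key is 0x0b repeated to the
# digest length of the hash, data is the ASCII string "Hi There".
TEST_VECTORS = {
    "md5": (b"\x0b" * 16, b"Hi There",
            "9294727a3638bb1c13f48ef8158bfc9d"),
    "sha1": (b"\x0b" * 20, b"Hi There",
             "b617318655057264e28bc0b6fb378c8ef146be00"),
    "sha256": (b"\x0b" * 20, b"Hi There",
               "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
}


def check_vectors() -> dict:
    """Return {hash_name: bool}: True when our HMAC matches both the RFC
    vector and the standard library for that hash."""
    results = {}
    for name, (key, msg, expected) in TEST_VECTORS.items():
        ours = rfc2104_hmac(name, key, msg).hex()
        reference = stdlib_hmac.new(key, msg, name).hexdigest()
        results[name] = (ours == expected == reference)
    return results


def verify_tag(hash_name: str, key: bytes, msg: bytes, tag: bytes) -> bool:
    """Verify a received HMAC tag for the negotiated hash.

    Uses a constant-time comparison so that a verifier does not leak how
    many leading bytes of a forged tag were correct.
    """
    return stdlib_hmac.compare_digest(rfc2104_hmac(hash_name, key, msg), tag)


if __name__ == "__main__":
    for name, ok in check_vectors().items():
        print(f"HMAC-{name.upper()}: {'OK' if ok else 'MISMATCH'}")
```

Running the script prints `OK` for all three hashes. Because the construction is identical, a protocol that names its hash (as SCRAM does in the mechanism name) can add or retire a hash without touching the MAC code itself; the agility question in the thread is purely which names a peer is required to accept.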