<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
FWIW, I fully agree with Marc's point of view, especially this bit:
<br>
<blockquote type="cite">I think it is an unnecessary leaking of
information. </blockquote>
<br>
Cheers,<br>
Gene<br>
<br>
<div class="moz-cite-prefix">On 6/9/15 10:05 PM, <a class="moz-txt-link-abbreviated" href="mailto:Marc.Mosko@parc.com">Marc.Mosko@parc.com</a>
wrote:<br>
</div>
<blockquote cite="mid:29E10C3B-EBE7-4A18-9B11-05D369114353@parc.com"
type="cite">
<div>Yingdi,</div>
<div><br>
</div>
I do not think using the sha256 digest of a symmetric key is a
security property (in the good sense). I think it is an
unnecessary leaking of information. Symmetric keys must be
rotated, based on the rate at which they are used and based on
time. They are pair-wise associations. So, one only needs to
keep track of keys for the given partner, such as a namespace or
endpoint. And, one usually only needs to keep track of the last,
current, and next keys to handle timing issues (or maybe just the
current and next). So, there should not be a giant library of
keys.
<div><br>
</div>
<div>Because the keys are rotated via a key exchange protocol they
are easily identified by some index that can be
cryptographically unrelated to the given key, preventing any
possible information leakage. It may or may not be a sequential
number, it depends on the key exchange protocol.
<div><br>
</div>
<div>Given that there are only a small number of keys that need
to be maintained and that they are scoped by a namespace or
endpoint, using the first 4-bytes of the key digest is highly
likely to render uniqueness. But, like I said, I don’t think
using a key digest is the right thing to do with symmetric
keys.<br>
<div><br>
</div>
<div>One needs a key exchange protocol because the next key
should not be determined over a channel protected by the
current key. That would break forward secrecy.<br>
<div><br>
</div>
<div>Yes, if one has long-term statically configured keys
one could identify them via their KeyDigest, but I think
that is unwise. Both because they are static and because
you possibly leak information in the KeyDigest.</div>
<div><br>
</div>
<div>The issue of trust is separate from how a key is
identified. The trust must be established by knowing the
identity of the key exchange protocol peer, which is
likely an RSA or EC public key. Trust decisions should
never be made on the KeyDigest or KeyId until after one
has verified the signature and then the remote identity is
uniquely known based on which key verified the signature.
So, even if there were a collision in KeyDigest or KeyID,
one could still have strong authentication based on which
of the colliding keys actually verified.</div>
<div><br>
</div>
<div>Marc</div>
<div><br>
</div>
<div>
<div>
<div>On Jun 9, 2015, at 7:16 PM, Yingdi Yu &lt;<a
moz-do-not-send="true"
href="mailto:yingdi@cs.ucla.edu">yingdi@cs.ucla.edu</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; -webkit-line-break: after-white-space;"
class="">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Jun 9, 2015, at 8:29 AM,
Thompson, Jeff <<a moz-do-not-send="true"
href="mailto:jefft0@remap.ucla.edu" class="">jefft0@remap.ucla.edu</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;
font-size: 14px; font-family: Calibri,
sans-serif;" class="">
<div class="">> I think the purpose is to
allow both ends to uniquely identify the
key. Is there any particular reason of
using the first 4 bytes of the digest?</div>
<div class=""><br class="">
</div>
<div class="">Using a short identifier (4
bytes) is to keep the packet short for
low-power devices. Making a short
identifier from the digest is an easy way
to get a unique identifier instead of
maintaining a separate list of sequential
ID numbers. Does that answer your
question?</div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
<div>I do not think the first 4-bytes can provide
a “unique” identifier. If uniqueness is the
major concern, we should use digest, given
collision in sha256 has not been found yet. </div>
<div><br class="">
</div>
<div>I did not quite understand what you mean by
“a separate list of sequential ID numbers”. </div>
<div><br class="">
</div>
<div>My concern is about using digest or something
related alone. Given HMAC is about authenticity,
one might not be able to tell from a digest or
even first 4 bytes that the key can be trusted
for a particular data packet. We have to
maintain an additional mapping between the
privilege of a key (which is usually the key
name) and the key anyway. So using a digest does
not save too much at the device side. </div>
<div><br class="">
</div>
<div>For length of the key locator, given the
packet size is already 1500-byte, I am not sure
if it is a good tradeoff to sacrifice some good
security property for just tens of bytes.</div>
<div><br class="">
</div>
<div class=""><span class="Apple-style-span"
style="border-collapse: separate;
border-spacing: 0px;"><span
class="Apple-style-span"
style="border-collapse: separate; orphans:
2; text-align: -webkit-auto; widows: 2;
border-spacing: 0px;">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;"
class="">
<div class="">Yingdi</div>
<div class=""><br class="">
</div>
</div>
</span><br class="Apple-interchange-newline">
</span><br class="Apple-interchange-newline">
</div>
</div>
<br class="">
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
<br>
<pre wrap="">_______________________________________________
Ndn-interest mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ndn-interest@lists.cs.ucla.edu">Ndn-interest@lists.cs.ucla.edu</a>
<a class="moz-txt-link-freetext" href="http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest">http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest</a>
</pre>
</blockquote>
<br>
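Added example, not part of the original thread and not NDN library code: a per-peer key ring that keeps only the last, current and next HMAC keys, looks them up by a 4-byte KeyId, and returns which key actually verified, so a KeyId collision cannot change the authentication result. The class and function names, the peer name and the sample keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

MAX_KEYS = 3  # last, current and next key for one peer

def digest_key_id(key):
    """4-byte KeyId cut from SHA-256(key): a deterministic function of the key."""
    return hashlib.sha256(key).digest()[:4]

def index_key_id(epoch):
    """4-byte KeyId from a key-exchange index: unrelated to the key bytes."""
    return epoch.to_bytes(4, "big")

def hmac_tag(key, message):
    """HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()

class PeerKeyRing:
    """HMAC keys shared with one peer (a namespace or endpoint)."""

    def __init__(self, peer):
        self.peer = peer
        self._entries = []  # (key_id, key) pairs, oldest first

    def install(self, key_id, key):
        """Add a freshly exchanged key and drop anything older than MAX_KEYS."""
        self._entries.append((key_id, key))
        del self._entries[:-MAX_KEYS]

    def verify(self, key_id, message, tag):
        """Return the key that verified the tag, or None."""
        # The KeyId only narrows the candidates; colliding ids are all tried.
        for candidate_id, key in self._entries:
            if candidate_id != key_id:
                continue
            if hmac.compare_digest(hmac_tag(key, message), tag):
                return key  # the trust decision is made on this key
        return None

if __name__ == "__main__":
    ring = PeerKeyRing("/example/peer")  # constructed peer name
    keys = [secrets.token_bytes(32) for _ in range(4)]  # constructed keys
    for epoch, key in enumerate(keys):
        ring.install(index_key_id(epoch), key)
    packet = b"constructed data packet"
    print(ring.verify(index_key_id(3), packet, hmac_tag(keys[3], packet)) == keys[3])
    print(ring.verify(index_key_id(0), packet, hmac_tag(keys[0], packet)))  # evicted
```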
</body>
</html>