[Ndn-interest] Adding HMAC to available NDN signature types

Marc.Mosko at parc.com Marc.Mosko at parc.com
Mon Sep 22 10:00:21 PDT 2014


Actually I would say the keyid is the hash of the "functional" key.  If you're using the hash of a long key as the key, I'd put the hash of the hash as the keyid.

Marc

Sent from my telephone

On Sep 22, 2014, at 18:56, "Thompson, Jeff" <jefft0 at remap.UCLA.EDU<mailto:jefft0 at remap.UCLA.EDU>> wrote:

(On a second read, I see now that Marc made the same point…)

From: <Thompson>, Jeff Thompson <jefft0 at remap.ucla.edu<mailto:jefft0 at remap.ucla.edu>>
Date: Monday, September 22, 2014 9:53 AM
To: Yingdi Yu <yingdi at cs.ucla.edu<mailto:yingdi at cs.ucla.edu>>, Adeola Bannis <abannis at ucla.edu<mailto:abannis at ucla.edu>>
Cc: "ndn-interest at lists.cs.ucla.edu<mailto:ndn-interest at lists.cs.ucla.edu>" <Ndn-interest at lists.cs.ucla.edu<mailto:Ndn-interest at lists.cs.ucla.edu>>
Subject: Re: [Ndn-interest] Adding HMAC to available NDN signature types

On Fri, Sep 19, 2014 at 11:18 PM, Yingdi Yu <yingdi at cs.ucla.edu<mailto:yingdi at cs.ucla.edu>> wrote:
> However, when key is longer than the hash output, putting key digest into key locator directly expose the secret to other.

Oh crap, you're right!  Thanks for pointing that out.  I agree that we should prohibit KeyDigest in the case that the key is longer than 32 bytes.  I would reword the reason slightly: "When the key is longer than 32 bytes, the HmacWithSha256 algorithm uses the SHA-256 digest of the key, which would be the same as the KeyDigest, effectively exposing the secret."

- Jeff T

From: Yingdi Yu <yingdi at cs.ucla.edu<mailto:yingdi at cs.ucla.edu>>
Date: Sunday, September 21, 2014 12:00 AM
To: Adeola Bannis <abannis at ucla.edu<mailto:abannis at ucla.edu>>
Cc: "ndn-interest at lists.cs.ucla.edu<mailto:ndn-interest at lists.cs.ucla.edu>" <Ndn-interest at lists.cs.ucla.edu<mailto:Ndn-interest at lists.cs.ucla.edu>>
Subject: Re: [Ndn-interest] Adding HMAC to available NDN signature types

On Sep 20, 2014, at 11:18 AM, Adeola Bannis <abannis at ucla.edu<mailto:abannis at ucla.edu>> wrote:


On Fri, Sep 19, 2014 at 11:18 PM, Yingdi Yu <yingdi at cs.ucla.edu<mailto:yingdi at cs.ucla.edu>> wrote:

@Adeola, you probably want to forbid KeyDigest in KeyLocator for this HMAC signature. Because if key size is longer than hash output, the key digest is used instead. If we allow KeyDigest in KeyLocator, then some careless programmers may leak the secret.

Well, a careless programmer could put a passphrase, or something used to derive the key, into a KeyLocator KeyName as well. We can go ahead and make the restriction, but there are other ways a programmer could shoot herself in the foot here.

I did not mean that "careless" as you describe. I mean those who do not know the details of HMAC.

The problem is that when key is shorter than hash output, it is safe to put key digest in the key locator. However, when key is longer than the hash output, putting key digest into key locator directly expose the secret to other, i.e., attackers can directly use the key digest to construct any legitimate HMAC. Therefore you either explicitly specify what should be used when KeyDigest is used as the KeyLocator, or you can disable the usage of KeyDigest in KeyLocator.

Yingdi
_______________________________________________
Ndn-interest mailing list
Ndn-interest at lists.cs.ucla.edu<mailto:Ndn-interest at lists.cs.ucla.edu>
http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/ndn-interest/attachments/20140922/7d2813b3/attachment.html>


More information about the Ndn-interest mailing list