[Ndn-interest] Describe the HMAC algorithm in SignatureHmacWithSha256?

GTS gts at ics.uci.EDU
Tue Jun 9 13:16:39 PDT 2015 

FWIW, I fully agree with Marc's point of view, especially this bit:
> I think it is an unnecessary leaking of information. 

Cheers,
Gene




On 6/9/15 10:05 PM, Marc.Mosko at parc.com wrote:
> Yingdi,
>
> I do not think using the sha256 digest of a symmetric key is a 
> security property (in the good sense).  I think it is an unnecessary 
> leaking of information.  Symmetric keys must be rotated, based on the 
> rate at which they are used and based on time.  They are pair-wise 
> associations.  So, one only needs to keep track of keys for the given 
> partner, such as a namespace or endpoint.  And, one usually only needs 
> to keep track of the last, current, and next keys to handle timing 
> issues (or maybe just the current and next).  So, there should not be 
> a giant library of keys.
>
> Because the keys are rotated via a key exchange protocol they are 
> easily identified by some index that can be cryptographically 
> unrelated to the given key, preventing any possible information 
> leakage.  It may or may not be a sequential number, it depends on the 
> key exchange protocol.
>
> Given that there are only a small number of keys that need to be 
> maintained and that they are scoped by a namespace or endpoint, using 
> the first 4-bytes of the key digest is highly likely to render 
> uniqueness.  But, like I said, I don’t think using a key digest is the 
> right thing to do with symmetric keys.
>
> One needs a key exchange protocol because the next key should not be 
> determined over a channel protected by the current key.  That would 
> break forward secrecy.
>
> Yes, if one has long-term statically configured keys one could 
> identify them via their KeyDigest, but I think that is unwise.  Both 
> because they are static and because you possibly leak information in 
> the KeyDigest.
>
> The issue of trust is separate from how a key is identified.  The 
> trust must be established by knowing the identity of the key exchange 
> protocol peer, which is likely an RSA or EC public key.  Trust 
> decisions should never be made on the KeyDigest or KeyId until after 
> one has verified the signature and then the remote identity is 
> uniquely known based on which key verified the signature.  So, even if 
> there were a collision in KeyDigest or KeyID, one could still have 
> strong authentication based on which of the colliding keys actually 
> verified.
>
> Marc
>
> On Jun 9, 2015, at 7:16 PM, Yingdi Yu <yingdi at cs.ucla.edu 
> <mailto:yingdi at cs.ucla.edu>> wrote:
>
>>
>>> On Jun 9, 2015, at 8:29 AM, Thompson, Jeff <jefft0 at remap.ucla.edu 
>>> <mailto:jefft0 at remap.ucla.edu>> wrote:
>>>
>>> > I think the purpose is to allow both ends to uniquely identify the 
>>> key. Is there any particular reason of using the first 4 bytes of 
>>> the digest?
>>>
>>> Using a short identifier (4 bytes) is to keep the packet short for 
>>> low-power devices. Making a short identifier from the digest is an 
>>> easy way to get a unique identifier instead of maintaining a 
>>> separate list of sequential ID numbers. Does that answer your question?
>>
>> I do not think the first 4-bytes can provide a “unique” identifier. 
>> If uniqueness is the major concern, we should use digest, given 
>> collision in sha256 has not been found yet.
>>
>> I did not quite understand what you mean by “a separate list of 
>> sequential ID numbers”.
>>
>> My concern is about using digest or something related alone. Given 
>> HMAC is about authenticity, one might not be able to tell from a 
>> digest or even first 4 bytes that the key can be trusted for a 
>> particular data packet. We have to maintaining an additional mapping 
>> between the privilege of a key (which is usually the key name) and 
>> the key anyway. So using a digest does not save too much at the 
>> device side.
>>
>> For length of the key locator, given the packet size is already 
>> 1500-byte, I am not sure if it is a good tradeoff to sacrifice some 
>> good security property for just tens of bytes.
>>
>> Yingdi
>>
>>
>>
>>
>
>
>
> _______________________________________________
> Ndn-interest mailing list
> Ndn-interest at lists.cs.ucla.edu
> http://www.lists.cs.ucla.edu/mailman/listinfo/ndn-interest

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.lists.cs.ucla.edu/pipermail/ndn-interest/attachments/20150609/93df94e1/attachment.html>

More information about the Ndn-interest mailing list