> babel-mac-algorithms: List of supported MAC computation algorithms.
> Possible values include "HMAC-SHA256", "BLAKE2s".
> BLAKE2s can produce MACs of different sizes from 1 to 32 bytes and the desired
> size of the MAC is a parameter for it. Where is the size of the MAC specified? For
> HMAC with SHA256 I can at least imagine that the full 256-bit output is used as a
> MAC...

Right. The intent is that Blake2s is used with 32-octet keys and 16-octet hashes (collision-resistance is not a concern for Babel-MAC while dictionary attacks are).

Barbara, I think that you should explicitly state that Blake2s implies 128-bit hashes. (You may also consider renaming BLAKE2s to BLAKE2s-128.)

> babel-mac-key-value:
> I wonder about the rationale for imposing the above restrictions on HMAC key
> length. HMAC can use keys of any length, but if the key is greater than the block
> size of the underlying hash function, then it's first hashed (small performance
> penalty). So I imagine that the rationale is to avoid this penalty.

This was discussed at length on the mailing list. It's not about performance, it's about making it more difficult to use an unsafe procedure for generating keys. Since Babel-MAC is vulnerable to dictionary attacks, the key must either be drawn randomly or generated using a procedure that is hardened against such attacks (scrypt, etc.). Applying the procedure described in RFC 2104 to a user-provided passphrase is not safe, and therefore we try to make it difficult for a naive user to do so.

I am opposed to putting the RFC 2104 hashing procedure in the information model. Doing so would be a disservice to our users.

> Short (and zero-length) keys and keys that make use of only
> alphanumeric characters are highly susceptible to brute force
> attacks.
>
> Formally, a brute-force attack with zero-length keys is not defined, since there
> is no key to find and all is in the clear.

The key length is not carried in the clear by the protocol. Guessing the key length requires a brute-force attack, even when it is zero.

> 1. The document contains an entry in the Informational model defining which
> hash functions can be used with HMAC authentication. However, there is no
> corresponding entry of which ciphersuites can be used with DTLS. Is it up to
> the DTLS library to select ciphersuites?

Yes. Babel-DTLS is intended to inherit the security properties of the system's DTLS library. If the DTLS library is unsafe, then Babel-DTLS must not be used until the library is fixed.

-- Juliusz

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
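The two points argued in the thread above, a 16-octet keyed BLAKE2s MAC beside full-width HMAC-SHA256, and why feeding a passphrase straight into HMAC is unsafe while a random key or an scrypt-derived key is not, are illustrated by the following added example. It is not code from the Babel drafts or from any Babel implementation; the key length, digest length and scrypt parameters are constructed here, and `packet` is an arbitrary byte string standing in for a Babel packet body.

```python
import hashlib
import hmac
import secrets

# Constructed parameters matching the intent stated in the thread:
# 32-octet keys for both algorithms, 16-octet (128-bit) BLAKE2s output.
KEY_LEN = 32
BLAKE2S_MAC_LEN = 16


def mac_hmac_sha256(key: bytes, packet: bytes) -> bytes:
    """HMAC-SHA256 over the packet; the full 32-byte output is the MAC."""
    return hmac.new(key, packet, hashlib.sha256).digest()


def mac_blake2s_128(key: bytes, packet: bytes) -> bytes:
    """Keyed BLAKE2s (its native MAC mode, not HMAC) truncated to 16 bytes
    via the digest_size parameter, as the thread proposes for 'BLAKE2s'."""
    if not 0 < len(key) <= 32:
        raise ValueError("BLAKE2s keys are 1 to 32 bytes")
    return hashlib.blake2s(packet, key=key, digest_size=BLAKE2S_MAC_LEN).digest()


def verify(mac_fn, key: bytes, packet: bytes, received_mac: bytes) -> bool:
    """Constant-time comparison of the recomputed MAC against the received one."""
    return hmac.compare_digest(mac_fn(key, packet), received_mac)


def random_key() -> bytes:
    """The safe default: a key drawn from the OS CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    """A hardened derivation (scrypt) from a passphrase. Parameters n, r, p
    are constructed for illustration; a deployment would choose its own."""
    return hashlib.scrypt(passphrase.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def long_key_collapses_to_hash(long_key: bytes, packet: bytes) -> bool:
    """Demonstrates the RFC 2104 step the thread warns about: a key longer
    than SHA-256's 64-byte block is replaced by SHA-256(key) before use, so
    a long passphrase gives exactly the MAC of its unsalted, single-iteration
    hash, which a dictionary attack can recover offline."""
    if len(long_key) <= 64:
        raise ValueError("need a key longer than the 64-byte block size")
    shortened = hashlib.sha256(long_key).digest()
    return mac_hmac_sha256(long_key, packet) == mac_hmac_sha256(shortened, packet)


if __name__ == "__main__":
    packet = b"\x2a\x02" + b"constructed babel packet body"
    key = random_key()
    print("HMAC-SHA256:", mac_hmac_sha256(key, packet).hex(), "(32 bytes)")
    print("BLAKE2s-128:", mac_blake2s_128(key, packet).hex(), "(16 bytes)")
    print("long passphrase key == HMAC of its SHA-256:",
          long_key_collapses_to_hash(b"p" * 100, packet))
```

The `long_key_collapses_to_hash` check is the concrete reason behind the key-length restriction discussed above: the RFC 2104 pre-hashing step is a plain, unsalted hash, so it adds no resistance to dictionary attacks, whereas `key_from_passphrase` deliberately spends memory and time per guess.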