On Sat, Mar 23, 2019 at 11:06:33AM -0700, Dino Farinacci wrote:
> > I'm not sure I understand the need for "use a different key for consecutive
> > messages", but probably we should just talk about that on Tuesday.
> 
> Well in your last reply you felt it was okay if we used the nonce in each 
> Map-Register for a new key per message. 
> 
> What this addition brings is use of a different PSK with nonce for a new 
> authentication key, per message. 
> 
> If you think it’s not necessary, we can leave it out. 
> 
> But it is not clear to me if you support app-key per Fabio’s suggestion. Can 
> you clarify that a nonce and PSK by themselves are sufficient?

My sense is that it's fine to have a single configured PSK (per pair of
communicating entities, of course), provided that both a per-message nonce
and a context string identifying the type of message that the derived key
is used for are included as input to the key derivation.

For HKDF specifically, we might consider that HKDF-Extract takes a public
'salt' (a "non-secret random value") and HKDF-Expand takes an optional
'info', but also that Section 3.4 mandates that the salt must not be chosen
or manipulated by an attacker.  Since I don't think the current LISP
mechanisms can provide such a guarantee for any of the nonces (until after
we use the derived key), it seems that both the nonce and message-type
context would need to be introduced in 'info', with some length-prefix or
zero separator to enforce separation between those components of the 'info'
parameter.

-Ben
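The derivation described above, carried through as an added example (it is not code from this thread or from any LISP specification): a single PSK goes into HKDF-Extract with an empty salt, since none of the nonces can be assumed attacker-independent, and both the message-type context string and the per-message nonce are placed in the HKDF-Expand `info` parameter with a length prefix on each component. HKDF itself is implemented from RFC 5869 on top of the standard library so the block runs offline. The context labels `Map-Register` and `Map-Notify`, the PSK, and the nonces are constructed values; the function names are hypothetical. The `separation_demo` function shows why the separator matters: two different (context, nonce) pairs whose plain concatenation is byte-identical yield the same key without a length prefix and different keys with one.

```python
import hmac
import hashlib
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM).

    An empty salt is replaced by HashLen zero bytes, as the RFC specifies.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output length too large for HKDF")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode_info(context: bytes, nonce: bytes) -> bytes:
    """Build the 'info' input: each component is prefixed with its 2-byte
    big-endian length so that the (context, nonce) split is unambiguous."""
    parts = []
    for component in (context, nonce):
        if len(component) > 0xFFFF:
            raise ValueError("info component too long for 2-byte length prefix")
        parts.append(struct.pack("!H", len(component)) + component)
    return b"".join(parts)


def derive_message_key(psk: bytes, context: bytes, nonce: bytes, length: int = 32) -> bytes:
    """Per-message authentication key from one configured PSK (hypothetical helper).

    The salt is left empty because the protocol nonces cannot be guaranteed
    free of attacker influence; context and nonce go into 'info' instead.
    """
    prk = hkdf_extract(b"", psk)
    return hkdf_expand(prk, encode_info(context, nonce), length)


def separation_demo(psk: bytes) -> tuple:
    """Return (naive_keys_collide, prefixed_keys_collide) for two inputs whose
    plain concatenation context + nonce is the same byte string."""
    pair_a = (b"Map-Register", b"\x01\x02")       # constructed values
    pair_b = (b"Map-Register\x01", b"\x02")       # same concatenation as pair_a
    prk = hkdf_extract(b"", psk)
    naive_a = hkdf_expand(prk, pair_a[0] + pair_a[1], 32)
    naive_b = hkdf_expand(prk, pair_b[0] + pair_b[1], 32)
    prefixed_a = derive_message_key(psk, *pair_a)
    prefixed_b = derive_message_key(psk, *pair_b)
    return naive_a == naive_b, prefixed_a == prefixed_b


if __name__ == "__main__":
    psk = b"constructed-example-psk"             # constructed, not a real secret
    print("naive concatenation collides, length-prefixed collides:",
          separation_demo(psk))
    k1 = derive_message_key(psk, b"Map-Register", b"\x00\x00\x00\x01")
    k2 = derive_message_key(psk, b"Map-Notify", b"\x00\x00\x00\x01")
    print("same nonce, different message type gives different keys:", k1 != k2)
```

The HKDF functions can be checked against the RFC 5869 test vectors before trusting the derivation; the demo's point is only that the length prefix, not the nonce or the context alone, is what makes the `info` encoding injective.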

_______________________________________________
lisp mailing list
lisp@ietf.org
https://www.ietf.org/mailman/listinfo/lisp