On Sat, Mar 23, 2019 at 05:22:49PM -0500, Benjamin Kaduk wrote:
> On Sat, Mar 23, 2019 at 11:06:33AM -0700, Dino Farinacci wrote:
> > > I'm not sure I understand the need for "use a different key for
> > > consecutive messages", but probably we should just talk about that on
> > > Tuesday.
> > 
> > Well in your last reply you felt it was okay if we used the nonce in each 
> > Map-Register for a new key per message. 
> > 
> > What this addition brings is use of a different PSK with nonce for a new 
> > authentication key, per message. 
> > 
> > If you think it’s not necessary, we can leave it out. 
> > 
> > But it is not clear to me if you support app-key per Fabio’s suggestion. 
> > Can you clarify that a nonce and PSK by themselves is sufficient?
> 
> My sense is that it's fine to have a single configured PSK (per pair of
> communicating entities, of course), provided that both a per-message nonce
> and a context string identifying the type of message that the derived key
> is used for are included as input to the key derivation.
> 
> For HKDF specifically, we might consider that HKDF-Extract takes a public
> 'salt' (a "non-secret random value") and HKDF-Expand takes an optional
> 'info', but also that Section 3.4 mandates that the salt must not be chosen

Sorry, that's Section 3.4 *of RFC 5869*, which didn't make it from my brain
to the keyboard.

> or manipulated by an attacker.  Since I don't think the current LISP
> mechanisms can provide such a guarantee for any of the nonces (until after
> we use the derived key), it seems that both the nonce and message-type
> context would need to be introduced in 'info', with some length-prefix or
> zero separator to enforce separation between those components of the 'info'
> parameter.
> 
> -Ben

_______________________________________________
lisp mailing list
lisp@ietf.org
https://www.ietf.org/mailman/listinfo/lisp
