Re: [lng-odp] IPsec crypto algorithms summary

2017-05-18 Thread Bogdan Pricope
It is less about what is deprecated and more about what HW support is
available on already deployed solutions.

On 18 May 2017 at 10:27, Peltonen, Janne (Nokia - FI/Espoo)
 wrote:
> Hi,
>
> The IPsec and IKE document roadmap (RFC 6071) is a good summary about
> the required crypto-algorithms, among other things.
>
> Bill Fischofer wrote:
>> On Wed, May 17, 2017 at 7:07 PM, Dmitry Eremin-Solenikov <
>> dmitry.ereminsoleni...@linaro.org> wrote:
>>
>> > I think, linux-generic should support the following algorithms:
>> >
>> > Cipher:
>> >
>> > - AES-CBC (MUST)
>> > - AES-CTR (MAY)
>> > - 3DES-CBC (MAY)
>> >
>>
>> 3DES appears to be nearing end of life, especially with the recent sweet32
>> [1] attacks so this may be more of a "nice to have", though I see no harm
>> in including it for compatibility. I doubt if many new ODP applications
>> would use 3DES in preference to AES at this point.
>>
>
> 3DES-CBC is still mandatory in IPsec so it is good to keep it.
>
> And besides that, new ODP applications may have to interoperate with
> other systems in existing network deployments that may still use some
> of the older algorithms. I think the benefit of removing an existing
> algorithm implementation is small compared to the trouble it could
> cause in these cases.
>
>> >
>> > Auth:
>> >
>> > - HMAC-SHA1 (MUST)
>> > - HMAC-SHA256/384/512 (optional)
>> > - HMAC-MD5 (unspecified, was MAY)
>> >
>>
>> MD5 is already deprecated [2], and SHA-1 doesn't seem to have long to live
>> either [3]. Enough people still use SHA-1 that it seems we should support
>> it but I think it is safe to drop MD5 support at this point.
>
> HMAC-MD5-96 is optional (MAY) and HMAC-SHA-1-96 is mandatory (MUST) in IPsec.
> The weaknesses of MD5 used as a hash do not necessarily affect HMAC-MD5.
> See RFC 4835, RFC 6151.
>
> The point about interoperability also applies.
>
> Janne
>
>> [1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
>> [2] https://www.nsrl.nist.gov/collision.html
>> [3] http://csrc.nist.gov/groups/ST/hash/policy.html


Re: [lng-odp] IPsec crypto algorithms summary

2017-05-18 Thread Peltonen, Janne (Nokia - FI/Espoo)
Hi,

The IPsec and IKE document roadmap (RFC 6071) is a good summary about
the required crypto-algorithms, among other things.

Bill Fischofer wrote:
> On Wed, May 17, 2017 at 7:07 PM, Dmitry Eremin-Solenikov <
> dmitry.ereminsoleni...@linaro.org> wrote:
> 
> > I think, linux-generic should support the following algorithms:
> >
> > Cipher:
> >
> > - AES-CBC (MUST)
> > - AES-CTR (MAY)
> > - 3DES-CBC (MAY)
> >
> 
> 3DES appears to be nearing end of life, especially with the recent sweet32
> [1] attacks so this may be more of a "nice to have", though I see no harm
> in including it for compatibility. I doubt if many new ODP applications
> would use 3DES in preference to AES at this point.
> 

3DES-CBC is still mandatory in IPsec so it is good to keep it.

And besides that, new ODP applications may have to interoperate with
other systems in existing network deployments that may still use some
of the older algorithms. I think the benefit of removing an existing
algorithm implementation is small compared to the trouble it could
cause in these cases.

> >
> > Auth:
> >
> > - HMAC-SHA1 (MUST)
> > - HMAC-SHA256/384/512 (optional)
> > - HMAC-MD5 (unspecified, was MAY)
> >
> 
> MD5 is already deprecated [2], and SHA-1 doesn't seem to have long to live
> either [3]. Enough people still use SHA-1 that it seems we should support
> it but I think it is safe to drop MD5 support at this point.

HMAC-MD5-96 is optional (MAY) and HMAC-SHA-1-96 is mandatory (MUST) in IPsec.
The weaknesses of MD5 used as a hash do not necessarily affect HMAC-MD5.
See RFC 4835, RFC 6151.

The point about interoperability also applies.

Janne
 
> [1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
> [2] https://www.nsrl.nist.gov/collision.html
> [3] http://csrc.nist.gov/groups/ST/hash/policy.html
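Added example (not from this thread and not ODP code): what the "-96" and "-128" suffixes in HMAC-MD5-96, HMAC-SHA-1-96 and the RFC 4868 SHA-2 variants mean in practice. The script below computes the full HMAC over the authenticated part of an ESP packet and keeps only the leftmost bits as the ICV, with key and ICV lengths per RFC 2403, RFC 2404 and RFC 4868 and the SPI / sequence number / payload / ICV layout per RFC 4303. The function names, the sample key and the packet contents are constructed for the example.

```python
import hmac
import hashlib
import struct

# IPsec integrity algorithms with truncated HMAC output:
#   name -> (hashlib digest name, key length in bits, ICV length in bits)
# Lengths per RFC 2403 (HMAC-MD5-96), RFC 2404 (HMAC-SHA-1-96) and
# RFC 4868 (HMAC-SHA-256-128, HMAC-SHA-384-192, HMAC-SHA-512-256).
ESP_AUTH_ALGS = {
    "HMAC-MD5-96":      ("md5",    128, 96),
    "HMAC-SHA-1-96":    ("sha1",   160, 96),
    "HMAC-SHA-256-128": ("sha256", 256, 128),
    "HMAC-SHA-384-192": ("sha384", 384, 192),
    "HMAC-SHA-512-256": ("sha512", 512, 256),
}


def esp_icv(alg, key, authenticated_data):
    """Full HMAC over the authenticated bytes, truncated to the leftmost ICV bits."""
    digest_name, key_bits, icv_bits = ESP_AUTH_ALGS[alg]
    if len(key) * 8 != key_bits:
        raise ValueError(f"{alg} requires a {key_bits}-bit key, got {len(key) * 8}")
    full_mac = hmac.new(key, authenticated_data, digest_name).digest()
    return full_mac[: icv_bits // 8]


def build_esp_packet(alg, key, spi, seq, encrypted_payload):
    """ESP packet in RFC 4303 layout: SPI | seq | encrypted payload | ICV.
    The ICV covers everything before it; the ICV itself is never covered."""
    header = struct.pack("!II", spi, seq)
    authenticated = header + encrypted_payload
    return authenticated + esp_icv(alg, key, authenticated)


def parse_and_verify(alg, key, packet):
    """Split the trailing ICV off, recompute it and compare in constant time.
    Returns (spi, seq, encrypted_payload), or None when the ICV does not match."""
    icv_len = ESP_AUTH_ALGS[alg][2] // 8
    if len(packet) < 8 + icv_len:
        return None
    authenticated, icv = packet[:-icv_len], packet[-icv_len:]
    if not hmac.compare_digest(esp_icv(alg, key, authenticated), icv):
        return None
    spi, seq = struct.unpack("!II", authenticated[:8])
    return spi, seq, authenticated[8:]


if __name__ == "__main__":
    # Constructed sample SA: 256-bit key, SPI 0x1234, first packet, 40-byte
    # already-encrypted payload (the cipher side is out of scope here).
    key = bytes(range(32))
    pkt = build_esp_packet("HMAC-SHA-256-128", key, 0x1234, 1, b"\x00" * 40)
    print(parse_and_verify("HMAC-SHA-256-128", key, pkt))
    tampered = bytearray(pkt)
    tampered[8] ^= 1  # flip one bit of the encrypted payload
    print(parse_and_verify("HMAC-SHA-256-128", key, bytes(tampered)))
```

The RFC 2202 test vectors (key of 16 or 20 0x0b bytes, message "Hi There") give the familiar full HMAC-MD5 and HMAC-SHA-1 outputs; the ESP ICV is simply their first 12 bytes. Note that the receiver never sees the bare hash of anything, only a keyed, truncated MAC, which is why RFC 6151 distinguishes collision attacks on MD5 from attacks on HMAC-MD5.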


Re: [lng-odp] IPsec crypto algorithms summary

2017-05-17 Thread Bill Fischofer
On Wed, May 17, 2017 at 7:07 PM, Dmitry Eremin-Solenikov <
dmitry.ereminsoleni...@linaro.org> wrote:

> On 18.05.2017 02:53, Bill Fischofer wrote:
> > Thanks, but permissions should allow comments if you want feedback.
>
> Permissions updated, thanks for pointing that out.
>
> > Handy summary tables. I assume we'll do the MUSTs. Do we plan to do the
> > SHOULDs as well?
>
> I think, linux-generic should support the following algorithms:
>
> Cipher:
>
> - AES-CBC (MUST)
> - AES-CTR (MAY)
> - 3DES-CBC (MAY)
>

3DES appears to be nearing end of life, especially with the recent sweet32
[1] attacks so this may be more of a "nice to have", though I see no harm
in including it for compatibility. I doubt if many new ODP applications
would use 3DES in preference to AES at this point.


>
> Auth:
>
> - HMAC-SHA1 (MUST)
> - HMAC-SHA256/384/512 (optional)
> - HMAC-MD5 (unspecified, was MAY)
>

MD5 is already deprecated [2], and SHA-1 doesn't seem to have long to live
either [3]. Enough people still use SHA-1 that it seems we should support
it but I think it is safe to drop MD5 support at this point.

>
> AEAD:
> - AES-GCM (SHOULD+)
>
> I especially do not plan at this point to implement AES-GMAC (it is a
> nice idea, but standard is really ugly).
>
> >
> > On Wed, May 17, 2017 at 3:31 PM, Dmitry Eremin-Solenikov
> > wrote:
> >
> > Hello,
> >
> > For the sake of keeping all data in a single place, I've gathered all
> > crypto-related specs from RFCs in a single document.
> >
> > https://docs.google.com/document/d/1AK74bG9hcJs562FYZ9QIeCVXktdjarQ8eTyrqPm2ttg/edit?usp=sharing
> >
> > --
> > With best wishes
> > Dmitry
> >
> >
>
>
> --
> With best wishes
> Dmitry
>


[1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
[2] https://www.nsrl.nist.gov/collision.html
[3] http://csrc.nist.gov/groups/ST/hash/policy.html
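Added example (not from this thread and not ODP code): a scaled-down model of the Sweet32 observation cited above. The attack needs about 2^(b/2) blocks of CBC ciphertext under one key before two ciphertext blocks repeat, and a repeat leaks the XOR of two plaintext blocks without the key. Here the 64-bit 3DES block is replaced by a 16-bit one so the collision shows up after a few hundred blocks instead of tens of gigabytes, and a seeded random permutation stands in for the cipher; the CBC chaining, the collision scan and the XOR recovery are the real mechanism. All names and the sample traffic are constructed.

```python
import random

# Sweet32-style CBC block collision, scaled down: a 16-bit block instead of
# 3DES's 64-bit block, so the birthday bound is ~2^8 blocks, not ~2^32.
BLOCK_BITS = 16


def birthday_bound_bytes(block_bits):
    """Ciphertext volume (bytes) at which a repeated ciphertext block becomes
    likely within one CBC session: about 2^(b/2) blocks of b/8 bytes each.
    64-bit blocks (3DES): 2^32 * 8 = 32 GiB.  128-bit blocks (AES): 2^64 * 16."""
    return (1 << (block_bits // 2)) * (block_bits // 8)


class ToyBlockCipher:
    """A keyed random permutation of 16-bit values, standing in for a real
    block cipher; only the block size matters for the collision argument."""

    def __init__(self, key_seed):
        self.table = list(range(1 << BLOCK_BITS))
        random.Random(key_seed).shuffle(self.table)

    def encrypt_block(self, block):
        return self.table[block]


def cbc_encrypt(cipher, iv, plaintext_blocks):
    """Standard CBC: C_i = E(P_i XOR C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in plaintext_blocks:
        prev = cipher.encrypt_block(p ^ prev)
        out.append(prev)
    return out


def find_cbc_collision(iv, ciphertext_blocks):
    """Passive attacker: scan ciphertext for C_i == C_j (i < j).  Because E is
    a permutation, E(P_i ^ C_{i-1}) == E(P_j ^ C_{j-1}) implies
    P_i ^ P_j == C_{i-1} ^ C_{j-1}, which needs no key.
    Returns (i, j, xor_of_plaintexts), or None if no block repeats."""
    seen = {}
    for j, c in enumerate(ciphertext_blocks):
        if c in seen:
            i = seen[c]
            prev_i = iv if i == 0 else ciphertext_blocks[i - 1]
            prev_j = ciphertext_blocks[j - 1]
            return i, j, prev_i ^ prev_j
        seen[c] = j
    return None


def sweet32_demo(n_blocks=2000, seed=1):
    """Encrypt constructed random traffic and let the attacker recover
    P_i XOR P_j from the first collision; a known P_i then yields P_j."""
    rng = random.Random(seed)
    cipher = ToyBlockCipher(key_seed=rng.getrandbits(64))
    iv = rng.getrandbits(BLOCK_BITS)
    plaintext = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    ciphertext = cbc_encrypt(cipher, iv, plaintext)
    hit = find_cbc_collision(iv, ciphertext)
    if hit is None:
        return None
    i, j, recovered_xor = hit
    return {
        "i": i,
        "j": j,
        "blocks_until_collision": j + 1,
        "recovered_xor": recovered_xor,
        "actual_xor": plaintext[i] ^ plaintext[j],
        "p_j_from_known_p_i": plaintext[i] ^ recovered_xor,  # equals plaintext[j]
    }


if __name__ == "__main__":
    print("3DES/CBC birthday bound:", birthday_bound_bytes(64) // 2**30, "GiB")
    print("AES/CBC birthday bound:", birthday_bound_bytes(128), "bytes")
    print(sweet32_demo())
```

With 16-bit blocks the first repeat typically lands after roughly three hundred blocks; with 3DES the same curve is reached at about 32 GiB under one key, which is why long-lived 3DES-CBC SAs need rekeying well before that, while AES-CBC pushes the bound to 2^68 bytes.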


Re: [lng-odp] IPsec crypto algorithms summary

2017-05-17 Thread Dmitry Eremin-Solenikov
On 18.05.2017 02:53, Bill Fischofer wrote:
> Thanks, but permissions should allow comments if you want feedback.

Permissions updated, thanks for pointing that out.

> Handy summary tables. I assume we'll do the MUSTs. Do we plan to do the
> SHOULDs as well?

I think, linux-generic should support the following algorithms:

Cipher:

- AES-CBC (MUST)
- AES-CTR (MAY)
- 3DES-CBC (MAY)

Auth:

- HMAC-SHA1 (MUST)
- HMAC-SHA256/384/512 (optional)
- HMAC-MD5 (unspecified, was MAY)

AEAD:
- AES-GCM (SHOULD+)

I especially do not plan at this point to implement AES-GMAC (it is a
nice idea, but standard is really ugly).

> 
> On Wed, May 17, 2017 at 3:31 PM, Dmitry Eremin-Solenikov
> wrote:
> 
> Hello,
> 
> For the sake of keeping all data in a single place, I've gathered all
> crypto-related specs from RFCs in a single document.
> 
> 
> https://docs.google.com/document/d/1AK74bG9hcJs562FYZ9QIeCVXktdjarQ8eTyrqPm2ttg/edit?usp=sharing
> 
> 
> 
> --
> With best wishes
> Dmitry
> 
> 


-- 
With best wishes
Dmitry


Re: [lng-odp] IPsec crypto algorithms summary

2017-05-17 Thread Bill Fischofer
Thanks, but permissions should allow comments if you want feedback. Handy
summary tables. I assume we'll do the MUSTs. Do we plan to do the SHOULDs
as well?

On Wed, May 17, 2017 at 3:31 PM, Dmitry Eremin-Solenikov <
dmitry.ereminsoleni...@linaro.org> wrote:

> Hello,
>
> For the sake of keeping all data in a single place, I've gathered all
> crypto-related specs from RFCs in a single document.
>
> https://docs.google.com/document/d/1AK74bG9hcJs562FYZ9QIeCVXktdjarQ8eTyrqPm2ttg/edit?usp=sharing
>
> --
> With best wishes
> Dmitry
>


[lng-odp] IPsec crypto algorithms summary

2017-05-17 Thread Dmitry Eremin-Solenikov
Hello,

For the sake of keeping all data in a single place, I've gathered all
crypto-related specs from RFCs in a single document.

https://docs.google.com/document/d/1AK74bG9hcJs562FYZ9QIeCVXktdjarQ8eTyrqPm2ttg/edit?usp=sharing

-- 
With best wishes
Dmitry