[Cfrg] IETF's secure messaging v public-key encryption
Dan Brown <dbrown@certicom.com> Fri, 05 April 2013 15:48 UTC
Return-Path: <prvs=38078c4907=dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9478421F9850 for <cfrg@ietfa.amsl.com>; Fri, 5 Apr 2013 08:48:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.782
X-Spam-Level:
X-Spam-Status: No, score=-2.782 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, SARE_GIF_ATTACH=1.42]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jz--0hJgaVwX for <cfrg@ietfa.amsl.com>; Fri, 5 Apr 2013 08:48:11 -0700 (PDT)
Received: from mhs060cnc.rim.net (mhs060cnc.rim.net [208.65.73.34]) by ietfa.amsl.com (Postfix) with ESMTP id EE0B121F980B for <cfrg@irtf.org>; Fri, 5 Apr 2013 08:48:10 -0700 (PDT)
X-AuditID: 0a41282f-b7f1a6d0000054a3-2e-515ef232ef04
Received: from XCT103CNC.rim.net (smtp-pop.rim.net [10.65.161.203]) by mhs060cnc.rim.net (SBG) with SMTP id 9E.EE.21667.232FE515; Fri, 5 Apr 2013 10:48:03 -0500 (CDT)
Received: from XMB111CNC.rim.net ([fe80::fcd6:cc6c:9e0b:25bc]) by XCT103CNC.rim.net ([fe80::b8:d5e:26a5:f4d6%17]) with mapi id 14.02.0328.009; Fri, 5 Apr 2013 11:48:02 -0400
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: IETF's secure messaging v public-key encryption
Thread-Index: Ac4yFPPtfKFxsQ9USvOVB6D3EGsogQ==
Date: Fri, 05 Apr 2013 15:48:01 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF513CC9E@XMB111CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.249]
Content-Type: multipart/related; boundary="_004_810C31990B57ED40B2062BA10D43FBF513CC9EXMB111CNCrimnet_"; type="multipart/alternative"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrBJsWRmVeSWpSXmKPExsXC5bjwtK7xp7hAg+bvjBbdPw4yOTB6TN54 mC2AMaqB0SYpsaQsODM9T9/OJjEvL78ksSRVISW1ONlWySc1PTFHIaAosywxuVLBJbM4OScx Mze1SEkhM8VWyURJoSAnMTk1NzWvxFYpsaAgNS9FyY5LAQPYAJVl5imk5iXnp2TmpdsqeQb7 61pYmFrqGirZ6SZ08mRsu7iIqeDDRMaK189XszYwnm1m7GLk5JAQMJF4+uoMlC0mceHeerYu Ri4OIYGVjBK9M1tYQRJCAhsZJfbdKwOx2QRUJe4fPcfcxcjBISKgLPH5owRIWFjAQuLdggtM EGFbiV9feUHCIgJ6EvsWHWIDsVkEVCQ+7n8BtopXwE3i7qoHYDajgKzE7rPXmUBsZgFxiVtP 5jNBnCMi8fDiaTYIW1Ti5eN/rBC2osTeZ0eZQM5kFuhklJgxfRUrxFBBiZMzn7BMYBSahWTW LGR1s5DUzQK6lVkgV2LqQxuIeh2JBbs/sUHY2hLLFr5mhrHPHHjMhCmuI7H50k4WCFtRoq1z NtSupYwS6648YIEp2vH1IFzRlO6H7AsYeVcxCuZmFBuYGSTnJesVZebq5aWWbGIEpyMN/R2M b99bHGIU4GBU4uENeRYXKMSaWFZcmXuIUQVoxqMNqy8wSrHk5eelKonwyj4HSvOmJFZWpRbl xxeV5qQWH2LMAYb1RGYp7uR8YArNK4k3NjCgmKMkzvtbODpQSCAdmHazU1MLUotg1jFxcB5i lODgkhIpBibP1KLE0pKMeFCKjy8GJnmpBkanhYZ79r1rLg1UmXKsMfKTgPXtN1K5nE4VnLwC W9/IGD126Upwuh54/k/ISWbz8kPP1qi++LCtQ3e7w9YJLg4iuxsu251RWvVMaruS1g+19cea nnz2PPihTn1JJr80l+i2Ry5yhcmWnxsMFrG9ff/+9TPTjvSQH9skNQyv1K40uiDkwc+8jFOJ pTgj0VCLuag4EQDAnzvfuwMAAA==
Subject: [Cfrg] IETF's secure messaging v public-key encryption
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 15:48:13 -0000
Dear CFRG list: Some IETF protocols, including CMS (and perhaps JOSE), offer schemes that are essentially public-key encryption: they protect a conveyed message from an unauthenticated (cryptographically anonymous) sender (**) to a recipient with a public key, with the wrinkle that they also permit multiple recipients (sharing a common "wrapped" key). Although the sender has no authenticated key, the sender still applies a MAC to the message. This application of a MAC has been called "authenticated" (with respect to whoever has the MAC key) in some places. It has also been called "integrity-protection" in other places. Past versions of CMS message encryption did not apply the MAC. Consequently, the integrity of an encrypted message was not protected. It seems that the purpose of the MACing corresponds closely to the cryptographers' notion of "non-malleability" (NM) goal public-key encryption schemes. (If I recall correctly, NM-CCA2 has been proven equivalent to IND-CCA2.) Questions: 1) Do the existing and proposed IETF public-key message encryption methods meet the cryptographer's benchmark of IND-CCA2 security? How important is that to meet these goals? Can (or have) these cryptographer's security goals be proven for the specific CMS methods? 2) What is the best terminology to use in IETF? How important is terminology? Should the existing IETF terminology be amended? 3) What is the right formal definition when multiple recipients are involved? I seek your answers, but here are my tentative answers: 1) The current proposals provide IND-CCA2. It would be very hard to prove this (*). It is important to provide at least IND-CCA1 security, but CCA2 is never really necessary. 2) "Non-malleability" is the best terminology for many general users, at least from my experience. Standard terminology is important, for mutual understanding, and accident avoidance. The term "authenticated" should either removed when the sender does not use an authenticated key, or else change the term to "recipient-authenticated" (compare TLS and server authentication versus client authentication...). 3) The security definitions should be nearly the same for multiple recipients (which share a common symmetric key). (*) Shoup [ISO 18033-2] introduced the KEM-DEM approach to hybrid PKE schemes, which may be highly useful for describing, and proving things about, the CMS methods. I vaguely recall some research done in this area. (**) In a separate message, I will discuss schemes in which the sender can also be authenticated by means of an authenticated key (but does not sign). Best regards, Daniel Brown Research In Motion Limited [cid:image001.gif@01CE31F0.30D41300] --------------------------------------------------------------------- This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
- Re: [Cfrg] IETF's secure messaging v public-key e… Paterson, Kenny
- [Cfrg] IETF's secure messaging v public-key encry… Dan Brown
- Re: [Cfrg] IETF's secure messaging v public-key e… Dan Brown