Re: [Rats] Which Asymmetric algorithms for Charra?

"Eric Voit (evoit)" <evoit@cisco.com> Wed, 12 August 2020 19:20 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE19A3A07F9 for <rats@ietfa.amsl.com>; Wed, 12 Aug 2020 12:20:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=fjMWCwkx; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=v9fsyROM
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mN-VWElpdGOZ for <rats@ietfa.amsl.com>; Wed, 12 Aug 2020 12:20:35 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C24013A07F5 for <rats@ietf.org>; Wed, 12 Aug 2020 12:20:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=34622; q=dns/txt; s=iport; t=1597260034; x=1598469634; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=kWpoZcijlqGlkLtm+t8lQSBy0J6Fvk12traXOuDPhAE=; b=fjMWCwkxh7oi3D2K6IH+S/YIvNCibxJX+0UJShwqetcXlwo3bduBbRzb HjcYd+5OFnxG4ekyikp1bipBZsbJBL6opXvtrffn92k/T3gO8pf2DtEFD O9mCIDPnKSTRtic3sLIcfIFyftSK6MndPAy+yr7Qo3FOe8IZXgJPargjT M=;
X-Files: smime.p7s : 3975
IronPort-PHdr: =?us-ascii?q?9a23=3AlK4gJh0wgjJ4kNFusmDT+zVfbzU7u7jyIg8e44?= =?us-ascii?q?YmjLQLaKm44pD+JxWGu6dtkVbWUISd4PVB2KLasKHlDGoH55vJ8HUPa4dFWB?= =?us-ascii?q?JNj8IK1xchD8iIBQyeTrbqYiU2Ed4EWApj+He2YkhIEdnzZhvZpXjhpTIXEw?= =?us-ascii?q?/0YAxyIOm9E4XOjsOxgua1/ZCbYwhBiDenJ71oKxDjpgTKvc5Qioxneas=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0B9CACcPzRf/49dJa1WCR0BAQEBCQE?= =?us-ascii?q?SAQUFAUCBSoEjL1EHbystLywKh3IDixCCRYddjiKCZ4JTA1UEBwEBAQkDAQE?= =?us-ascii?q?lCAIEAQGETAKCNgIkOBMCAwEBCwEBBQEBAQIBBgRthVwMhXEBAQECAhIbEwE?= =?us-ascii?q?BNwEPAgEIEQQBASEBBgcCMBQJCAEBBA4FCAYUgwU4gUZNAx8PAQ6nOgKBOYh?= =?us-ascii?q?hdIE0gwEBAQWBMwEDAgJKA4MSGIIHBwMGgTiBU4Eeih8agUE/gRFDgk0+gXl?= =?us-ascii?q?BIgIBgTIuKwmDFIItmgaBGZsNCoJihDiCXIFPkVeCfp0XlBuIUZR3AgQCBAU?= =?us-ascii?q?CDgEBBYFqI4FXcBU7gmlQFwINjh8MF4NOhRSFQnQSAiMCBggBAQMJfI5cAYE?= =?us-ascii?q?QAQE?=
X-IronPort-AV: E=Sophos;i="5.76,305,1592870400"; d="p7s'?scan'208,217";a="792558057"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 12 Aug 2020 19:20:32 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id 07CJKVY7030388 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 12 Aug 2020 19:20:31 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 12 Aug 2020 14:20:31 -0500
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 12 Aug 2020 14:20:30 -0500
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 12 Aug 2020 15:20:29 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ibVZwAOxddyxWc/RqZmUIyV5OgXuSAshXQs4KRpOdMyOLUE4yrp4+lKA8eYpC+JvN/VQYP6syArahmuXy6blGc0g2UkPs0L4063qcH+BdSni45FUL23BdMN4SHSDN7d20h+x/6FgOUoueBXmtC8yHdFL/P4Bv2/KeZUiaA8f+/O+PzpmdsevS/GBuhRWOqIeAIYJBQV98dYAcSAtrEYupdG+yORaTGG53RvvAbvsCQvcToX0Tc35SzAzfE52hJzU08iCgP98oXuBT6aLE9Z2Yv8koe5pNyWi+0pLeyplF2zUN5n56d1e2Hmz95IRNWwrd2tK1zs3vSKQHiw01PpGSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PQn++2j17nAWzxBCKrsumvu1ZwlmLtdYpdnOE5zq4G4=; b=dkLGCdvvBO+3WPFpNVaAmPEYXMjCM6nKj1BeBUcg9h3dyEiCo2hMPBcBSXHo+8+7KD8bPOCwE0lEk0X/1sMs0R/b0cDRFSxkMn4cGNXzUwe5T0ZYL+xHa1Q4sMbpHvDc7h/eaeDv/UCCaTqtdC6P5TozTyDk7j0pLdJcI+073X5wCSq5nCy60FrzciEd4DvgB9Y/6SUJBThtbss3Y8EAWO2XtKHidTXQcWcgjyhsdzEYM/kLaHkLA+32cn/6CtjjKAS09px8PcCI19KLtKbNjOMcjb7au853gO8BKql0BngAdqwKZmSzJIeC7ehmX2Y2HL3sGZqE8oTPcuSS8pQTsQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PQn++2j17nAWzxBCKrsumvu1ZwlmLtdYpdnOE5zq4G4=; b=v9fsyROM2l5SNuoR8aqWcegb+9DfVuqWn8azc04f+Nack9w2MieRdHMqw3u1/nUnfdSJXsR8tW4Gj3PMDW9CcdJsiEKdcNDZ5bUqnUlp5BCljrsbsE2A0uRMIeDG8fYdtedDAXXk7TndcgmTwSxKEqFRj7vA9YCmvM0XA57kHVk=
Received: from BL0PR11MB3122.namprd11.prod.outlook.com (2603:10b6:208:75::32) by MN2PR11MB4174.namprd11.prod.outlook.com (2603:10b6:208:154::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3261.15; Wed, 12 Aug 2020 19:20:28 +0000
Received: from BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::fcd5:b07d:e935:8956]) by BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::fcd5:b07d:e935:8956%7]) with mapi id 15.20.3283.016; Wed, 12 Aug 2020 19:20:28 +0000
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: "Panwei (William)" <william.panwei@huawei.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: Which Asymmetric algorithms for Charra?
Thread-Index: AdZwFfR0sMtRnzzORw2twimiOLxijgAX+PawABmh0rA=
Date: Wed, 12 Aug 2020 19:20:28 +0000
Message-ID: <BL0PR11MB3122D96A348E755D5384D032A1420@BL0PR11MB3122.namprd11.prod.outlook.com>
References: <BL0PR11MB3122651915512C2D122B35A7A1450@BL0PR11MB3122.namprd11.prod.outlook.com> <d323dbd7a24c46f0bb5074f7aad4903d@huawei.com>
In-Reply-To: <d323dbd7a24c46f0bb5074f7aad4903d@huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.117.78]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 406ccc19-6a10-40e4-a021-08d83ef4c5f1
x-ms-traffictypediagnostic: MN2PR11MB4174:
x-microsoft-antispam-prvs: <MN2PR11MB4174C5DA92C2A50B04FCF49FA1420@MN2PR11MB4174.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: WsVZ2w+yInp7anTgDOxrJu8EvcbUx3A54tJIjpEHawzoSZgIP/cfIWd0gIfIRHWPwxUsuyL6Xs4ZUa6fQg9kqJh2M8oXrtOAimB4IYv3A+EPjBUGxFCbHxD+rwXxGdL8EQ3q8cegHwMOlxRAsuKj99gMlI2g/ik4Ut2zVa7pqec0tTqDmd53o1oE3dy+r7a+uxAtssnA2+z4K27VUVewVgADyL1hUwfPRsr+D86wlogKY/BH2RglOrN/O7rA1/2iC85r8sU+XfZU1Qcj2nlHk82nwsNah+ydii6u7+3+6Nk/X9zMn4atZE2HI9pGPKZtoj5/3q56qs127cSpviABVrsSEKBx15+biDWAt2d2nr+btH+AGngEEQAjwqnF0ocb4W2BHS4UmSC6iZhz1FF3NPf7ibq/crc1T9vQmkTo1i1/OfcumoCpFqN12atuvT73w+MqSw/K6/xGsQreGhSY6g==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR11MB3122.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(366004)(346002)(136003)(396003)(376002)(478600001)(33656002)(966005)(4326008)(86362001)(6506007)(316002)(26005)(2906002)(53546011)(8676002)(7696005)(6916009)(55016002)(9686003)(186003)(83380400001)(5660300002)(66446008)(66476007)(66616009)(76116006)(71200400001)(99936003)(64756008)(66556008)(166002)(8936002)(52536014)(66946007)(15398625002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: JFIEpugX/iDRp4cR3F1D2ZClCa7TiQwU7L1U+uSEnwGj2ABjbzSHiMsmkjaLVwk7ff8GwGs7yDkZ7QzdlIArc/fFyPkXVvgEgp0R8QUvF8qYIx7Mrpt/Joj4oryE34n2dpofdQnvcy9jIZ3lHdd8Nrs25HxgVn9G4DNbgyPjBr5j1eh9CZjBUOLvtfxyOUhOPv3LCZE/G9BgWA8p9C3QnB8HK2qWy2TPkJfFit/6bcI1EnGf3QLyvPzP3XghF9KwZzcbVDJwjJE1ip4QBGBuyEdxB0YQaCX65J2Oizk9nQzJnX9BzGOWGS4S2+IlWnWVHwwwE0SYWLpV6Zuu16FbmFmLKblgPSG0pnQmKfIuzfYqxpmCOtby0AdjpFaqktXIiSltVYoDajp5T1mHBFhewHvCjJYCKHLEsmD3hr0mySziigqhoL5MJtMIbP4xTc5U5aA8VvXgVAS5x85QabSk6L3V8oCtTzBelGUkrhwhbqE51mF8Ls7kqAR9oh1yjjuY06cavd9128/6HuakNHKXW0czluqShYk0OwEstxftAtOcPGOAMiPlji4gb56KN5+/y0S0q+RCR49dS6vP3uTccPN+BS1KQviY5nTatc6mDFPoDb3aT3rZh1XjCXOUqM4U8OpcMV7O/dSUBFVwABDvEA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_0169_01D670BC.18F28D80"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL0PR11MB3122.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 406ccc19-6a10-40e4-a021-08d83ef4c5f1
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Aug 2020 19:20:28.6115 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TMsPWxV1bG9F+1YEU3VTCB+iA2E6aC8yBOzcTtWFcYty4/ONVOeQt0bAwuQWoSaf
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4174
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.11, xch-rcd-001.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/dWbPjnOSD5iRZ_2qcozePwVBPTE>
Subject: Re: [Rats] Which Asymmetric algorithms for Charra?
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2020 19:20:37 -0000

Hi Wei Pan,

 

I don't think we need to define a key length for RSA.  

*	None of our RPCs are involved with generating a new key.  And we can
always discover the length of the key by referencing the information from
the keystore using known information (e.g., the certificate-name). 
*	Looking at the various SHA algorithms, they are actually different
algorithms (since they produce different digest sizes).
*	If we just match to what is in the TCG spec, we don't have to
define/defend a different scoping than they have already made.

 

Thanks,

Eric

 

From: RATS <rats-bounces@ietf.org> On Behalf Of Panwei (William)
Sent: Wednesday, August 12, 2020 3:59 AM
To: Eric Voit (evoit) <evoit@cisco.com>
Cc: rats@ietf.org
Subject: Re: [Rats] Which Asymmetric algorithms for Charra?

 

Hi Eric,

 

Generally, I'm fine with your proposal. I have only one question below.

 

The TCG_Algorithm_Registry_r1p32_pub defines a variety of SHA algorithms
named with key length as a suffix, it also defines the ID values for the
different curves used for elliptic curve cryptography. But it seems like
that the TCG_Algorithm_Registry_r1p32_pub doesn't specify the key length of
the RSA algorithm. So do we need to define fine-granular RSA algorithms in
the YANG module?

 

Regards & Thanks!

Wei Pan

 

From: RATS [mailto:rats-bounces@ietf.org] On Behalf Of Eric Voit (evoit)
Sent: Wednesday, August 12, 2020 6:52 AM
To: rats@ietf.org <mailto:rats@ietf.org> 
Subject: [Rats] Which Asymmetric algorithms for Charra?

 

During the charra presentation at IETF 108, we said we were going to ask the
following question to the list: "Should the algorithm set defined in YANG be
reduced to just those asymmetric algorithms currently exposed in the current
TPM 1.2 and 2 specifications?"

 

This is reflected seen in
https://www.ietf.org/proceedings/108/slides/slides-108-rats-sessb-charra-upd
ate-00, Slide 7.

 

The proposal I would like to make is as follows:

*	The TCG tracked algorithms supportable by a TPM should be the only
ones included in a charra maintained list of YANG identities.   

*	This identity set needs to be extendable to new algorithms for any
YANG models which augment charra.

*	TCG Algorithm Registry Revision 01.32, Table 3 at
https://trustedcomputinggroup.org/wp-content/uploads/TCG-_Algorithm_Registry
_r1p32_pub.pdf contains the algorithms we should encode.

*	There are other types of information within this table, and we might
as well encode the full table within a YANG model.   That way we can
explicitly make the scope of a "ietf-tcg-algs.yang" model the contents this
TCG table encoded in YANG.

*	The YANG model will indicate what TCG algorithms are deprecated by
the IETF.  However identities for these deprecated algorithms from the TCG
table will be assigned.  (e.g., SHA-1)

 

Are there any objections/questions/comments on this proposal?    I have a
strawman YANG file posted at:

https://github.com/ietf-rats-wg/basic-yang-module/compare/master...ericvoit:
patch-4
<https://github.com/ietf-rats-wg/basic-yang-module/compare/master....ericvoi
t:patch-4> 

 

Henk also is thinking of encoding this same Table information within CDDL.
That could be inserted as an additional informational element of the
document for where people prefer CDDL.

 

Eric

 

Eric Voit 

Principal Engineer

.:|:.:|:. Cisco Systems, Inc.