Re: [lamps] Proposal for PBMAC1 in PKCS#12
Jonathan Hammell <jfhamme.cccs@gmail.com> Wed, 29 June 2022 20:50 UTC
Return-Path: <jfhamme.cccs@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C63C5C15AAEC for <spasm@ietfa.amsl.com>; Wed, 29 Jun 2022 13:50:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cEmCVADpI4GJ for <spasm@ietfa.amsl.com>; Wed, 29 Jun 2022 13:50:59 -0700 (PDT)
Received: from mail-ua1-x929.google.com (mail-ua1-x929.google.com [IPv6:2607:f8b0:4864:20::929]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F9A8C15AADE for <spasm@ietf.org>; Wed, 29 Jun 2022 13:50:59 -0700 (PDT)
Received: by mail-ua1-x929.google.com with SMTP id x24so6189857uaf.11 for <spasm@ietf.org>; Wed, 29 Jun 2022 13:50:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3OPnFcOwTo9rCd4U6satSmHqm2UfcRpDQAXqKSMmKCA=; b=DyZ2s8jFAWiN5e6uFge8lXZKrD4CRLOtbRghAnDmV8l5rYjObtYA6TmzG9dvlQo3gS NuFMm8PEE726Kv9Y88EqBMhkneL33e+zo+6mVSE8jUnTxGyhfXwYzwfD7EJ1V/SrLX/t xSP6zRjbMix7vkqGOdyxOvyi9hYM/GJTGcPIKo8EHQvhei0YFAVXu2rQr3G+kKJ70SwY iVSQc+c7jFVbrNQaR24jWcdOa4ZAYps/Z0JOXzUwpgsRENf/BgQk5B6f/HM29xSicuof N0rQ1EForXBCT+khMmLx4CTkUUVJbZeCrpylZwPHb1zd+KR4jViQuPXvnjCu1vEXDDYT l1cQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3OPnFcOwTo9rCd4U6satSmHqm2UfcRpDQAXqKSMmKCA=; b=4OFEWTUw70+MJqG9KAOQrp8JLMqAlpfduOFs4ooV/NN2bmZq9l5LJBNLv2kNMdqSUR ZYyws3gbZmsBsF4l131UNQ1ZTmzFUDNkar1wIfoaLepNsi0Y3V4eWqLG7vrxvDUeS3R/ Lpux6W1JYz/RAY7rHIrREc711RVurnvbwzaN5RlRRt2dxpU8iiIDM6rJKtGJ7cahQB+6 Z96sjuv2cArJtNji1D/QbAcFU+wMgTUNTYivIA+2TiXvXP8UwNdBHIelx53ljlPcYBnk 2q5qPXbU5iEcQ/12Ud85G0H09C2OMhhazxGMP6CvbtuuTD80Xt8dnB2t6FCm0v374EjB GW6w==
X-Gm-Message-State: AJIora+VUTZKdsq4Z32JXdgtIirF8IQT+rbMJoV3DHdeVOdE8YFSG7mk 0LfstaTShFCyHgcmY1ZngmCmsCmy2oGETp3l3OA=
X-Google-Smtp-Source: AGRyM1t8Yb/tDNlGWEVvbQCgwgmY1Td5vM1wBWYhUMZWTm2O7mFKbbcKo9Fl++ghb8AeYs3gSuA1oxOnaY6eGReyAdM=
X-Received: by 2002:ab0:684b:0:b0:373:60b6:5d88 with SMTP id a11-20020ab0684b000000b0037360b65d88mr3155335uas.75.1656535858099; Wed, 29 Jun 2022 13:50:58 -0700 (PDT)
MIME-Version: 1.0
References: <c282cba9-f6ae-4412-8e93-0810cffb16f2@redhat.com> <99D0A4AF-89CF-467A-A934-9144636B6A17@vigilsec.com> <ec537743-cf16-42e0-a266-856c03f002fa@redhat.com> <6D67B402-3E26-43EB-8EBD-7155E429CA01@vigilsec.com> <CALhKWgiA5Cq9i--QAVqVgDPSRaFX=cgQeBkw_xXd3=4AwG2e0A@mail.gmail.com> <be5d9d2b-2c3f-4a25-9b16-8212043f5373@redhat.com>
In-Reply-To: <be5d9d2b-2c3f-4a25-9b16-8212043f5373@redhat.com>
From: Jonathan Hammell <jfhamme.cccs@gmail.com>
Date: Wed, 29 Jun 2022 16:50:46 -0400
Message-ID: <CALhKWgi-V_M0_v3T=vRPcu3OBKJKCKK6vRNiUkvbH7h4xN4Mvw@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/57VWbcaU46F8XYo0LdH26MQzSrg>
Subject: Re: [lamps] Proposal for PBMAC1 in PKCS#12
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2022 20:50:59 -0000
Hi Hubert, On Tue, Jun 28, 2022 at 2:48 PM Hubert Kario <hkario@redhat.com> wrote: > More specifically, I was thinking of something like > > EncryptedPrivateKeyInfo ::= SEQUENCE { > encryptionAlgorithm EncryptionAlgorithmIdentifier, > encryptedData EncryptedData, > hmacAlgorithm HmacAlgorithmIdentifier, > hmacData HmacData} > > (i.e. add hmacAlgorithm and hmacData fields) with HmacAlgorithmIdentifier > allowing PBMAC1 only, with HmacData defined like > > HmacData ::= OCTET STRING If you were to do that, you may not want to be specific to HMAC (e.g. CMAC or KMAC could be used) and you may want to make the MAC fields optional: EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm EncryptionAlgorithmIdentifier, encryptedData EncryptedData, macAlgorithm [0] IMPLICIT MessageAuthenticationCodeAlgorithmIdentifier OPTIONAL, macData [1] IMPLICIT MessageAuthenticationCode OPTIONAL} where MessageAuthenticationCodeAlgorithm and MessageAuthenticationCode are defined in RFC 5652. However, if macAlgorithm and macData are provided, legacy clients would likely bork on the ASN.1 parsing since there was no extension marker in the original SEQUENCE. > While PBES2 does allow for AES-GCM, to our knowledge, NIST does not allow > use of AES-GCM for protection of key data, at least not in the way it's > defined for use inside PBES2. Indeed, in that case you may actually want to use AES Key Wrap (RFC 5649). It has implicit integrity protection, thus still avoiding changes to PKCS #8 or PKCS #12. > Secondly, no popular open source cryptographic library implements AES-GCM > support inside PKCS#12. So such files would be completely unreadable > by all but the newest implementations. I'm curious how many of these legacy implementations would allow you to ignore PBMAC1 integrity protection and decrypt the key. And even if it did, would no integrity protection not be worse than the legacy password integrity mode? Best regards, Jonathan
- [lamps] Proposal for PBMAC1 in PKCS#12 Hubert Kario
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Russ Housley
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Hubert Kario
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Russ Housley
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Jonathan Hammell
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Hubert Kario
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Jonathan Hammell
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Hubert Kario
- Re: [lamps] [EXTERNAL] Proposal for PBMAC1 in PKC… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Proposal for PBMAC1 in PKC… Hubert Kario