Re: [lamps] [EXTERNAL] Proposal for PBMAC1 in PKCS#12

Hubert Kario <hkario@redhat.com> Fri, 01 July 2022 12:07 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2476C15BE13 for <spasm@ietfa.amsl.com>; Fri, 1 Jul 2022 05:07:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.85
X-Spam-Level:
X-Spam-Status: No, score=-2.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.745, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ozwsAumJLOw for <spasm@ietfa.amsl.com>; Fri, 1 Jul 2022 05:07:40 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CF22C15AD37 for <spasm@ietf.org>; Fri, 1 Jul 2022 05:07:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1656677258; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BPw0OtNWd1419xNr9yYDfCPG6ZvS3d7V46gnP5N5UY0=; b=KHzr9KVyirUCQXFPD2ZMgWu2Y9OXXcb9nWU1o62SB1pG3Khiro4PWPXSLkhayb2YLFl6Pn qNf2VdaVjfLDYpV0j3ZvPwa6Vq9RlFGBZWFtu9fR5g+5XGwmnQA/ZM+k11MPLW9mSKw0V5 RkRnSMIXF15CTFeDWUdDziGiFZZINo8=
Received: from mail-ej1-f71.google.com (mail-ej1-f71.google.com [209.85.218.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-638-DFTQ6I29MVaRLBLNI_3khg-1; Fri, 01 Jul 2022 08:07:37 -0400
X-MC-Unique: DFTQ6I29MVaRLBLNI_3khg-1
Received: by mail-ej1-f71.google.com with SMTP id qa41-20020a17090786a900b00722f313a60eso693985ejc.13 for <spasm@ietf.org>; Fri, 01 Jul 2022 05:07:37 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:mime-version:message-id :in-reply-to:references:organization:user-agent :content-transfer-encoding; bh=T+LG0qJm0M747s2rfxhTQf1F2pau6Fa9zFKR6TezNgo=; b=UmKmeYnlGwHgmRj+pChapT2FrCirky1XFHjZ6AGTG6pqdMTYG3t9ybklI1t/WzvkBu oaw88v+m1WckiMd/3gccA5p7+ohBMOyXlwBCh8ZLqjRKeRTJo23AjlfHUm8vH2ndyjsP TFjVhgF8nHaRZuA5ZAWsQLFMbSkxMedIfHw6fGEktf+9LHmJtPde+wMzKdZRf5TZDVU0 SmaKEP6sTDEzpbEV+T2wFv1MMOvebBymK2HS8RSDEFwUBebEp6f22YmO2PGYq7CqCXSR o9q4ule8d9ZdzXR57gBziYHHP+cK07RNxPJl+xNCzjAEe00iACMUX9ItF5MwwtpxER7v SEjQ==
X-Gm-Message-State: AJIora+qYEFq+fzTJehgf4hF4WSG1+ULP6yh6ZgHtl/xj4r7y0w6Jyie 6x1MH7sy21feaYsLkJtxcRE11m33C0/So75CFAWNl9WFcKZp85Rt0xjFmP9BirkH0lVIPkBXia9 fLC1qtw==
X-Received: by 2002:a17:907:7745:b0:6f3:674a:339 with SMTP id kx5-20020a170907774500b006f3674a0339mr14440373ejc.207.1656677256404; Fri, 01 Jul 2022 05:07:36 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1sZTkZmWcJgaPtusC9cLaxubCLTDzYdOH2g8MvrtQQ2LLhvj0DKXI3Ow3iuP4smXmq/+iHNGA==
X-Received: by 2002:a17:907:7745:b0:6f3:674a:339 with SMTP id kx5-20020a170907774500b006f3674a0339mr14440350ejc.207.1656677256175; Fri, 01 Jul 2022 05:07:36 -0700 (PDT)
Received: from localhost (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id by27-20020a0564021b1b00b004356112a8a2sm14851877edb.15.2022.07.01.05.07.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 01 Jul 2022 05:07:35 -0700 (PDT)
From: Hubert Kario <hkario@redhat.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: spasm@ietf.org
Date: Fri, 01 Jul 2022 14:07:31 +0200
MIME-Version: 1.0
Message-ID: <f25b9ad8-88d4-4457-9113-03626a71c03e@redhat.com>
In-Reply-To: <CH0PR11MB573967EB15B13D7AA8BDA6059FBA9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <c282cba9-f6ae-4412-8e93-0810cffb16f2@redhat.com> <CH0PR11MB573967EB15B13D7AA8BDA6059FBA9@CH0PR11MB5739.namprd11.prod.outlook.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.2; xcb; Linux; Fedora release 34 (Thirty Four)
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=hkario@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/61W1oXRevA2bfvoeX7UVrlQuvpM>
Subject: Re: [lamps] [EXTERNAL] Proposal for PBMAC1 in PKCS#12
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jul 2022 12:07:45 -0000

On Friday, 1 July 2022 00:04:36 CEST, Mike Ounsworth wrote:
> Hi Hubert,
>
> About these two changes:
>
>
>> 3. if the PBMAC1 algorithm is used, the macSalt value MUST be 
>> ignored, for backwards compatibility it SHOULD NOT be empty
>
>> 4. if the PBMAC1 algorithm is used, the iteration value MUST 
>> be ignored, for backwards compatibility it SHOULD have a 
>> non-zero positive value
>
> I assume the reason for ignoring these is that they are already 
> specified in the id-PBMAC1 params "PBKDF2-params", and so you're 
> proposing to have the copy in the PKCS#12 MacData be ignored and 
> the copy in PBKDF2-params be used?

Yes, since those values are not enough to derive correct keys with PBKDF2,
it's better to ignore them than to try to have two copies of those 
parameters.
The other limitations are for backwards compatibility only (as applications
still expect values there, even if they don't recognise the Algorithm OID).

> About the backwards compatibility discussion; I think I agree 
> with Russ that encouraging no integrity protection check is 
> worse than supporting old algorithms -- though your FIPS lab may 
> not agree :/  

Reading those files without checking the integrity protection isn't FIPS
compliant behaviour; it's not really what lab requests, it's just about
what users will find more convenient to work with.

> That means a "flag day" is almost preferrable if a 
> client is not able to parse a p12 with new crypto.
> I wonder if this is substantial enough to be worth bumping the 
> version field of the p12 object to v4?

For FIPS compliance we have two options:
 1. use AES-KW, and have PKCS#12 files with an AEAD algorithm, but without
    whole-file MAC; then only the newest software can do anything with the
    file (both because of atypical, and in practical terms completely new,
    encryption algorithm and atypical MAC omission)
 2. use PBMAC1, and use exactly the same algorithms any modern PKCS#12
    implementation needs to support anyway (AES-128-CBC, PBKDF2, HMAC with
    SHA-1 or SHA-256), with limited backwards compatibility for 
applications
    that can skip MAC check

Now, thinking of users, I consider the 2nd option to be the best option, 
both
because backwards compatibility is already deployed and because 
implementing
it will be easiest, thus most likely to be quickly supported.
With an engineer hat on, redefining the PFX structure or using the 1st 
option
is definitely much "nicer looking".

> ---
> Mike Ounsworth
>
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Hubert Kario
> Sent: June 22, 2022 5:35 AM
> To: spasm@ietf.org
> Subject: [EXTERNAL] [lamps] Proposal for PBMAC1 in PKCS#12
>
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender 
> and know the content is safe.
>
> ______________________________________________________________________
> Hello everybody,
>
> The work on the new NIST FIPS 140-3 implementations made us 
> aware that the current PKCS #12 specification uses a legacy 
> PBKDF for the calculation of the whole-file MAC value: PBKDF1. 
> The PKCS #12 standard also doesn't provide a way to specify any 
> alternative KDF. Since PBKDF1 isn't an approved mechanism in 
> FIPS, the whole file becomes FIPS non-compliant.
>
> While deciding how to modify the PFX structure we considered two options:
> change the structure completely, so that the whole macData is 
> extensible and allows for use of PBMAC1, or by placing the 
> PBMAC1 as as "hash"
> in the existing structure. The first option is much cleaner, 
> but it has the unintended consequence of making the file 
> completely unreadable by any of the popular software able to 
> process PKCS#12 files that exists now.
> The second option does on the other hand create files that even 
> old versions of OpenSSL (like 1.0.1) can read when the user 
> specifies the -nomacver option. Allowing for a relatively easy 
> workaround for interoperability with old systems.
>
> With those two things in mind I'd like to propose the following 
> I-D to specify use of PBMAC1 in PKCS#12:
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-kario-pkcs12-pbmac1/__;!!FJ-Y8qCqXTj2!dYb2eaF0MwC-dRJr3A_dd2ATl_kQPOjYAJEJlT3c4I0Oez8iCwGlmHLIcYFF20iyPJzspaK9tNfd80wg-2LxBOUcxg$
> --
> Regards,
> Hubert Kario
> Principal Quality Engineer, RHEL Crypto team
> Web: 
> https://urldefense.com/v3/__http://www.cz.redhat.com__;!!FJ-Y8qCqXTj2!dYb2eaF0MwC-dRJr3A_dd2ATl_kQPOjYAJEJlT3c4I0Oez8iCwGlmHLIcYFF20iyPJzspaK9tNfd80wg-2LywBbDYQ$
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>

-- 
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic