Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri
Daniel Van Geest <daniel.vangeest.ietf@gmail.com> Tue, 30 January 2024 17:09 UTC
Return-Path: <daniel.vangeest.ietf@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D209EC14F5F1 for <spasm@ietfa.amsl.com>; Tue, 30 Jan 2024 09:09:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uCD-zut6tiUL for <spasm@ietfa.amsl.com>; Tue, 30 Jan 2024 09:09:20 -0800 (PST)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEA89C14EB17 for <spasm@ietf.org>; Tue, 30 Jan 2024 09:09:19 -0800 (PST)
Received: by mail-wm1-x32f.google.com with SMTP id 5b1f17b1804b1-40efcd83196so2153435e9.1 for <spasm@ietf.org>; Tue, 30 Jan 2024 09:09:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706634558; x=1707239358; darn=ietf.org; h=mime-version:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=0dlq037Iwbh67dMp8NMpBs69E3P+MtXMkxnJzR8Hrxc=; b=B49GvxENDJ8r9SUnLJtsMsRDgFLRX1glyXdv44/DXj72G+TCvXXCu38b+v5OSPHd1J OTr9E1XErVRctMTVIGSI6b2AsPkzUTaAS4qo7hABgBR0SWPtz+TgS9QptlLBebQ/380o 6xNboljMLdoWIrD4aM+Joa1UdMISlXUCulv27S8N+vzhAXKlzn06Cn5xUYDBFys8MLET m07UJMQjA90dixrA6+4PTzanDoPBy03aB5YklW8Hi3CTRdV1gQnUlG5h2uGONCpE3ln1 It7Pmbx4jS1yCNYiXCvioSTfs+6cJ8GVtwSeVT4qmRFU1eHTuEQ6VfX3WAM6HJ8gbhBs 9LRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706634558; x=1707239358; h=mime-version:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=0dlq037Iwbh67dMp8NMpBs69E3P+MtXMkxnJzR8Hrxc=; b=CP0t01qr66iWgmbo1v0th4HfdFVmNHSI1VrzpFITvqcT92aIUZgnlNPzrxdbd8V5b/ g3z6OqESoxKbgDHjz6z6nCgNBI0qjatSBZ6KJ2VEv1uwkIo4FttVAsEzmHFOAg4Cwewc GXLQ0BDpErjCkCi39hpR7yngVJW8Sh+1MzR32kUh2Fabn363I87q9XQl4DCBkoB/YSLe SIzE8/ai+zkqkPCYeUT19er4Sck+rPRtiFYnlMd5Vu/bE/UAuODcj5fGE4j1Y+X1TvdI aujo09OwcVdqqqG+GVBQXD0F9tIBuR4fwKEZhp1LdLDxgZTbq1/keSxGRXNGAlaJyeGl 1d1Q==
X-Gm-Message-State: AOJu0Yy0Kgzze7b1e5A/uSxwkDZfvZAHWx5CK4pEbMMUwOvNeRadukYl 6lNANu1yeKExZlJGzp+69hZ23Aha2A7k205cEsMKuzwIhDcDUOIzvd6gma3A
X-Google-Smtp-Source: AGHT+IH/cqRdPKwpa/o4KN6vI5zH5row7SFvaaGMimQzf2Bt5thDXJjdb7HsgHax3RQZ/YsHfkbLvw==
X-Received: by 2002:a05:600c:6023:b0:40e:eaca:59db with SMTP id az35-20020a05600c602300b0040eeaca59dbmr1067321wmb.2.1706634557551; Tue, 30 Jan 2024 09:09:17 -0800 (PST)
X-Forwarded-Encrypted: i=0; AJvYcCV+Yzje3Bul/2Ub13j6ElJRP9WXjBn6mg2e3PLQmTnrMdkVLmRYNgPX8sDIuDM9gbeaMrM7Qe9NIrNHmCgihYYyWzqRxDyhiKQXiimXoCXkGGicFV0MemRHYu3bJOTgc1A=
Received: from VI1PR08MB3534.eurprd08.prod.outlook.com ([2603:1026:302:85::5]) by smtp.gmail.com with ESMTPSA id i5-20020a05600c354500b0040efb8f7158sm4424517wmq.15.2024.01.30.09.09.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Jan 2024 09:09:17 -0800 (PST)
From: Daniel Van Geest <daniel.vangeest.ietf@gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Russ Housley <housley@vigilsec.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>
CC: LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri
Thread-Index: AdpCaC+It7iW3LwtQaS8gH3/erKdhQADc+YABEmrHwAAAGGE3A==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Tue, 30 Jan 2024 17:09:16 +0000
Message-ID: <VI1PR08MB35343612CE9F8F2165596E18AF7D2@VI1PR08MB3534.eurprd08.prod.outlook.com>
References: <10d001da4275$84783c10$8d68b430$@gmail.com> <27CC12F8-4D7D-4C65-9587-C54C9E017E40@vigilsec.com> <35E24FD1-8C52-4204-89B1-822ACAD1AF5D@redhoundsoftware.com>
In-Reply-To: <35E24FD1-8C52-4204-89B1-822ACAD1AF5D@redhoundsoftware.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_VI1PR08MB35343612CE9F8F2165596E18AF7D2VI1PR08MB3534eurp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/9vMwZc10uHslB4s83NmJX6qjcF4>
Subject: Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 17:09:23 -0000
draft-ietf-lamps-cms-kyber-01 is out of date, it doesn't take KemRecipientInfo into consideration well enough (or at all?). I've spoken to my colleague Julien about taking over the draft since I've been implementing kemri anyways, I just need to find the time for both. I envision the draft being simplified, and following the model of rfc5990bis: - discuss KEMs and ML-KEM in (very) brief. There seem to be many draft repeating the same info where it would be better to refer to the NIST specs (or a CFRG doc covering them). - specify OIDs for ML-KEM in CMS (again pointing to other drafts) Get Outlook for Android<https://aka.ms/AAb9ysg> ________________________________ From: Carl Wallace <carl@redhoundsoftware.com> Sent: Tuesday, January 30, 2024 4:52:12 PM To: Russ Housley <housley@vigilsec.com>; Daniel Van Geest <daniel.vangeest.ietf@gmail.com>; Mike Ounsworth <Mike.Ounsworth@entrust.com> Cc: LAMPS <spasm@ietf.org> Subject: Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri Russ and Mike, Section 5.2.1 of draft-ietf-lamps-cms-kyber-01 states the following: “If the session key obtained from the KEM algorithm is long enough to fit into the WRAP algorithm, then the KDF could be equal to the identity function.” Given this, should the kdf and kekLength fields be OPTIONAL in KEMRecipientInfo? Carl From: Spasm <spasm-bounces@ietf.org> on behalf of Russ Housley <housley@vigilsec.com> Date: Monday, January 8, 2024 at 4:02 PM To: Daniel Van Geest <daniel.vangeest.ietf@gmail.com> Cc: LAMPS <spasm@ietf.org> Subject: Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri Daniel: It can use an KDF, but I expect that most implementers will want to use the same KDF that was used internal to the KEM algorithm to keep the implementation small. Russ On Jan 8, 2024, at 3:59 PM, Daniel Van Geest <daniel.vangeest.ietf@gmail.com> wrote: I’m implementing draft-ietf-lamps-cms-kemri and have a question about the ` kdf KeyDerivationAlgorithmIdentifier` field in KEMRecipientInfo. Is it intended that any (IKM, L, info) KDF can be thrown there (respecting Security Considerations), or should the KEM-instantiating documents specify which KDFs to use with which KEMs. e.g. draft-ietf-lamps-cms-kyber should specify to use id-alg-hkdf-with-sha256 with Kyber512, id-alg-hkdf-with-sha384 with Kyber768 and id-alg-hkdf-with-sha512 with Kyber1024? If they should do this, should the kdf field for KEMRecipientInfo be parameterized by allowed KDF ids (or whatever the right ANS.1 terminology is)? KEMRecipientInfo ::= SEQUENCE { … kdf KeyDerivationAlgorithmIdentifier{KEY-DERIVATION, KEMRIKeyDevAlgs}, … } KEMRIKeyDevAlgs KEY-DERIVATION ::= {kda-hkdf-with-sha256, kda-hkdf-with-sha384, kda-hkdf-with-sha512, …} And KEM instantiating docs can add to KeyDevAlgs if needed. Thanks, Daniel _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://www.ietf.org/mailman/listinfo/spasm _______________________________________________ Spasm mailing list Spasm@ietf.org https://www.ietf.org/mailman/listinfo/spasm
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Russ Housley
- [lamps] Key Derivation in draft-ietf-lamps-cms-ke… Daniel Van Geest
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Carl Wallace
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Daniel Van Geest
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Daniel Van Geest
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Mike Ounsworth