Re: [lamps] Proposal for PBMAC1 in PKCS#12

Russ Housley <housley@vigilsec.com> Wed, 22 June 2022 15:41 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21B7BC159490 for <spasm@ietfa.amsl.com>; Wed, 22 Jun 2022 08:41:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rp_Y6U6HrQk2 for <spasm@ietfa.amsl.com>; Wed, 22 Jun 2022 08:41:22 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E2F4C14F739 for <spasm@ietf.org>; Wed, 22 Jun 2022 08:41:22 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 0CB4D9817B; Wed, 22 Jun 2022 11:41:20 -0400 (EDT)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id F30AD9810E; Wed, 22 Jun 2022 11:41:19 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <ec537743-cf16-42e0-a266-856c03f002fa@redhat.com>
Date: Wed, 22 Jun 2022 11:41:19 -0400
Cc: LAMPS <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6D67B402-3E26-43EB-8EBD-7155E429CA01@vigilsec.com>
References: <c282cba9-f6ae-4412-8e93-0810cffb16f2@redhat.com> <99D0A4AF-89CF-467A-A934-9144636B6A17@vigilsec.com> <ec537743-cf16-42e0-a266-856c03f002fa@redhat.com>
To: Hubert Kario <hkario@redhat.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/HPGv1T9EFEkeI8dfKAPpZmTUiI4>
Subject: Re: [lamps] Proposal for PBMAC1 in PKCS#12
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2022 15:41:26 -0000

Thanks.  I'll take a careful look at page 24 of RFC 7292.

At this point, I am not suggesting any document changes.  Rather, I am saying that the existing structure has the necessary algorithm agility.  The problem comes from the text you reference from RFC 2315, where the context is always a message digest.

Russ


> On Jun 22, 2022, at 11:14 AM, Hubert Kario <hkario@redhat.com> wrote:
> 
> On Wednesday, 22 June 2022 16:58:18 CEST, Russ Housley wrote:
>> Hubert:
>> 
>> Please point to the text in RFC 7292 that is causing your concern.
>> 
>> The PFX structure is:
>> 
>>   PFX ::= SEQUENCE {
>>       version     INTEGER {v3(3)}(v3,...),
>>       authSafe    ContentInfo,
>>       macData     MacData OPTIONAL
>>   }
>> 
>>   MacData ::= SEQUENCE {
>>       mac         DigestInfo,
>>       macSalt     OCTET STRING,
>>       iterations  INTEGER DEFAULT 1
>>       -- Note: The default is for historical reasons and its
>>       --       use is deprecated.
>>   }
>> 
>>  -- IMPORT FROM RFC 2315
>> 
>>   DigestInfo ::= SEQUENCE {
>>     digestAlgorithm DigestAlgorithmIdentifier,
>>     digest Digest }
>> 
>>   Digest ::= OCTET STRING
>> 
>> It seems to me that DigestInfo would be better named macInfo.
> 
> Sorry, I don't follow... You're suggesting I should rename the fields in
> ASN.1 definitions or you're stating that the existing standard is confusing?
> 
>> It carries the MAC algorithm identifier (and optional parameters) as the MAC itself.
> 
> Correct, the problem is that the DigestAlgorithmIdentifier is specified in
> RFC 2315 as:
> 
>  The DigestAlgorithmIdentifier type identifies a message-digest
>  algorithm. Examples include MD2 and MD5. A message-digest algorithm
>  maps an octet string (the message) to another octet string (the
>  message digest).
> 
> I would not classify PBMAC1 as a "message-digest algorithm".
> 
> Moreover, the RFC 7292 is quite explicit that the PBMAC1 can't be placed
> in the PFX structure (see page 24):
> 
>  This document recommends that future definitions of
>  the PFX structure replace the existing MacData object, optionally
>  present in password integrity mode, with a new object definition that
>  holds a MAC based on PKCS#5 [13] [22] PBMAC1 message authentication
>  scheme.  This change would simplify the requirements for key
>  derivation functions used across all parts of the PFX structure.
> 
>>> On Jun 22, 2022, at 6:35 AM, Hubert Kario <hkario@redhat.com> wrote:
>>> Hello everybody,
>>> The work on the new NIST FIPS 140-3 implementations made us aware that the
>>> current PKCS #12 specification uses a legacy PBKDF for the calculation
>>> of the whole-file MAC value: PBKDF1. The PKCS #12 standard also doesn't ...
>> 
> 
> -- 
> Regards,
> Hubert Kario
> Principal Quality Engineer, RHEL Crypto team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm