Re: [lamps] Feedback on figure 3 in draft-brockhaus-lamps-lightweight-cmp-profile-01
"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Thu, 05 December 2019 16:57 UTC
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED1CD1209D8 for <spasm@ietfa.amsl.com>; Thu, 5 Dec 2019 08:57:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.402
X-Spam-Level:
X-Spam-Status: No, score=-1.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, PDS_BTC_ID=0.499, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Zv3XnHTdfMK for <spasm@ietfa.amsl.com>; Thu, 5 Dec 2019 08:57:30 -0800 (PST)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-eopbgr150077.outbound.protection.outlook.com [40.107.15.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35AE91209CC for <spasm@ietf.org>; Thu, 5 Dec 2019 08:57:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MfJks5VpfMubqv8JRw9bh3+tz/jIs7dtDyQvUXoX/VFeyE50IbIFLv9yiMcHxRKLBq4Wst5iiIH9ot44cLKerIXwAD+4eJurq1A4jbpTV+Nh/HPgmkmUeSCKc5q8K6j/2BsFbHaNGPqmcatxcgmdWoxYh711gMxAbw1bz/jbTOnYNRJ5msbyNx5mDxN3z+PCwfIvlzaQRp6Wbv7L+5pZ4KTJdeNb98cd4HyNLF5LvIlzB/0WxDo6qUBppwTryr4RIMGHVMqLkOkYymAkQMf/lGsekceBvxFKxYXB5ghpdHL2HnbgDejT+YQYnyKjJ0CEZAwf21sL9V0USGC9WDbGVw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=W9qn6LRkZ0uO46liU+do1AoSDNiGW5rf4lMm/aQeLJk=; b=DqXLkKseQsr4l2FRpGvViMvymeUbYkGwdbfJcVTveccGa5tfF18bTjSzq3JeyN7xIpmf0HOyAaXiPrCKL2SwFtiowe68pdEFL4zgPrDeFW4qB0HKJBPeIHoHeEdzsafjmGZK/TDVgezAVkWjW29oYyBLk1UsEmDDRJKva48NiY6pJQWIoFttO/ldvaGsqYOK5N+bn3kKhnEmFYO8/8DmDiH6cW2ld/f10GItF/khQ/N/RpDFwBvUrOdUUYwKOTr7593ORhRXjQCDh7rAnk13T+4fDsQsru4oIlTwHvv0JK/I89mGiqH8mTd+nskpg23BG9T2NDLtXXKuthy22edLbw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector1-siemens-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=W9qn6LRkZ0uO46liU+do1AoSDNiGW5rf4lMm/aQeLJk=; b=osEBxg6m4c+y/R5ttkkAzsFmhYpfzuuQ04UWx0Rnon6qyrWymb18F+H31v6PtyTPl1nySWXQvyVY9OUp2RDxmAR6lmkhvaTQD9PKpzqhpcezA570nVGX0Gu2RIJBT6Fmo+mRIQ1+RxuFmbKLS7sAEGPaLg/9dWyUIN2G/huFvkU=
Received: from DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM (20.176.238.95) by DB7PR10MB2380.EURPRD10.PROD.OUTLOOK.COM (20.177.121.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.12; Thu, 5 Dec 2019 16:57:26 +0000
Received: from DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM ([fe80::e1f3:8a6c:f50f:f207]) by DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM ([fe80::e1f3:8a6c:f50f:f207%7]) with mapi id 15.20.2516.014; Thu, 5 Dec 2019 16:57:26 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Justin Cranford <Justin.Cranford@entrustdatacard.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: Feedback on figure 3 in draft-brockhaus-lamps-lightweight-cmp-profile-01
Thread-Index: AdWqNJPpfHT9y+XHSjCsxT/8ALDI9QBSY7zQ
Date: Thu, 05 Dec 2019 16:57:26 +0000
Message-ID: <DB7PR10MB24111A6F8B460E1A87DBA931FE5C0@DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM>
References: <CY4PR1101MB22464DDDC3184DD83716FD31FE420@CY4PR1101MB2246.namprd11.prod.outlook.com>
In-Reply-To: <CY4PR1101MB22464DDDC3184DD83716FD31FE420@CY4PR1101MB2246.namprd11.prod.outlook.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=hendrik.brockhaus@siemens.com;
x-originating-ip: [195.145.170.177]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: f0aa4d39-6af4-4f90-dd53-08d779a4351b
x-ms-traffictypediagnostic: DB7PR10MB2380:
x-microsoft-antispam-prvs: <DB7PR10MB2380C946F76D822E14F7758AFE5C0@DB7PR10MB2380.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02426D11FE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(199004)(189003)(305945005)(71200400001)(66574012)(81156014)(30864003)(74316002)(8936002)(33656002)(52536014)(66446008)(110136005)(71190400001)(2906002)(5660300002)(8676002)(64756008)(86362001)(81166006)(26005)(186003)(6506007)(7696005)(9686003)(102836004)(498600001)(45080400002)(11346002)(966005)(66556008)(66946007)(76176011)(25786009)(99286004)(55016002)(14444005)(76116006)(66476007)(14454004); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR10MB2380; H:DB7PR10MB2411.EURPRD10.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: siemens.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: DbnNRAk526Poti/mE+CULdVYHn61+/u6shYwc5ysVvZByxKIy76GpyeoiRkMA/xL63lsULSjfLtNCvuas7p6vF4lsTRTcNhghxPU0Af/VuAPv6Wi0ErR1ZSDzrqIIR4OhrQtohS20ccFoBELwv1S4OzX6RK7DGcF7NcLyWUxXk3dcyAH6PKW2AQt/dA7Py5OmRFtb6NvBrlZ8KfLOmwkdSgSN8FfzI+4KLK/7Id6Pydi3NY2LNkGg/W9CkM6ldZuHpvq0fOKGiJXB4sqdPI44BhH/TI05ww9CeugmVxdMUN8rkUEuqzqGrIkLezcmaI8EXcjIALTBusTqarskaM4w9UD6+WlYualboxkTJJ5xH69ZnNuJFyo9t7QMAGVaNcR6cd8ur01tIQTrtHZZStt+p+rtcMhPtt5+OmH/Yt+Vwzu4wlYS0PnpV4U9iZUugBSj0FmU+v4jUyXzQhm06Isst2brOd07uRa+YpmJHnGe+g=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f0aa4d39-6af4-4f90-dd53-08d779a4351b
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Dec 2019 16:57:26.7711 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bv7cqSrpyK3PZc7MrCSH9HEj1bepNYWb3De8fSjynDZf3MNCpGlwXTyQm0mKQ7OR7afP1x/v2Y0f1arhyRqBnpX3Ah3TPd9aQAMKoVIe2B8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR10MB2380
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/KCOC-1PCDP9JWQNKs05MFh1cur0>
Subject: Re: [lamps] Feedback on figure 3 in draft-brockhaus-lamps-lightweight-cmp-profile-01
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2019 16:57:35 -0000
Justin thank you very much for you feedback and ideas to ease the use of the lightweight CMP profile for constrained entities. Please see my comments inline below. > -----Ursprüngliche Nachricht----- > Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Justin Cranford > Gesendet: Mittwoch, 4. Dezember 2019 00:55 > An: spasm@ietf.org > Betreff: [lamps] Feedback on figure 3 in draft-brockhaus-lamps-lightweight- > cmp-profile-01 > > Hello, > > Figure 3 shows the proposed message format for securely returning a remote > generated privateKey to a lightweight CMP client. > > - > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf. > org%2Fhtml%2Fdraft-brockhaus-lamps-lightweight-cmp-profile-01%23page- > 31&data=02%7C01%7Chendrik.brockhaus%40siemens.com%7C4c12326f0f > 9e4680fdcf08d7784c8cfc%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C1 > %7C637110142482661729&sdata=grVrLN8a43hCZC93QIbKELZFxENB0q1Y > zs2hFhEKMUc%3D&reserved=0 > > > Feedback summary: > > 1. CMS SignedData should be the outer layer. > 2. CMS ContentInfo should be used to wrap both of the CMS EnvelopedData and > CMS SignedData layers. > 3. CMS Data may be useful to wrap the privateKey payload. > > > > Feedback details: > > 1. CMS SignedData should be the outer layer. > a) When a lightweight IOT client receives a response, it should do the > lightweight SignedData verification first. [Bro] I see your goal and appreciate it. Actually there is the outer signature provided by the CMP protection. But to explain a bit further, I had two points in mind while defining the structure like this. i) Currently the structure specified in CMP to carry the private key is EncryptedValue. EncryptedValue is defined in CRMF and is depreciated in favor of EnvelopedData for a long time already. Therefore I would like to make use of the EncryptedKey, as also specified in CRMF, to allow EnvelopedData next to EncryptedValue. This procedure was also recommended by Jim Schaad while discussion this at IETF104 as this is backward compatible with current syntax on the bitstream and requires only a minimal extension to CMP. This change is documented in CMP Updates section 3.4 (https://tools.ietf.org/html/draft-brockhaus-lamps-cmp-updates-01#section-3.4 ). ii) While specifying the structure I used guidance from "CMS Encrypted Key Package Content Type" RFC6032 (https://www.rfc-editor.org/rfc/rfc6032.html ). As the CMP response message is signed, I have a layering like this: CMPProtection(EnvelopedData(SignedData(privateKey))) Finally, the inner signedData serves the goal to proof who generated the key-pair and therefore has knowledge of the privateKey next to the end entity. This can only be achieved by putting the signature into the envelopedData structure. Therefore I would say, I also follow the procedure of Gutmann with regard to the outer signature provided by the CMPProtection and the envelopedData encrypting the privateKey. But I added an inner signature to proof who has knowledge of the privateKey. This is required especially in a scenario where the key-pair was not generated by the PKI management entity the end entity directly talks to. In such scenarios, where the encrypted privateKey is transferred over several hops, the inner signature is necessary. May be Peter Gutmann should consider adding such inner signature to his syntax to also offer this feature. In case the end entity does not care or has very limited resources, it can skip the validation of this inner signature. Did this clarify my design goals and constraints. If you have concrete suggestions to improve this with regard to simplification of validation, please let me know. In case I misunderstood your suggestion, please also come back to me. :-) > b) In other words, if a lightweight client does heavyweight EnvelopedData > decryption first, and SignedData verification fails second, the client just wasted > a lot of processing power, battery life, and time. [Bro] This is right. Therefor the functional extension to deliver centrally generated keys is optional and not recommended. As motivated in https://tools.ietf.org/html/draft-brockhaus-lamps-lightweight-cmp-profile-01#section-5.1.6 it is recommended to locally generated the key material if possible. If the end entity has to request for central key generation it anyhow first validates the signature of the CMP protection when receiving the response message and therefore has some evidence that the response message comes from a legitimate PKI management entity. > c) CMS SignedData can be used to provide extra data needed by the client to > decrypt EnvelopedData. Consider if client and server both use EC key pairs. > Example: EnvelopedData contains KeyAgreeRecipentInfo using static-static > ECDH algorithm. Client needs the server EC public key to compute > EnvelopedData KEK. Server options for the originator KeyIdentifier in KARI > include IssuerAndSerialNumber, SubjectKeyIdentifier, or OriginatorPublicKey. If > server chooses IssuerAndSerialNumber, the client must find the server's EC > public cert. That somewhere can be the SignedData certificates set if-and-only- > if SignedData is outside EnvelopedData. [Bro] I tried to make use of data already used in the CMPHeader of the response message, for example to identify the end entities key to be used for the keyManagement. recipientEncryptedKey REQUIRED rid REQUIRED rKeyId REQUIRED subjectKeyID REQUIRED -- MUST contain the same value as the senderKID in the respective -- request messages Generally I am not in favor of static-static DH. I prefer static-ephemeral DH to have more variation in the agreed symmetric keys, in case the same PKI management entity generates another key pair for the same end entity. You may argue, that it will not happen that this will be performed using the same key-pairs on both sides, but you never know. Therefore, I mandated to use the OriginatorPublicKey field in the section 5.1.6.2 (https://tools.ietf.org/html/draft-brockhaus-lamps-lightweight-cmp-profile-01#section-5.1.6.2 ). Doing so I reduce the options in the syntax and offere the server side to align with the algorithm the client uses. Therefore I do not have to require that client and server both have EC key pairs. > > 2. CMS ContentInfo should be used to identify the CMS EnvelopedData and CMS > SignedData layers. > a) The lightweight client's CMS parser can to do more strict verification of the > response structure without incurring significant overhead. [Bro] You are right, CMS recommends to use ContentInfo. For the outer EnvelopedData the use of EncryptedKey does not allow wrapping in ContentInfo. In the EnvelopedData structure I do use the contentType field to specify the id-signedData type and in SignedData I also used the contentType id-data to specify the type for the privateKey. See section 5.1.6 (https://tools.ietf.org/html/draft-brockhaus-lamps-lightweight-cmp-profile-01#section-5.1.6 ): [...] encryptedContentInfo REQUIRED contentType REQUIRED -- MUST be id-signedData contentEncryptionAlgorithm REQUIRED -- MUST be the algorithm identifier of the symmetric -- content-encryption algorithm used -- As private keys need long-term protection, the use of AES-256 -- or a stronger symmetric algorithm is RECOMMENDED encryptedContent REQUIRED -- MUST be the encrypted signedData structure as specified in -- CMS [RFC5652] section 5 [...] contentType REQUIRED -- MUST be id-data content REQUIRED -- MUST be the privateKey as OCTET STRING [...] Would you still recommend to wrap the SignedData and the privateKey in a ConentInfo structure first, before putting it into the surrounding structure? I feel like this would be too much. > > 3. CMS Data can be used to wrap the privateKey. > a) This is optional, but it might be useful to wrap the payloads. > b) If you choose to add a CMS Data layer, also wrap it with CMS ContentInfo > like in point #2. [Bro] As described, I do mandate to use the contentType id-data for the privateKey. > > > > References: > > I based my feedback on SCEP pkiMessage format from Gutmann SCEP draft 14. > SCEP is a lightweight enrollment protocol with similar goals to lightweight CMP > profile draft. > > Gutmann SCEP draft 14 does a good job of explaining the structure of its secure > pkiMessage format with different layers of ContentInfo, SignedData, > EnvelopedData, and Data. > > - > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf. > org%2Fhtml%2Fdraft-gutmann-scep-14%23page- > 13&data=02%7C01%7Chendrik.brockhaus%40siemens.com%7C4c12326f0f > 9e4680fdcf08d7784c8cfc%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C1 > %7C637110142482661729&sdata=G4zoSgXCHDD2zJUDNwo268Gdsp6teT > MPt10647UrXCI%3D&reserved=0 (June 9 2019) > > Gutmann inherited this message format from Nourse SCEP draft 23. However, > Gutmann does a much better job showing and explaining the structure, so use > the Gutmann reference. > > - > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf. > org%2Fhtml%2Fdraft-nourse-scep-23%23section- > 3&data=02%7C01%7Chendrik.brockhaus%40siemens.com%7C4c12326f0f9 > e4680fdcf08d7784c8cfc%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C1% > 7C637110142482671723&sdata=h3lJnuPkm8nRdndj0Wb7ptKIAsngK8EG%2 > FrRdBqRuALQ%3D&reserved=0 (September 2011) > > Here is a compact summary of the SCEP pkiMessage format. SCEP uses it for > requests and responses. > > - SCEP's pkiMessage = > ContentInfo[SignedData[ContentInfo[EnvelopedData[ContentInfo[Data[payload] > ]]]]] > > > Summary: > > Ignore SCEP payload formats since they are not applicable. Optionally use the > same CMS Data layer. Definitely put SignedData first, and consider adding > ContentInfo wrappers for all CMS layers. > > Thank you, > Justin Cranford > Prin Software Developer > Entrust Datacard > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf. > org%2Fmailman%2Flistinfo%2Fspasm&data=02%7C01%7Chendrik.brockha > us%40siemens.com%7C4c12326f0f9e4680fdcf08d7784c8cfc%7C38ae3bcd9579 > 4fd4addab42e1495d55a%7C1%7C1%7C637110142482671723&sdata=LU4 > UFLDKg4Lru40ZcmdYvk%2BCXPkS4UkfoA59cp8aFNg%3D&reserved=0
- [lamps] Feedback on figure 3 in draft-brockhaus-l… Justin Cranford
- Re: [lamps] Feedback on figure 3 in draft-brockha… Brockhaus, Hendrik