Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri
Carl Wallace <carl@redhoundsoftware.com> Tue, 30 January 2024 16:52 UTC
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 532B1C236E4D for <spasm@ietfa.amsl.com>; Tue, 30 Jan 2024 08:52:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DMxUPN7x6BLD for <spasm@ietfa.amsl.com>; Tue, 30 Jan 2024 08:52:15 -0800 (PST)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1968EC14CE2E for <spasm@ietf.org>; Tue, 30 Jan 2024 08:52:14 -0800 (PST)
Received: by mail-qk1-x730.google.com with SMTP id af79cd13be357-783ced0216aso296736885a.1 for <spasm@ietf.org>; Tue, 30 Jan 2024 08:52:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; t=1706633533; x=1707238333; darn=ietf.org; h=mime-version:in-reply-to:references:thread-topic:message-id:cc:to :from:subject:date:user-agent:from:to:cc:subject:date:message-id :reply-to; bh=pwyykZolIghieiC4bg+zcnfJ/2zDm03zAg1MelcBGZQ=; b=bwAuzka+NmZjl7PasEx8Ik6Ze/wuYCNOr+SpBcqexBEF6IkRA9uMqzXqVg7REAHNBq B+2P4uK+p5QWWQsKUjXst/1qxK0pqQUaApNr3Z1UWmuESOiy/0PieF2KAFA1jNNlUS0d Oy+6VIrPUgIP9rky3cVkHa1juUYiui0H5ebG8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706633533; x=1707238333; h=mime-version:in-reply-to:references:thread-topic:message-id:cc:to :from:subject:date:user-agent:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=pwyykZolIghieiC4bg+zcnfJ/2zDm03zAg1MelcBGZQ=; b=jQpotVT383Gr97BSKoY6JWQNVfPf3aJCpcls1yvwhygTslsdsOb1Jz4a0f5YToZEK7 3VWM58AMip+5xBVRzHz5MrmTH6LYm1tB7qcxUjitDLSIqr1Aj1pDGqK8GrvP+MagDvMj kA0Ek4fwDMPhYEGGgDUCiRZeYCHEjkRdcuIty1NzophSRBHLZtJ04QEvMn91TVtB/Awo sBYapzPesjlnnkOMom1Nh2AHJxlYL6eYP1OeV1IArZbDhDEO+xqjiUANfBV+khMxIFUY nouzAJ3BVoZCNm4l3W6Lt81G1VndPHa+mZ54GB9cjU4HqxZtOnQadyamPcDbZnVIdDcK YV0A==
X-Gm-Message-State: AOJu0Yxesz50bKSzKuD6MbLhjSLMqfndFLjfybtmqeBfINjrHB83GRFE p0/dZNR+GFgf3kBLhi/hZZT18bfP/UHTg5h79LP0Swwxj6ya8cpe2Ul1yGxiNR0=
X-Google-Smtp-Source: AGHT+IEQ5eTnxEfUnN6SE40vO0J+xuDl93lMW51pOMG+JA2a6TPsjNr6Me0ICj/OABXOqR7qZOrqYw==
X-Received: by 2002:ad4:5fcb:0:b0:68c:648c:bc7a with SMTP id jq11-20020ad45fcb000000b0068c648cbc7amr1346827qvb.84.1706633533337; Tue, 30 Jan 2024 08:52:13 -0800 (PST)
Received: from [192.168.4.77] (pool-96-255-232-167.washdc.fios.verizon.net. [96.255.232.167]) by smtp.gmail.com with ESMTPSA id or32-20020a05621446a000b0068189e9d3a3sm4235520qvb.112.2024.01.30.08.52.12 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Jan 2024 08:52:12 -0800 (PST)
User-Agent: Microsoft-MacOutlook/16.81.24012117
Date: Tue, 30 Jan 2024 11:52:12 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: Russ Housley <housley@vigilsec.com>, Daniel Van Geest <daniel.vangeest.ietf@gmail.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>
CC: LAMPS <spasm@ietf.org>
Message-ID: <35E24FD1-8C52-4204-89B1-822ACAD1AF5D@redhoundsoftware.com>
Thread-Topic: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri
References: <10d001da4275$84783c10$8d68b430$@gmail.com> <27CC12F8-4D7D-4C65-9587-C54C9E017E40@vigilsec.com>
In-Reply-To: <27CC12F8-4D7D-4C65-9587-C54C9E017E40@vigilsec.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3789460332_3979656448"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/L_bvnqxfq-9wrk93hOiQnKa5Adc>
Subject: Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 16:52:19 -0000
Russ and Mike, Section 5.2.1 of draft-ietf-lamps-cms-kyber-01 states the following: “If the session key obtained from the KEM algorithm is long enough to fit into the WRAP algorithm, then the KDF could be equal to the identity function.” Given this, should the kdf and kekLength fields be OPTIONAL in KEMRecipientInfo? Carl From: Spasm <spasm-bounces@ietf.org> on behalf of Russ Housley <housley@vigilsec.com> Date: Monday, January 8, 2024 at 4:02 PM To: Daniel Van Geest <daniel.vangeest.ietf@gmail.com> Cc: LAMPS <spasm@ietf.org> Subject: Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri Daniel: It can use an KDF, but I expect that most implementers will want to use the same KDF that was used internal to the KEM algorithm to keep the implementation small. Russ On Jan 8, 2024, at 3:59 PM, Daniel Van Geest <daniel.vangeest.ietf@gmail.com> wrote: I’m implementing draft-ietf-lamps-cms-kemri and have a question about the ` kdf KeyDerivationAlgorithmIdentifier` field in KEMRecipientInfo. Is it intended that any (IKM, L, info) KDF can be thrown there (respecting Security Considerations), or should the KEM-instantiating documents specify which KDFs to use with which KEMs. e.g. draft-ietf-lamps-cms-kyber should specify to use id-alg-hkdf-with-sha256 with Kyber512, id-alg-hkdf-with-sha384 with Kyber768 and id-alg-hkdf-with-sha512 with Kyber1024? If they should do this, should the kdf field for KEMRecipientInfo be parameterized by allowed KDF ids (or whatever the right ANS.1 terminology is)? KEMRecipientInfo ::= SEQUENCE { … kdf KeyDerivationAlgorithmIdentifier{KEY-DERIVATION, KEMRIKeyDevAlgs}, … } KEMRIKeyDevAlgs KEY-DERIVATION ::= {kda-hkdf-with-sha256, kda-hkdf-with-sha384, kda-hkdf-with-sha512, …} And KEM instantiating docs can add to KeyDevAlgs if needed. Thanks, Daniel _______________________________________________ Spasm mailing list Spasm@ietf.org https://www.ietf.org/mailman/listinfo/spasm _______________________________________________ Spasm mailing list Spasm@ietf.org https://www.ietf.org/mailman/listinfo/spasm
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Russ Housley
- [lamps] Key Derivation in draft-ietf-lamps-cms-ke… Daniel Van Geest
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Carl Wallace
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Daniel Van Geest
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Daniel Van Geest
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Mike Ounsworth