Re: [lamps] [EXTERNAL] Murray Kucherawy's No Objection on draft-ietf-lamps-cms-kemri-08: (with COMMENT)
Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 07 March 2024 16:19 UTC
Return-Path: <Mike.Ounsworth@entrust.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72BC4C180B5B; Thu, 7 Mar 2024 08:19:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=entrust.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KGQA8RT4Y55C; Thu, 7 Mar 2024 08:19:36 -0800 (PST)
Received: from mx07-0015a003.pphosted.com (mx07-0015a003.pphosted.com [185.132.183.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC912C151071; Thu, 7 Mar 2024 08:19:35 -0800 (PST)
Received: from pps.filterd (m0242864.ppops.net [127.0.0.1]) by mx08-0015a003.pphosted.com (8.17.1.24/8.17.1.24) with ESMTP id 427Ec3Jh000930; Thu, 7 Mar 2024 10:19:27 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=entrust.com; h= from:to:cc:subject:date:message-id:references:in-reply-to :content-type:mime-version; s=mail1; bh=FGZgOQFmYBbAHa51Wp8z1Cpm Gen0mKx8kiozsUVPZEI=; b=BM9x7YLNtKYmwQfyaaUsDpEJUJPXizDVgvc9/avP dgGOI2npEWC9iP74PnXxUOUxn9JdPhczQA9X5Z7uP6Ze/oRs/1S7sibvrLbJc3sz TiYIp/F4jcfL0SDj2bsdTFNoPpJjvretRxLv58F7U/qQ+/p/kh91RyRQfM3pLPp9 8r4IngAczVOb2Gb2dFpxuaI9nOAVG5K3gQ8V73irR4uUf63AghtB3KrCITQufZLQ RKaYZSFgRFc13gCbWb+Ogq4tZ/sdPaKBaP4AAqhJFEKfrdGq+3aCkC2RpJCyIwqA um4S7UApXOJRwvarJWFdz4fo0RgGN4Ff7O9OZtY+gSnvdA==
Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2100.outbound.protection.outlook.com [104.47.55.100]) by mx08-0015a003.pphosted.com (PPS) with ESMTPS id 3wm1p4the1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 07 Mar 2024 10:19:26 -0600 (CST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SvnOLwsPpp3G2twJ6DQvZK872Py1SrzxNBPg1iblSAsDliDzLSmJxvtqo2pXwKnS8F+J1T3+htUVbQAYR86Xk/nQBNkrEpes80irN3/ml4KNWObh7I4zlN5LuH9UtVwXP+FFE3BI020BWhhORiY21TE/orks5v9WTfVG+xYr26cUiJPCEQdqcreM1Eg6ouKGkb05BlkoJFHHpgTENFtUWPvtxPtpk7s3O3zuBZt4e2EStAmJ8s0zNSKGxJTdTR+3CGGPXSnH34xJUWTqjky/qgN6c6IXKZOIXcJfb9afkZo8dXWoxlCki5t7+hITSxUfyWSQZv94SPFWWSUkaT7Ubg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=czfRpcAaczoYhBfw+F66NCtAKnoWcK+7GbWhIapUmdM=; b=iuJZwniO3M8UPqompVqcQh7yN3wzI4/gp5pSebWBUfHX2cvq4JkrJvYqwy5dRGJTOYeK0/uKhAP4f/EiKoxfER6GG4xHsrmuo4tY0ecLJHksiU+cJ5JsKpF5m95XJmQz3X2nGLND0UV36fjnjpmU+lGwQRCfNnxJnj6aF0sCvesSyC73CR7U47NfofUwX/YUV44DRoajWLX9RXtdzu3iWeEVJjWXhG1XdNfxjcWU9n7JnAjfgeQhY4OXSDun5SMX6MDAUewZr30qVHGgbW56D04G2vL2HjeNRghWCk/BsP6mYfZjyx8BsPhldUwhqfXwmiNDZOTUZ/YJCPBWqPKMlw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=entrust.com; dmarc=pass action=none header.from=entrust.com; dkim=pass header.d=entrust.com; arc=none
Received: from CH0PR11MB5739.namprd11.prod.outlook.com (2603:10b6:610:100::20) by PH7PR11MB5794.namprd11.prod.outlook.com (2603:10b6:510:131::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7386.9; Thu, 7 Mar 2024 16:19:18 +0000
Received: from CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::e3f0:78e1:48fc:8a03]) by CH0PR11MB5739.namprd11.prod.outlook.com ([fe80::e3f0:78e1:48fc:8a03%3]) with mapi id 15.20.7386.006; Thu, 7 Mar 2024 16:19:17 +0000
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Orie Steele <orie@transmute.industries>, Russ Housley <housley@vigilsec.com>
CC: Murray Kucherawy <superuser@gmail.com>, The IESG <iesg@ietf.org>, "draft-ietf-lamps-cms-kemri@ietf.org" <draft-ietf-lamps-cms-kemri@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "tim.hollebeek@digicert.com" <tim.hollebeek@digicert.com>, "corey.bonnell@digicert.com" <corey.bonnell@digicert.com>
Thread-Topic: [EXTERNAL] [lamps] Murray Kucherawy's No Objection on draft-ietf-lamps-cms-kemri-08: (with COMMENT)
Thread-Index: AQHacF9ucMJ9a3U8702ARUSTncP2e7EsXy/wgAAHIwCAAAoEIA==
Date: Thu, 07 Mar 2024 16:19:17 +0000
Message-ID: <CH0PR11MB57395334161F937085858A549F202@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <170979580187.63516.11101857365652932121@ietfa.amsl.com> <CH0PR11MB5739C6B07D229865D3072AC09F202@CH0PR11MB5739.namprd11.prod.outlook.com> <CAN8C-_+xsF1HdFdCDzWnAKmBymu+ZYmg5iR-T-qib16QT=UjEg@mail.gmail.com>
In-Reply-To: <CAN8C-_+xsF1HdFdCDzWnAKmBymu+ZYmg5iR-T-qib16QT=UjEg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-Mentions: housley@vigilsec.com
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR11MB5739:EE_|PH7PR11MB5794:EE_
x-ms-office365-filtering-correlation-id: df3c9ae8-1f46-452b-d43c-08dc3ec25664
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: n0ajTAUL7LXTbLeRlFJ7mgwW3Q+Ijuq0wQP1FjOhEvIEaediovKSxZdH/aL1syxBdELz8T3uXziGP805+PK4BakYdD7mlM848icaoP2Hld5DmL6N9EOQ8D/0NNqWlQK7V78T3DK11XRownrHShP5EvDlvX6s24bm3ZvbTJtAxOaoTAl60GCiV0nUxAP/B4DSNEmcBHFguCzeuMlV28HG6VolpTT3Dr59xpWP0cjKER/GTqB4l/17QhQKwXDXJ1Xr6uIg32QwSpkowV1y8LmoHtfc49eniq+OwiW2Ag2eX/qBbBUBELQ98HWVRV2MWWmBs28iThF0IVQbZJeRq/jgcgJpiTCnuLxwxXeh24pk7tjHGRi0XxxpbzCZVZuAjw7BhzSDlF2j3skr045Dz9AjNlXhQ401oZrgclQH6IzAt6EpKk52P9W6x+6jBr9Zmsf876GUXKnJcUaujkCRFopXQrSTmdo1ivh3PwzsR5yGBs8nvO2iIx8yO3mNb/vHJAjWeygvsA3A1qq5EMDPyCYeDejS/9ZO6CRz1btj1c0SXS5JDwITIVGglwTC9zRmHfKna7C6wxnFGZJLTmkcNayB9/OlOGDEGH6tqUmpCUdqZudigHuQAy83RNo/8MlTPfdckyF/XwzjmKmjjbbt3B9qz5I6Q6IGm/PclMoJY2qUKKE7OgmlAlI09IW6kYpa/NOV
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR11MB5739.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376005)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: ETSVh2lYyp8e3JK+4WT1Z3lLDwihVjWQb+u1HTvWOw1oxa2MDAlbZUpqau9/rKuQ7NJO9RWS8bJjl/iFcHtzKU8HyW7pv7p4edmL7t+Fflg7zAVnTvm2UeaXmj7bloulZEfPEBdI2By8SZtfiwHd7CbhuByIi8wrd0vcctdbFXgPvLitLoP2O0maMWD14LLauoLUd97/pHW+28AXuYQk7CGbftNATIN92rh5kI6NfLEWR1DM7Gnl74XzlH+IaoDDvYFUS0g/zccMcDGN3Ao+3/nzeeJ9s43h8lddUrn2isxu85lzoTMkczTVp1J8Bs9s/T8T7lea+skjPOBql0YSOo+VjSmz45nQz4xBysH2BWpA3OjTGquoeIaCB+zhEDR4OYV7ejH1OKQLj33sBDTK9mtCcHZYX6fhQVts34zRIa3H9EN+wRKpci8T/Jegeze0YDPlf0xuV0UT9JofMkP8Qvkp+zcsVcl3/O92vJjO9+HOuayz20qxp0+uYLq0/ocNK8k0Smck/gLiUTwRufV11b0MgfR/GVeRYdFzW6ITXeujvEs0xqGF8t/QjJLPyQNPxWiO0XXEhYUZoARtW/N+M8cM1WDnNIxn4uTUL1r+vKd4HlJiKSVNzABOzwWzM+VdLNiYu7mfbrUWCQTOUzm/9ycUxG9kMlRSEEssjHaU1cFXfN+0d/4aQ+bUJVAkMiLCvlp8impCZgYReCc+Wv4VqgSB+p7Xgy1s6FF2x+Aa+QO0CoOiPyShLKwZjOR59m3l7sWD3jh5dUVgcZKfGsik4+N4xgPc61R4XFZj5RMIH4HB9bMb1mV3IvIfsDlU8apmcO/QwnL3anHcae3y5R7fuBq4oxWpkB9jHukbmhHQZ3n0IyS5SbeXcrJoTB2uMRmYinqIU6qjVvazkk7pfqbwu/mA6r4sxxEZzm+DNbz7ipL3QANbNBv4ZzmcsBPPEU+rWyGAvLkH9nwkOYOxWpYiS8qDQWC7crPioBlI2Fz6e0HjCHjkQDEuK7l2FgevF0dAIWaO96NZU/KPyE+V3vL/7I/Qq4j+wdxOQPOXPlvwXE6VQJpKGWqDe67GhhHtjQhDpniAxZuwJF38nx/o0D+MUAjGCC9NkA4CxNazxhSmuaU9rFn9qROFSXczm9MXKs+VDNBWHdz/hCRG9eE+m2dwJ5Mr8VnjNOMICm6tWo8nAeE5Tba0dVPUjzD3V/PYvBHrgUuWLQBAGMKtL0IxQWCFJsed171YPy7uzN+NcjgBo+EFthInw1dm3GdGVScteys9cgq/yn7bkv+UL/VkYUcpZFkgTD0M9GhKvlFMCtN3baRbHrZ4lvUdapfqdoNV1h/uk++ccuhKm5fcTj7KCFNTREny1vKYQ3xH/PNYZsPZGa4IRn8kqcd8hQF4Nu7XCEkiV8S+35gPm1wCBZjAF93DNKG4zL6p9BQOf0PPLMwaHbUXQ+qe6vtvbHtIUiiB3WHhBcE6VA2f0KnN8ABQ8LHtB0IOwlVEiRKzWfnwYNVxen/6vTXmCxvC/rs6tNWQOXJ+jGRVb4Wj215WXULBBoEshQx5HlZnginJHd2DdLPhpJb4ee20NeXH8v6+bSUNaaQs
Content-Type: multipart/signed; micalg="2.16.840.1.101.3.4.2.1"; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_04B6_01DA7078.E7FC77C0"
MIME-Version: 1.0
X-OriginatorOrg: entrust.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR11MB5739.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: df3c9ae8-1f46-452b-d43c-08dc3ec25664
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Mar 2024 16:19:17.3410 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f46cf439-27ef-4acf-a800-15072bb7ddc1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: xYZ2rEePlG1RW2jE3lFdX+gqxTSOP1KmbxIVuZA1HcvG+yavGHKUSPDdz3nSXUTxL8/Kk9pUauhJr4FOrweDkbDPrraWrCa7uMqifYHcx9c=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR11MB5794
X-Proofpoint-ORIG-GUID: e18zZaE5vEreLUJI2ptP5fQzL391fpLT
X-Proofpoint-GUID: e18zZaE5vEreLUJI2ptP5fQzL391fpLT
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-07_12,2024-03-06_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 impostorscore=0 priorityscore=1501 spamscore=0 malwarescore=0 mlxlogscore=999 mlxscore=0 adultscore=0 bulkscore=0 lowpriorityscore=0 phishscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2402120000 definitions=main-2403070112
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/PkQ75UqAKlKHmU_treu1zs5scng>
Subject: Re: [lamps] [EXTERNAL] Murray Kucherawy's No Objection on draft-ietf-lamps-cms-kemri-08: (with COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2024 16:19:41 -0000
Hi Orie,
Ok, that’s clearer. I’m following now.
You’re referring to this line in draft-ietf-lamps-cms-cek-hkdf-sha256:
“””
Providing the object identifier as an inout to the key derivation function is sufficient to mitigate the attack described in [RS2023], but this mitigation includes both the object identifier and the parameters to protect against some yet-to-be-discovered attack that only manipulates the parameters.
“””
draft-kemri does require that this structure is input to the KDF:
CMSORIforKEMOtherInfo ::= SEQUENCE {
wrap KeyEncryptionAlgorithmIdentifier,
kekLength INTEGER (1..65535),
ukm [0] EXPLICIT UserKeyingMaterial OPTIONAL }
therefore the KeyEncryptionAlgorithmIdentifier is bound.
I would have to do a deeper dive, but I think your attack gets at the existing CMS (RFC5652) behaviour of EnvelopedData to retrieve the CEK / CAEK from the RecipientInfo and use it, without performing a KDF in between. So *I think* your concern is outside the scope of KEMRecipientInfo, and would apply equally to KeyTransRecipientInfo (RSA), KeyAgreeRecipientInfo (DH / ECDH), etc. Also, in practice there is often the mitigation that EnvelopedData (ie content encrypted for the recipient’s public key) is inside a SignedData (ie content signed by the sender’s public key), which prevent manipulation of AlgorithmIDs.
By the way <mailto:housley@vigilsec.com> @Russ Housley: typo in the Security Considerations: “Providing the object identifier as an *inout* to the key derivation”
---
Mike Ounsworth
From: Orie Steele <orie@transmute.industries>
Sent: Thursday, March 7, 2024 9:24 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Murray Kucherawy <superuser@gmail.com>; The IESG <iesg@ietf.org>; draft-ietf-lamps-cms-kemri@ietf.org; lamps-chairs@ietf.org; spasm@ietf.org; tim.hollebeek@digicert.com; corey.bonnell@digicert.com
Subject: Re: [EXTERNAL] [lamps] Murray Kucherawy's No Objection on draft-ietf-lamps-cms-kemri-08: (with COMMENT)
Hey Mike, I'm not a CMS expert, I'll refine the possible attack, and if my refinement still doesn't convince anyone it's possible, I'm happy to have displayed my ignorance so publicly : ) Let's imagine a scenario where
Hey Mike,
I'm not a CMS expert, I'll refine the possible attack, and if my refinement still doesn't convince anyone it's possible, I'm happy to have displayed my ignorance so publicly : )
Let's imagine a scenario where you have content encrypted with AES-GCM, and the CEK is encrypted to multiple recipients.
The attacker knows one of the recipients supports AES-CBC, and changes the content encryption algorithm to AES-CBC, hoping the recipient will leak leaks part of the AES-GCM key per, the attack described in https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-cek-hkdf-sha256/ <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-lamps-cms-cek-hkdf-sha256/__;!!FJ-Y8qCqXTj2!bknDRONSifkqrpK7aSwhF_Qlqx0Uue19D0cYkIhEOZ3Tg_la8N3aa_JNgA6fVlh247-I1YVjg1JptTk8wEoHsBzAoak$>
When you have direct encryption, the KDF can bind the context of the content encryption algorithm.
When you have wrap encryption, that is still possible, but you need to know more than just "this is a wrapped key", you would need to know "this is a wrapped key for AES-GCM".
There are other possible mitigations depending on the constructions used, for KEMs "info" seems to be where that binding would take place.
This is possibly an issue in COSE with -29, <https://urldefense.com/v3/__https:/www.iana.org/assignments/cose/cose.xhtml*key-type__;Iw!!FJ-Y8qCqXTj2!bknDRONSifkqrpK7aSwhF_Qlqx0Uue19D0cYkIhEOZ3Tg_la8N3aa_JNgA6fVlh247-I1YVjg1JptTk8wEoHD4ww1TA$> https://www.iana.org/assignments/cose/cose.xhtml#key-type, because -29 only commits to "A128KW" in the KDF... it does not commit to "and then use that key with AES-GCM", hence: https://www.rfc-editor.org/rfc/rfc9459.html#section-8 <https://urldefense.com/v3/__https:/www.rfc-editor.org/rfc/rfc9459.html*section-8__;Iw!!FJ-Y8qCqXTj2!bknDRONSifkqrpK7aSwhF_Qlqx0Uue19D0cYkIhEOZ3Tg_la8N3aa_JNgA6fVlh247-I1YVjg1JptTk8wEoHtR4YN7Y$>
We want an attacker changing the content encryption algorithm to fail closed, I am unsure if that property is achieved in the document, based on my inexperience with CMS.
OS
On Thu, Mar 7, 2024 at 9:12 AM Mike Ounsworth <Mike.Ounsworth@entrust.com <mailto:Mike.Ounsworth@entrust.com> > wrote:
Hi <mailto:orie@transmute.industries> @Orie Steele
I am intrigued by your comments, but I don’t fully understand them.
My understanding:
CMS has some data payload to encrypt. The sender will generate a random CEK or CAEK. It will encrypt the payload with AES-CBC or AES-GCM. So far this is all basic CMS RFC5652 behaviour. The KEMRI draft adds the ability to protect the CEK or CAEK for one or more recipients’ KEM certificate – more than one recipient is for things like email with more than one person in the TO: field, so you encrypt the CEK / CAEK multiple times rather than encrypting the entire payload multiple times.
So with that understanding, I don’t think I follow your comments.
The payload will be encrypted once, with either AES-CBC or AES-GCM, with a unique key per payload. I don’t see where cross-mode attacks are introduced.
The CMS headers will specify both the KeyEncryptionAlgorithmIdentifier (inside KEMRecipientInfo), and ContentEncryptionAlgorithmIdentifier (inside EncryptedContentInfo). If those specify that, for example, the payload was encrypted with ContentEncryptionAlgorithmIdentifier = AES-CBC, and the CEK was encrypted with KeyEncryptionAlgorithmIdentifier = AES-GCM. I don’t see how you get an attack here.
---
Mike Ounsworth
From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org> > On Behalf Of Murray Kucherawy via Datatracker
Sent: Thursday, March 7, 2024 1:17 AM
To: The IESG <iesg@ietf.org <mailto:iesg@ietf.org> >
Cc: draft-ietf-lamps-cms-kemri@ietf.org <mailto:draft-ietf-lamps-cms-kemri@ietf.org> ; lamps-chairs@ietf.org <mailto:lamps-chairs@ietf.org> ; spasm@ietf.org <mailto:spasm@ietf.org> ; tim.hollebeek@digicert.com <mailto:tim.hollebeek@digicert.com> ; corey.bonnell@digicert.com <mailto:corey.bonnell@digicert.com>
Subject: [EXTERNAL] [lamps] Murray Kucherawy's No Objection on draft-ietf-lamps-cms-kemri-08: (with COMMENT)
Murray Kucherawy has entered the following ballot position for draft-ietf-lamps-cms-kemri-08: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to
Murray Kucherawy has entered the following ballot position for
draft-ietf-lamps-cms-kemri-08: No Objection
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please refer to https://urldefense.com/v3/__https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxS-023Peg$ <https://urldefense.com/v3/__https:/www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxS-023Peg$>
for more information about how to handle DISCUSS and COMMENT positions.
The document, along with other ballot positions, can be found here:
https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-kemri/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxSZn3FNhw$ <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-lamps-cms-kemri/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxSZn3FNhw$>
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
===
>From Orie Steele, incoming ART Area Director:
Thanks to Sean Turner for the ARTART review, and the PR.
The security considerations mentions both AES-GCM and AES-CBC.
Is there a need to comment on binding the CEK or CAEK to a specific symmetric
encryption algorithm, similar to:
https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-housley-lamps-cms-cek-hkdf-sha256/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxQa702bBQ$ <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-housley-lamps-cms-cek-hkdf-sha256/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxQa702bBQ$>
Or the algorithm integrity protection comments in:
https://urldefense.com/v3/__https://www.rfc-editor.org/rfc/rfc9459.html*section-8__;Iw!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxQbrRdCPw$ <https://urldefense.com/v3/__https:/www.rfc-editor.org/rfc/rfc9459.html*section-8__;Iw!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxQbrRdCPw$>
I am concerned about how cross mode attacks are or are not mitigated by this
document, but I lack the CMS experience to be able to compare the security
properties to COSE.
"""
In this environment, security depends on three things. First, the KEM algorithm
must be secure against adaptive chosen ciphertext attacks. Second, the
key-encryption algorithm must provide confidentiality and integrity protection.
Third, the choices of the KDF and the key-encryption algorithm need to provide
the same level of security as the KEM algorithm. """
It seems like there is possibly a missing criteria that assures that the same
content encryption algorithm is used on both sides of the KEM interface, after
the CEK or CAEK is decrypted?
_______________________________________________
Spasm mailing list
Spasm@ietf.org <mailto:Spasm@ietf.org>
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxT8KnKO4w$ <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxT8KnKO4w$>
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://urldefense.com/v3/__http:/www.transmute.industries__;!!FJ-Y8qCqXTj2!bknDRONSifkqrpK7aSwhF_Qlqx0Uue19D0cYkIhEOZ3Tg_la8N3aa_JNgA6fVlh247-I1YVjg1JptTk8wEoHvq1SOLw$>
<https://urldefense.com/v3/__https:/transmute.industries__;!!FJ-Y8qCqXTj2!bknDRONSifkqrpK7aSwhF_Qlqx0Uue19D0cYkIhEOZ3Tg_la8N3aa_JNgA6fVlh247-I1YVjg1JptTk8wEoH-xG9YvE$>
- [lamps] Murray Kucherawy's No Objection on draft-… Murray Kucherawy via Datatracker
- Re: [lamps] [EXTERNAL] Murray Kucherawy's No Obje… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Murray Kucherawy's No Obje… Orie Steele
- Re: [lamps] [EXTERNAL] Murray Kucherawy's No Obje… Mike Ounsworth
- Re: [lamps] Murray Kucherawy's No Objection on dr… Russ Housley
- Re: [lamps] Murray Kucherawy's No Objection on dr… Orie Steele