IETF Logo Mail Archive

Re: [lamps] Problems with the current ALGORITHM information object class

Erik Andersen <era@x500.eu> Tue, 12 May 2020 12:57 UTC

Return-Path: <era@x500.eu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE9AC3A0899 for <spasm@ietfa.amsl.com>; Tue, 12 May 2020 05:57:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.696
X-Spam-Level:
X-Spam-Status: No, score=-1.696 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=x500.eu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5iDrG3GYtQ8m for <spasm@ietfa.amsl.com>; Tue, 12 May 2020 05:57:10 -0700 (PDT)
Received: from outscan1.mf.dandomain.dk (outscan1.mf.dandomain.dk [212.237.249.58]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADE8D3A08C4 for <spasm@ietf.org>; Tue, 12 May 2020 05:57:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by outscan1.mf.dandomain.dk (Postfix) with ESMTP id 3724D4068ABC for <spasm@ietf.org>; Tue, 12 May 2020 14:57:06 +0200 (CEST)
Received: from outscan1.mf.dandomain.dk ([127.0.0.1]) by localhost (outscan1.mf.dandomain.dk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kInOvkyc-E4e for <spasm@ietf.org>; Tue, 12 May 2020 14:57:04 +0200 (CEST)
Received: from mail-proxy.dandomain.dk (dilvs03.dandomain.net [194.150.112.64]) by outscan1.mf.dandomain.dk (Postfix) with ESMTPA id B4BC84068AAA for <spasm@ietf.org>; Tue, 12 May 2020 14:57:04 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=x500.eu; s=dandomain; t=1589288224; bh=eDxglXav4zWnYUrOpOfVtuWyIfr4sZAUZSpsaAo1vLg=; h=From:To:References:In-Reply-To:Subject:Date:From; b=ncyIzwTwXiQNomC+ivZUv4eYpvSnMDwjUuhiyewRuwM5uW+Pxw3NiArDu/DeABJCs LYA+R1gTpbUcZl/Qpoty0zVTYi973alhNnDG9NIOpZPrF0RWY1WeLz9zU/pC7F5K2l weMG8NOh3+US5hABk0tAG26eFdJ89v1DRGJzu3fDA6q6zAAJJsB8QlLY9ZqWNeZp2E 5bPSyfxOokBzlsm4xlzqmrcSym4ahg1jUZ0sTW2ohLBkj/4BE+49sF6MqefAauBzZa NMYWfyM/RSHazxfE1GjdSBXPOAPrKI7OLRbyhis2rPkpmH62LTEgdnST5dnUvjCs1v RxgVdnRmebiBA==
From: Erik Andersen <era@x500.eu>
To: LAMPS <spasm@ietf.org>
References: <000001d62762$8385a360$8a90ea20$@x500.eu> <97737DBD-54DB-4336-A387-E22C59E78B11@vigilsec.com>
In-Reply-To: <97737DBD-54DB-4336-A387-E22C59E78B11@vigilsec.com>
Date: Tue, 12 May 2020 14:57:04 +0200
Message-ID: <001f01d6285c$d614adb0$823e0910$@x500.eu>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0020_01D6286D.999FC7A0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGsSWEsGbi5WzyRcw86Ep3rBlnkMwIwrpU6qOaVcgA=
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/TQl7-iyBUfok77m-oGTrho-ZbE4>
Subject: Re: [lamps] Problems with the current ALGORITHM information object class
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 12:57:13 -0000

Hi Russ,

 

The problem was identified when a vendor was implementing IEC 62351-4, where we were faced with the question: When negotiating e.g., symmetric key algorithm, should we just specify the OID or should we also include the parameters. The answer is that sometimes you should only use the OID and in other cases you will also need to include the parameters. In some other cases, like aes256-GCM, you shall include part of the parameter.  What do you then tell the implementor? 

 

aes256-GCM is an example with a mixture of parameters.:

 

aes256-GCM ALGORITHM ::= {

  PARMS         GCMParameters

  IDENTIFIED BY id-aes256-GCM }

 

 

GCMParameters ::= SEQUENCE {

  aes-nonce   OCTET STRING, -- recommended size is 12 octets

  aes-ICVlen  AES-GCM-ICVlen DEFAULT 12 }

 

AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)

 

An alternative algorithm should be defined as:

 

newAes256-GCM ALGORITHM ::= {

  PARMS         AES-GCM-ICVlen DEFAULT 12,

  DYN-PARMS     OCTET STRING

  IDENTIFIED BY <some other OID> }

 

Sure, there could be an interworking problem, but it can be handled. Implementations of a standard specifying the original algorithm will still interwork. Implementations of a standard specifying the modified algorithm will also interwork.

 

For the sake of IEC 62351-4 and X.510, we need a solution. We can either do it unilateral or we can find a common solution, like who defines the alternative algorithms and allocate new OIDs..

 

Erik

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: 11 May 2020 18:35
To: Erik Andersen <era@x500.eu>
Cc: LAMPS <spasm@ietf.org>
Subject: Re: [lamps] Problems with the current ALGORITHM information object class

 

If both parameter types are present, then interoperability will be gravely impacted.

 

Russ

 





On May 11, 2020, at 3:05 AM, Erik Andersen <era@x500.eu <mailto:era@x500.eu> > wrote:

 

In our work with IEC 62351-4 and X.510 we have identified a limitation with the current ALGORITHM information object class. The current definition is 

 

ALGORITHM ::= CLASS {

  &Type         OPTIONAL,

  &id           OBJECT IDENTIFIER UNIQUE }

WITH SYNTAX {

  [PARMS        &Type]

  IDENTIFIED BY &id }

 

The PARM field is used for defining parameters associated with the algorithms. However, the parameters are of two types:

 

1.       Parameters that provide additional information about the procedure to be applied according to the algorithm. An example is ecPublicKey, where the parameter value is the elliptic curve to be used. 

2.       Parameters that specified the syntax of the value to be used when the algorithm is deployed. An example is the AES algorithms that require a value of the parameter transferred together with the encrypted data.

 

This causes problems when negotiating the use of algorithms. When specifying  ecPublicKey algorithms in such negotiation, the parameter value is relevant. When specifying AES-CBC in such a negotiation, the random value of some InitializationVector is not relevant. This make algorithm negotiation cumbersome.

 

We have therefore suggested to extend the ALGORITHM information object class in the following way.

 

ALGORITHM ::= CLASS {

  &Type         OPTIONAL,

  &DynParms     OPTIONAL,

  &id           OBJECT IDENTIFIER UNIQUE }

WITH SYNTAX {

  [PARMS        &Type]

  [DYN-PARMS    &DynParms]

  IDENTIFIED BY &id }

 

A suggested update to the ALGORITHM information object class is attached. It also includes three derivative parameterized data types. By using those data types it has been possible to define the wrapper protocol without “hard coding” specific algorithm details, e.g., we have avoided a specific component for an initialization vector. This has allowed different cryptographic algorithms to be used for different communication instances make life a little more difficult for adversaries.  

 

Certain algorithms have to be redefined, which could cause some negative reactions. As an example the aes256-CBC algorithm must be changed from

 

aes256-CBC ALGORITHM ::= { 

  PARMS         AES-InitializationVector

  IDENTIFIED BY { aes 42 } }

 

To 

 

aes256-CBC ALGORITHM ::= { 

  DYN-PARMS       AES-InitializationVector

  IDENTIFIED BY { <some OID> } }

 

However, most algorithms do not need to be modified.

 

The current version of X.510 may be found at  <https://www.dropbox.com/s/i7mizfvoy9uo21x/x510.docx?dl=0> https://www.dropbox.com/s/i7mizfvoy9uo21x/x510.docx?dl=0.

 

Any comments?

 

Best regards,

 

Erik

 

 

 

 

 

 

<algorithms.docx>_______________________________________________
Spasm mailing list
 <mailto:Spasm@ietf.org> Spasm@ietf.org
 <https://www.ietf.org/mailman/listinfo/spasm> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email