Re: [lamps] Proposal for PBMAC1 in PKCS#12
Hubert Kario <hkario@redhat.com> Thu, 30 June 2022 10:27 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7C3FC14CF10 for <spasm@ietfa.amsl.com>; Thu, 30 Jun 2022 03:27:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.854
X-Spam-Level:
X-Spam-Status: No, score=-7.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.745, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hgJV8cg0FLht for <spasm@ietfa.amsl.com>; Thu, 30 Jun 2022 03:27:39 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30DAAC14F73B for <spasm@ietf.org>; Thu, 30 Jun 2022 03:27:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1656584858; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=G4t1s0fGtkRRpwsro3q6MxIPwGAAAh4S9h8su2B4Qns=; b=Po7YsyOx9FcwJZi9oCRGCUZNSBP7Ve1WXl+gUPvTf9Lv5rV/V7GMBBNuGFUgOIBvF4+rYf kfhkFNWf8Jewr1XZQ5FkoVsHhfqS/4wQIVqBZwOMJsJFdUkx5BH74Z8fm+zlWVwNGMxbM/ M7SGz3gscTlDNP8nkeen12TUdsYJtjI=
Received: from mail-ed1-f72.google.com (mail-ed1-f72.google.com [209.85.208.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-82-nygmL7HSPW61uj5eCRU2Tg-1; Thu, 30 Jun 2022 06:27:36 -0400
X-MC-Unique: nygmL7HSPW61uj5eCRU2Tg-1
Received: by mail-ed1-f72.google.com with SMTP id z19-20020a05640240d300b00437633081abso12271475edb.0 for <spasm@ietf.org>; Thu, 30 Jun 2022 03:27:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:mime-version:message-id :in-reply-to:references:organization:user-agent :content-transfer-encoding; bh=DmcCFIBDXbw3oOQrJR82+ej4qxLW0BWs+h5DMMAXiSc=; b=w6jA7rYYqLrPAu80HLC25knf5Qe6pgyf5gOFIsIY07kgmpk5SaoRZq3Pp46M7jS/97 SP2KmpGcAhF20e6Up1DAcjGfXZ/6ia+NDeQkPu5kabcVmRJ8Lze6RGd/wNFFteYLYUJ5 qk0eGHWm9hG4Ch6JRMiYtnSQ0GleL8IO+ZPmP1y9uza3xxpwL7pTGDoUZSo7Fi+Z2Tob nG40hy5BPg7BrjZ52saYGbf7JicF5/LBHFv/ak/v1kPzgmi5O0rtnAcg92babaQjapsK hlSfpg1f6Hv0RBMJIhmXoZ9sUMR4RZen9qWCvXKFcZMB003cYR9hnlWKO85GUpbhi7rx ukVg==
X-Gm-Message-State: AJIora86avrIf9xONA33nzPC70/kISdauc6WQGPaJ5eG61jwKW8iBG22 5M9qaBMMb9l2vN717jmDQ2Y0/15v5AQPRjRc2C47U/dDp80M/B25T3z7gtsP/i6vzRotVrHAGUx pxcB/Qw==
X-Received: by 2002:a17:906:7ac2:b0:726:38e0:4e7d with SMTP id k2-20020a1709067ac200b0072638e04e7dmr8436537ejo.236.1656584855669; Thu, 30 Jun 2022 03:27:35 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1vA6N4VqUhMabCsO71H088WWwIXZMQg6yLxT0AiSYAOdZi41Kf0UoyEsE21nCd3yfySBA97lw==
X-Received: by 2002:a17:906:7ac2:b0:726:38e0:4e7d with SMTP id k2-20020a1709067ac200b0072638e04e7dmr8436516ejo.236.1656584855366; Thu, 30 Jun 2022 03:27:35 -0700 (PDT)
Received: from localhost (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id lo17-20020a170906fa1100b0072696b3a327sm6130071ejb.187.2022.06.30.03.27.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Jun 2022 03:27:35 -0700 (PDT)
From: Hubert Kario <hkario@redhat.com>
To: Jonathan Hammell <jfhamme.cccs@gmail.com>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
Date: Thu, 30 Jun 2022 12:27:33 +0200
MIME-Version: 1.0
Message-ID: <ecd0241a-94ed-4a9f-afba-6a9dab1cd46c@redhat.com>
In-Reply-To: <CALhKWgi-V_M0_v3T=vRPcu3OBKJKCKK6vRNiUkvbH7h4xN4Mvw@mail.gmail.com>
References: <c282cba9-f6ae-4412-8e93-0810cffb16f2@redhat.com> <99D0A4AF-89CF-467A-A934-9144636B6A17@vigilsec.com> <ec537743-cf16-42e0-a266-856c03f002fa@redhat.com> <6D67B402-3E26-43EB-8EBD-7155E429CA01@vigilsec.com> <CALhKWgiA5Cq9i--QAVqVgDPSRaFX=cgQeBkw_xXd3=4AwG2e0A@mail.gmail.com> <be5d9d2b-2c3f-4a25-9b16-8212043f5373@redhat.com> <CALhKWgi-V_M0_v3T=vRPcu3OBKJKCKK6vRNiUkvbH7h4xN4Mvw@mail.gmail.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.2; xcb; Linux; Fedora release 34 (Thirty Four)
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=hkario@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Uw8tIrFvp2Bm34fncnvaZgS8j4w>
Subject: Re: [lamps] Proposal for PBMAC1 in PKCS#12
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2022 10:27:39 -0000
On Wednesday, 29 June 2022 22:50:46 CEST, Jonathan Hammell wrote: > Hi Hubert, > > On Tue, Jun 28, 2022 at 2:48 PM Hubert Kario <hkario@redhat.com> wrote: >> More specifically, I was thinking of something like >> >> EncryptedPrivateKeyInfo ::= SEQUENCE { >> encryptionAlgorithm EncryptionAlgorithmIdentifier, >> encryptedData EncryptedData, >> hmacAlgorithm HmacAlgorithmIdentifier, ... > > If you were to do that, you may not want to be specific to HMAC (e.g. > CMAC or KMAC could be used) and you may want to make the MAC fields > optional: > > EncryptedPrivateKeyInfo ::= SEQUENCE { > encryptionAlgorithm EncryptionAlgorithmIdentifier, > encryptedData EncryptedData, > macAlgorithm [0] IMPLICIT > MessageAuthenticationCodeAlgorithmIdentifier OPTIONAL, > macData [1] IMPLICIT MessageAuthenticationCode OPTIONAL} > > where MessageAuthenticationCodeAlgorithm and MessageAuthenticationCode > are defined in RFC 5652. However, if macAlgorithm and macData are > provided, legacy clients would likely bork on the ASN.1 parsing since > there was no extension marker in the original SEQUENCE. precisely >> While PBES2 does allow for AES-GCM, to our knowledge, NIST does not allow >> use of AES-GCM for protection of key data, at least not in the way it's >> defined for use inside PBES2. > > Indeed, in that case you may actually want to use AES Key Wrap (RFC > 5649). It has implicit integrity protection, thus still avoiding > changes to PKCS #8 or PKCS #12. True, though support for it is also limited (I know of no software package that supports it). The other problem is that also means that such file would need to drop the mac section, which also many tools don't like... >> Secondly, no popular open source cryptographic library implements AES-GCM >> support inside PKCS#12. So such files would be completely unreadable >> by all but the newest implementations. > > I'm curious how many of these legacy implementations would allow you > to ignore PBMAC1 integrity protection and decrypt the key. And even > if it did, would no integrity protection not be worse than the legacy > password integrity mode? As I've said, OpenSSL does, now. Which means that even if some application or appliance doesn't, it wouldn't be hard to convert PBMAC1 PKCS#12 to legacy PKCS#12 file. Also, implementing a similar switch in any library should be fairly simple... Similarly, I'd expect implementation/addition of PBMAC1 support to be easier than introducing AES key wrap, so compatibility for PBMAC1 solution is likely to be higher overall. -- Regards, Hubert Kario Principal Quality Engineer, RHEL Crypto team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [lamps] Proposal for PBMAC1 in PKCS#12 Hubert Kario
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Russ Housley
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Hubert Kario
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Russ Housley
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Jonathan Hammell
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Hubert Kario
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Jonathan Hammell
- Re: [lamps] Proposal for PBMAC1 in PKCS#12 Hubert Kario
- Re: [lamps] [EXTERNAL] Proposal for PBMAC1 in PKC… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Proposal for PBMAC1 in PKC… Hubert Kario