Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01
Russ Housley <housley@vigilsec.com> Mon, 17 September 2018 18:51 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53D16130E80 for <spasm@ietfa.amsl.com>; Mon, 17 Sep 2018 11:51:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vBIfeukWeEE6 for <spasm@ietfa.amsl.com>; Mon, 17 Sep 2018 11:51:48 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81B73120072 for <spasm@ietf.org>; Mon, 17 Sep 2018 11:51:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 4E71B300AA4 for <spasm@ietf.org>; Mon, 17 Sep 2018 14:51:46 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id vZ7eqlzE8aa7 for <spasm@ietf.org>; Mon, 17 Sep 2018 14:51:43 -0400 (EDT)
Received: from new-host-5.home (pool-71-127-50-4.washdc.fios.verizon.net [71.127.50.4]) by mail.smeinc.net (Postfix) with ESMTPSA id BC942300258; Mon, 17 Sep 2018 14:51:43 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <1F5FD70A-34B4-41EE-86A7-F1848D2B7DA8@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_718E1E0A-F163-415E-A70A-EAE7A7191337"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 17 Sep 2018 14:51:44 -0400
In-Reply-To: <e1ebcfeb9d09415bad5647a0edad73c9@XCH-ALN-010.cisco.com>
Cc: SPASM <spasm@ietf.org>
To: panos Kampanakis <pkampana@cisco.com>, Jim Schaad <ietf@augustcellars.com>, Quynh Dang <quynh.dang@nist.gov>
References: <00be01d42b65$b8452ee0$28cf8ca0$@augustcellars.com> <DM6PR09MB274668C47815881BE3159EB7F3020@DM6PR09MB2746.namprd09.prod.outlook.com> <086101d44538$2c0d47e0$8427d7a0$@augustcellars.com> <DM6PR09MB274676943D27C9D6CD80221AF3020@DM6PR09MB2746.namprd09.prod.outlook.com> <087301d44543$390807e0$ab1817a0$@augustcellars.com> <DM6PR09MB274607D636D86A71778431D7F3020@DM6PR09MB2746.namprd09.prod.outlook.com> <09C752C4-CF6C-4455-961F-6121D07B9F1A@vigilsec.com> <019201d44e9c$827ad620$87708260$@augustcellars.com> <e1ebcfeb9d09415bad5647a0edad73c9@XCH-ALN-010.cisco.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/WR5v23POO-a_esIyfN0uXbGLKM8>
Subject: Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2018 18:51:53 -0000
Quynh, Panos, and Jim: While it does look like a simple substitution, I do not think the LAMPS is the right group to make the assessment. CFRG may have people with the right skills. Russ > On Sep 17, 2018, at 2:08 PM, Panos Kampanakis (pkampana) <pkampana=40cisco.com@dmarc.ietf.org> wrote: > > I think that falls outside the scope of this spec and the LAMPS charter to be honest. > I mean, introducing a new MFG should not be taken lightly even if it is straightforward. > Panos > > From: Jim Schaad [mailto:ietf@augustcellars.com <mailto:ietf@augustcellars.com>] > Sent: Monday, September 17, 2018 11:39 AM > To: 'Russ Housley' <housley@vigilsec.com <mailto:housley@vigilsec.com>>; 'Quynh Dang' <quynh.dang@nist.gov <mailto:quynh.dang@nist.gov>>; Panos Kampanakis (pkampana) <pkampana@cisco.com <mailto:pkampana@cisco.com>> > Cc: 'SPASM' <spasm@ietf.org <mailto:spasm@ietf.org>> > Subject: RE: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01 > > Russ, > > That is not the question that I was asking. I think that replacing SHA-1 with SHAKE in the MFG function is correct. I was proposing replacing the MFG function in its entirety with a new MFG function. > > Jim > > > From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley > Sent: Monday, September 17, 2018 2:53 AM > To: Quynh Dang <quynh.dang@nist.gov <mailto:quynh.dang@nist.gov>>; Panos Kampanakis <pkampana@cisco.com <mailto:pkampana@cisco.com>> > Cc: SPASM <spasm@ietf.org <mailto:spasm@ietf.org>> > Subject: Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01 > > Here is a part of a message to resolve the WG Last Call comments on draft-ietf-lamps-cms-shakes-01 ... > > > * Message Digests - are the limits on the size only for CMS or do they apply > everywhere that the algorithm is used. If it is everywhere how do we > reconcile with the usage in RSA-PSS? > > Comment 5: Only in CMS, when a message digest is generated. For RSA-PSS, a SHAKE has 2 different output sizes for 2 different uses: hashing a message to be signed and generating a masking value in MGF 1. > [JLS] After looking at this a second time, I propose that this problem be solved by creation of a new mask generation function MGF-V. We can eliminate the counter from the operation as being un-needed and just compute the mask length and generate that many bits of input from a SHAKE function. > > I thought about that. But that would be another standard function which have not been defined yet. How could we go from here ? And this route would take time. Using the existing MGF 1 would waste only 1 division: to figure out counter number is zero: so there is only one hash function execution. > [JLS2] No it is more than that. It takes both the one division AND a concatenation AND the strangeness for trying to decide how long the SHAKE output is if one is placing it into an existing MGF1 piece of code. If you define a new MGF-V then there is a new function that is called – which code should potentially be setup for – and zero extra work beyond that. The size of the mask is the size of the output, no concatenation. It is much cleaner in my opinion. > > Does anyone think that using SHAKE in the RSA-PSS mask generation function is the wrong approach? > > Russ >
- [lamps] WGLC comments draft-ietf-lamps-cms-shakes… Jim Schaad
- Re: [lamps] WGLC comments draft-ietf-lamps-cms-sh… Russ Housley
- Re: [lamps] WGLC comments draft-ietf-lamps-cms-sh… Russ Housley
- Re: [lamps] WGLC comments draft-ietf-lamps-cms-sh… Joan Daemen
- Re: [lamps] WGLC comments draft-ietf-lamps-cms-sh… Joan Daemen
- Re: [lamps] WGLC comments draft-ietf-lamps-cms-sh… Jim Schaad
- Re: [lamps] WGLC comments draft-ietf-lamps-cms-sh… Panos Kampanakis (pkampana)
- Re: [lamps] WGLC comments draft-ietf-lamps-cms-sh… Russ Housley
- Re: [lamps] WGLC comments draft-ietf-lamps-cms-sh… Jim Schaad
- Re: [lamps] WGLC comments draft-ietf-lamps-cms-sh… Russ Housley