IETF Logo Mail Archive

Re: [lamps] CMS: selection of key management technique to use for EnvelopedData

"von Oheimb, David" <david.von.oheimb@siemens.com> Fri, 23 December 2022 19:16 UTC

Return-Path: <david.von.oheimb@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7718FC14CE42 for <spasm@ietfa.amsl.com>; Fri, 23 Dec 2022 11:16:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BLXsI7RT0-Dx for <spasm@ietfa.amsl.com>; Fri, 23 Dec 2022 11:16:16 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2054.outbound.protection.outlook.com [40.107.22.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CD84C14CE26 for <spasm@ietf.org>; Fri, 23 Dec 2022 11:16:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bKkYHHoOXWvtHZ3oC/ZXHHLKjdtQhdONwevvATeJyQliUUWhufiGybejMsIT/fH5hBCnowLJa01qRv5zotUfYu6i576/K/L3YSdf0eeSp1qsVEMRJz0gqej2VxiDiAd63NqS2Cv+cADQ5iVk2mcD2T3nCUgw+1N+0OKwG6UJkjPXJ7QEFMfLaHaNUrYc7NRwv9uaDDL99o3Aj5Mxo7lnWVDwTWX8H1VfCneZ3oBkUOjfGr5ZnPyqcEPhY9kYohtwVOpUT8uhizMxz7JU1lxloXMbk+SjZ+4I8vij2g3aCMTE/2k8ZTe/cdWuH4/W/K+57QkVjP5DdhVuyJlY4jAONg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6TqSNtK/o2rkmJvTJQtRWNgSUtIs9w0PZrbmCbnhLas=; b=FPhEaMtlzV0IGYzxAFaKnYrl/mcbnuszkupBJxG4hF7mTTIFmTkbb94fWAg7KUwjmPReDlVyVlreWNymcelqyf+BFbGvw9n7TiPxQNBpLghCauY4TKg6fRLFaLrftamFRFb3rETkDCRz+ivdaJxb3F73xVBjKBKlGDiMjXHrek6+EHJUkLPBTgdQgbILsON9/mJfOS19EWhZeNv5jYWOY+//tmS62sChy1HgQmSKrfsLYyU1kHnrYqCnFZr/ZQkoDIb4Lh1WzgDNyA8j52rNIN/yXwbrVQ/jePoHr1qcdOtFPa8bpqi1LDudB+FlYF/pbzflRB/iaga21gb9BhIraA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6TqSNtK/o2rkmJvTJQtRWNgSUtIs9w0PZrbmCbnhLas=; b=X3VbB/thmP/rM0IG+4qy/Xxodi3IewToFEa6GrJy8v/zVZu2G2ckhSb/06hHEwzQbtfksuPO6ta/ehLy85CQ/Uz+3anhSvtZVVleOHqdmEFBZiSfJykQ+tjOJ1N2hvlAsAJDyKZPD7MxIKjFq6R5+WcrTFivptaqv9SFGF3zgicmzKj2nGZlF13larl8lBP6pWlIZ3n8W2RYB+rLlmOCgJ7dJGNY5LY2M+mpVQ1VK80ssFdzwgEefKNrKoxbmG1qmpsPrg7OlVTIVFUZg1uNPO+vD/n2R1VKrTFA2W7MoyBz1DIXvfrbPccUhC0KRYM3ITJ2gs8NGSQNd2bVoWDinw==
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:398::20) by DB9PR10MB6404.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:3db::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5924.16; Fri, 23 Dec 2022 19:16:12 +0000
Received: from DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::9193:3b29:2644:986]) by DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM ([fe80::9193:3b29:2644:986%6]) with mapi id 15.20.5924.016; Fri, 23 Dec 2022 19:16:12 +0000
From: "von Oheimb, David" <david.von.oheimb@siemens.com>
To: "housley@vigilsec.com" <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Thread-Topic: CMS: selection of key management technique to use for EnvelopedData
Thread-Index: AQHZFV/jrsIQe/6GokCjtrmrn6LVBq56VtaAgAFZ+QCAAARhAIAAJhiA
Date: Fri, 23 Dec 2022 19:16:12 +0000
Message-ID: <0aedcb9cef4436867986ae78baf64b56cd87c505.camel@siemens.com>
References: <b8c681f4f7e6728ecec2cb848e43f2228c4cba7a.camel@siemens.com> <db687565617dde5cc08fcedf0f39241255bb5ac8.camel@siemens.com> <E3949494-08FA-4558-8FFA-1FA7143FD61E@vigilsec.com> <c671f3550a3c422398ded9aa687432aabc9731e1.camel@siemens.com> <CAB18899-660F-4BC5-92FB-9A3B7AF7290D@vigilsec.com>
In-Reply-To: <CAB18899-660F-4BC5-92FB-9A3B7AF7290D@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Evolution 3.38.3-1
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DB9PR10MB5884:EE_|DB9PR10MB6404:EE_
x-ms-office365-filtering-correlation-id: a20304a0-ee75-4a4e-7787-08dae51a2780
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: y+wJZa2d6+89oqs7xhkQMAzdxaf944QY2eYKoiKDKZ45NzPSHWl2KtANgNpaOeEdObi+nrintJtSAqXX1gzz6UzAUb4/Z5Ht01LsI4yhTXZsOq+rioxJMVqkCwMkegsL0KSEq4+9ANONr/PKrH9sYrnFyXeJlzhs92fkByFLnmEjPrAKXa8HTckkrTxnpM+9ISmCc62u3oBW6docRNHC9s3qgrIHdHDNwJx56UHj9eNnyLzBmNJqi7SuzUb31dVyog44GRsYAXA48fZd1yrWtivObY5GFstJeevSZFK/D6uCfsTweVGQNP73Xe7UVf0HI6ZKeMR7QEEAxqctifgTVa2fE4keWFFBEZFDc17ybs56J6KhB1AZWSx2si0xOJiwfajZrlLC8N8XLTP6/y/o8RuiH0LM+/rG59qM5Wyi1oG7vSlDID5pEppUkz3fEbc05+zkKQ1mfyZ7RopQf3UQlhE1eg0+APGJiBwM+7jlZAQXfs6u6bw/IuAFD1/gH3Km9P5Mt1xpAPBcOJgA2BN/6PahMVTOAeTUzA0UEceXYrAexy/MUuO8Gi/+qvQLtnVjPYjYtUEj69tVjjq0QUSnT9VALiMO8HuVL1ZFGAZxNrMF4l+f8C86DeG20iDPEAAXvFExyMaaWgmd05bJiwbhcF4JIKKAIrEWGzqZ3G/Y4khajNgpLazzKerUy4jWhxV4HmxwZmhfz1UYsPpSFVV5CjkHSaKeEkzEgKvAdEIFLYI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(4636009)(366004)(346002)(136003)(376002)(39860400002)(396003)(451199015)(38100700002)(82960400001)(41300700001)(122000001)(91956017)(66476007)(64756008)(166002)(5660300002)(66446008)(66946007)(8676002)(76116006)(66556008)(4326008)(21615005)(83380400001)(478600001)(6486002)(36756003)(8936002)(6916009)(2906002)(54906003)(4001150100001)(38070700005)(316002)(71200400001)(186003)(6506007)(6512007)(26005)(107886003)(2616005)(86362001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: xbLvx7JiDaVYexsEKsZbkt/JoWbv2z4rZHfWIbYFIp4OSugwaEq3JCTzWG3BGqakImIDfPIn0aOfP+AqCcjAXwCRpJePc4dtBqvD3J/zZyqYBFVw62zltAwrsB8N1MJeS5D84Hsz7k+sf8VoV7IySVzE3wEz+gyohNuBTh8dF/XFJh6GJQmLIUtJ5GqrZi12/1GjXCvhI2J4CfVDJBNDZgjoVPkzEp946e4dWv7eHZ9yQXQsvIeVnecmC9ZdamGY5NJzPJHWfXxLiabj3yT4W5VyoGStePPGk5WaTve4g8LuOJf4R6l4iJqwAkn/qpJ+peDrbqwVQBHsqb+WkrNM3vFCKMwLoaYcECTEisAsoOWXX2jjyEXfnE7S7lmY5Ou8ImnZhMy039dtZ3lJaDmFzjPe9mI4sxdj9SGEy/dDo6O3gvjJ7SnAMd7ixtSS6atpo6c1jbTTo/E4a9vc3ePb9+UE4VrMGGA8UKUPKmNjqJ2pSVZhuyTWKksZdnztVhZxJVMGLynVBs8hvnTwIgER/bzLAqQ6oak6YJaWJIyRKAc2ucedCfl3hSeFSRKQBCcnHpR3LwJK4KQ+ZIABjKHhj7gJiZNBQXrLY9W7kUat8+FabI6X8430AxJAotr7JPIpJj9aVhLMX2fKwwuu32q8FiVp+W1KO2BaZJsC5xg34QTSnCAxXY1Jf6pnCrif5zMdV3kaVjKPYyV+2SwaLvz15B0WdOA0HtMHMgYtbne0e74vVy86hD8ETdYmCFLsHS15wdkCi808tgF1rX3cv4gColsDsi8hQYvc3OL1vLp9ju3Bcppz7HiNoT7sfsF7sCiPFjzAiaEcodbUmlspSSI6fmseQ8cmma8YNE7DSozh8l1jI/8LqZLCE732tyIRGuxh4dfKZ2VJBmvixYfRRvjIsBuCcdpvQ6DAaOkkq5uOIwcm6RXBZW74MGNx5ZuCdYnCSw3+JDDkGom9hVdAKderqb/I91Z7N5JVAl5gxjvnj6D9NRTIIhOzAAC7gEOVL9+x/AoeNvLKrLcYYG6xues0MkLxerLLOzKAJ3Ha2xzwYnNAwn8vLphuDQybyGoFAeL/ns9mK9Hmsu78CpoXUrsWgyQSg+Yf8D4I1yvhnT5r1GRb182ZACBWi4DmhW0Sftzs9gO2KD1AwsC3ae4z4i+JigUOEGwz1yJLMqhjmGHtP88ojfkB6QCOykUiQbpyUxGgDmvyCvxgz/bbccC3H12aVA1c0YCTGrxD3NGZkl696pxQU4S3ygNBBE0OctTJrYPB8yNhvW8FabAMDVQZuyGa2xINh1e812FRgz/zZFH9KFk6hgx+L4CuMBcLK1XhI/AUaVh3Vh3xXrCAO1/wjHESiuelOgbP30yh0Gfx3pFFGJ+ksUNI9t/pVp7G/lkIHs/sQnviO4pLbziFMgyYVTBJ74ekE1p4nr32zASkE/90sgeQSOtvQGRQaXeooUJGGs8phDQdb/qbqA8f5XIy/1qguCNTQIXNH8L0ywvJ9q7eSBdPXnzzPdzPkLOtiPmXEg3tfl6F1CVXB2eOYelAm8W0g5LGLU0yvIGXcNu3o1Ysbrys5xPI0Mxvt46p8GTvY4xxwhOWEd3+G95MyIFfXe4nD+IotUEm44EZVsOKmQm1zic=
Content-Type: multipart/alternative; boundary="_000_0aedcb9cef4436867986ae78baf64b56cd87c505camelsiemenscom_"
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DB9PR10MB5884.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: a20304a0-ee75-4a4e-7787-08dae51a2780
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Dec 2022 19:16:12.0518 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: JQCVmiidnHfcqrdfB8H+nBmdVXtLOyVqmrI4KRiCa8OaAYwacgN0Zq0XdPbqtOG1TgYxxOo/5jIC62nHbfu0rv4f2XoUkxEzVTHTMgs7nzk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR10MB6404
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/bi0DOu_YSdyXm61aVy5v2W0MKS4>
Subject: Re: [lamps] CMS: selection of key management technique to use for EnvelopedData
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Dec 2022 19:16:20 -0000

Thanks Russ for your further immediate response.

On Fri, 2022-12-23 at 11:59 -0500, Russ Housley wrote:

Since neither the original CMS RFC 5652 nor its update mention the topic how to select the key management technique to use,
the questions remains: was this on purpose?

  *   If not, I'd say this an omission to be sorted out.
  *   If yes, I'd expect some reasoning why, and a concrete pointer to, e.g., some other RFC (maybe, on specific uses like S/MIME) where concrete guidance is given.

I am sure you know this, but they can be mixed in the general case.  For example, one recipient could have a certificate with an RSA public key, and another recipient could have a certificate with an ECDH public key.  The sender would use KeyTransRecipientInfo for the first one, and the sender would use KeyAgreeRecipientInfo for the other one.  For this reason, I am not sure what guidance would be added to CMS.

Indeed there may be multiple recipients with certificates of different key types,
but still the expected guidance should better say for each of those types which key management technique to use.
So

  *   if all recipients have an RSA cert, it is sufficient to use KeyTransRecipientInfo,
  *   if all recipients have an (EC)DH or GOST R 34.10-94 cert, it is sufficient to use KeyAgreeRecipientInfo,
  *   if the recipients have both flavors, both key transport and key agreement needs to be used.


As mentioned in my first email (quoted again below), in the central key generation use case for CMP v3 (and maybe any further cert enrollment protocols),
CMS is used to convey the new private key. There it is just one recipient, and the sender needs to decide which key management technique to use.


RFC 2630 was published in June 1999.  This was the first version of CMS that included more that one flavor of RecipientInfo.  In the 20+ years since RFC 2630 was published, this is the first time that this has been a concern.

I wonder why nobody brought this up before -
maybe simply because cryptographically educated users of CMS know (and others should learn by failure) that RSA does not support key agreement and ECC does not support key transport.

If an implementation supports a particular public key type (identified by the subjectPublicKeyInfo.algorithm in the certificate), then the implementation should "know" whether it is a key transport or a key agreement algorithm.

The point is that the implementation of a CMS sender (which is a central key generation authority in our new use case)
usually supports both KeyTransRecipientInfo (typically for RSA) and KeyAgreeRecipientInfo (typically for DCDH).
So it must implement some logic which one (or both in some cases) to choose in which situation, based on the set of recipient certs at hand.
And even if it supports just one of the two key management techniques, it needs to know for which (unsupported) key types to throw an error.
This logic apparently has been implicit for meanwhile 23+ years.

If the algorithm identifier is unknown or unsupported, then the implementation will throw an error.

This is fine, of course, in particular since in general the implementer of the sender cannot know in advance which types of recipient keys the sender may be confronted with.
Essentially the same holds of course for the expected guidance: it can only be given for key types known so far.

David


On Wed, 2022-12-21 at 18:15 +0100, David von Oheimb wrote:
Russ et al.,

when doing extended tests on central (i.e., server-side) key generation with CMP Updates, where CMS is used for sending the newly generated private key encrypted to the client,
we stumbled over potential differences between the key management techniques allowed by the client certificate and those techniques actually supported by the key type in that cert.

Sorting this out, we tried to find in RFC 5652<https://www.rfc-editor.org/rfc/rfc5652.html>, in particular section 6 on EnvelopedData, some guidance how to select the key management technique to use for a given recipient cert.
Yet it looks like this is kind of implicit. For instance, if the public key in the recipient cert is of type RSA, only key transport makes sense, while for EC keys only key agreement makes sense.
Is there any specification that makes the (intended) selection of the key management technique explicit, or has this been deliberately left open?
[...]

v2.43.4 | Report a Bug | By Email | System Status