IETF Logo Mail Archive

Re: [lamps] Benjamin Kaduk's Discuss on draft-ietf-lamps-cms-mix-with-psk-06: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Fri, 23 August 2019 02:00 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B80E120227; Thu, 22 Aug 2019 19:00:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6FTTsMa-Q01a; Thu, 22 Aug 2019 19:00:13 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3490B12011B; Thu, 22 Aug 2019 19:00:12 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x7N208fw019145 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 22 Aug 2019 22:00:11 -0400
Date: Thu, 22 Aug 2019 21:00:08 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Russ Housley <housley@vigilsec.com>
Cc: IESG <iesg@ietf.org>, LAMPS WG <spasm@ietf.org>
Message-ID: <20190823020007.GZ60855@kduck.mit.edu>
References: <156597611893.31967.2500700648100356711.idtracker@ietfa.amsl.com> <B73FED9C-8983-4CFE-AD66-E548CEEAD45B@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <B73FED9C-8983-4CFE-AD66-E548CEEAD45B@vigilsec.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/cQNPHlQxntfE45SCGEPf26V0K98>
Subject: Re: [lamps] Benjamin Kaduk's Discuss on draft-ietf-lamps-cms-mix-with-psk-06: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2019 02:00:16 -0000

Hi Russ,

On Fri, Aug 16, 2019 at 02:09:03PM -0400, Russ Housley wrote:
> Ben:
> 
> Thanks for doing all of the reading necessary to raise this question.
> 
> I want to respond to the DISCUSS in this note.  I'll tackle the non-blocking comments is a separate message.

Sorry that I did not more effectively make use of the extra lead time you
gave me.

> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> > 
> > I think we need to have a discussion about the abstract API for a
> > KEY-DERIVATION instance and how that relates to what we need for a key
> > combination operation.  In Section 5 we assume that we can use the
> > HKDF terminology, but that doesn't seem to hold universally for
> > KEY-DERIVATION; for example, while HKDF has IKM, salt, and info, PBKDF2
> > (from RFC 3211 that AFAICT introduces keyDerivationalgorithm for CMS) is
> > specified by RFC 2898 as taking just the input secret (password) and a
> > salt, with no separate 'info' (and of course the different iteration
> > count and PRF parameters needed for its construction).  I note (with
> > chagrin, as sponsoring AD) that RFC 8619 says "PARAMS ARE absent" for
> > the HKDF-based KEY-DERIVATION instances but is silent about how one is
> > supposed to know what to pass for salt/info (the IKM we can perhaps
> > assume will be obvious).
> > 
> > In short, should we be seeking to define a distinct key combination
> > operation like KRB-FX-CF2 (RFC6113) rather than trying to repurpose key
> > derivation?  Some KDFs support this fairly well, but it's not clear to
> > me that it is a universal property.  For example, the proof in [H2019]
> > seems to be assuming HKDF but this draft does not (as is clearly seen
> > from the use of the X9.63 KDF in one of the examples).
> 
> NIST SP 800-56 Revision 1 offers this high-level interface to the KDF:
> 
>    KDF(Z, OtherInput)
> 
>   - Z: a byte string that represents the shared secret.  This ic called IKM in the HKDF terminology.
> 
>   - OtherInput includes:
> 
>    -- salt - a non-null (secret  or non-secret) byte string.
>    
>    -- L - a  positive  integer  that  indicates  the  length  (in  bits)  of  the  secret  keying  material to be derived.
> 
>    -- FixedInfo - a bit string of context-specific data that is appropriate for the relying key-establishment scheme.
> 
> I do not think that this very high level of API really solves your concern, but it did guide my thinking in writing the document.

It is helpful to see this and understand the origin of what's in the
document.  (Also that the salt is listed as "secret or non-secret" here, as
in at least one other place I looked at during my background reading I saw
it listed as "not-secret", which would be problematic when we want to put a
secret key in it!)

> The KDF algorithm identifier has this structure:
> 
>    AlgorithmIdentifier  ::=  SEQUENCE  {
>         algorithm               OBJECT IDENTIFIER,
>         parameters              ANY DEFINED BY algorithm OPTIONAL  }
> 
> The algorithm part lets us name many different KDFs.  As you point out, the examples in Appendix A and Appendix B use HKDF and X9.63 KDF.
> 
> Recent discussions in the LAMPS WG show a big bias against complex parameter strictures.  Instead, people have voiced a strong preference for an object identifier that names all of the options.  This leads to more object identifier assignments, but clear understanding of all options when one is chosen or negotiated.  The one exception is an initialization vector, where a fresh value is expected each time the algorithm is invoked.

Agreed.

> So, in this document, I have defined a structure of the OtherInput portion of the NIST API.  If a particular KDF needs to use a value from that structure in a particular way, is can do so.  The document uses HKDF terminology.
> 
> If a KDF requires a salt, then it should be provided as a parameter.  I can certainly add that to the document.  I believe that KMAC128 and KMAC256 are algorithms that require a salt.

Okay, but I'm not sure we've really gotten onto the same page.

I think my main question is whether we're comfortable using a KDF
abstraction like the above (KDF(secret, otherInput)) in a fully general
sense, and asking for this mix-with-psk to work properly for all possible
KDFs.  For example, would you be comfortable using the construction in this
document with PBKDF1 as the KDF?  I don't even see where we could slot in
the PSK from this document into PBKDF1 -- the API just doesn't seem to be
flexible enough.  PBKDF2 allows a more-than-8-octet salt, but is that going
to provide the kind of mixing that we need?

I just don't know if all KDFs are going to guarantee the contributory
behavior from the otherInput that we need in order for this scheme to work.

-Ben

v2.23.0 | Report a Bug | By Email