Re: [lamps] I-D Action: draft-ietf-lamps-rfc4210bis-04.txt

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Tue, 07 March 2023 06:45 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-rfc4210bis-04.txt
Date: Tue, 07 Mar 2023 06:45:26 +0000
Message-ID: <GV2PR10MB6210C7E837EB7D5AB2C44060FEB79@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
References: <167783773786.47984.15768792057420994394@ietfa.amsl.com> <GV2PR10MB6210C5B966EE954DE5704C7BFEB39@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM> <9B15EEAF-54EF-4644-B3C2-11588503D9F7@vigilsec.com> <GV2PR10MB621084795B669AE2B4383216FEB69@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM> <98C8A664-1445-4A5F-AD9B-948E5C99673E@vigilsec.com> <GV2PR10MB6210ED2C7141D4581B3F3DC4FEB69@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM> <BA668F3A-6C65-4F46-AE8A-5389C2741723@vigilsec.com> <GV2PR10MB6210FB980AEB1984EF5A146DFEB69@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM> <63C066DA-F655-4A3B-9182-B8FA2A137390@vigilsec.com>
In-Reply-To: <63C066DA-F655-4A3B-9182-B8FA2A137390@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/fJ7XE6p8NCTelbsxT-nbPfcTyL8>
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>

Russ

Thank you for clarifying your issue. I am sorry that our description does not make 
things clearer.

> Von: Russ Housley <housley@vigilsec.com>
> 
> Hendrik:
> 
> Trimming for readability ...
> 
> >>>>>
> >>>>> [HB] Section 5.1.3.4 is about PKIMessage protection using MAC-based
> >>>> protection.
> >>>>> We want to achieve message authentication, but no confidentiality.
> >>>>
> >>>> Hendrik, it is now clear to me that I totally misunderstood your
> approach.
> >>>> Normally, when people talk about HPKE (Hybrid Public Key Encryption)
> they
> >> are
> >>>> talking about the combination of key management and authenticated
> >>>> encryption.  You are not.  You are only planning to use HPKE Secret
> Export.  I
> >>>> suggest you add "Secret Export" to keep others from going down the
> same
> >> path.
> >>>
> >>> [HB] I will add a hint to secret export to the introductory paragraph.
> >>>
> >>> OLD
> >>>  Both PKI entities require a certificate of the other side and send a
> >>>  symmetric key in form of a KEM encapsulated ciphertext according to
> >>>  Hybrid Public Key Encryption [RFC9180] to the respective recipient.
> >>>
> >>> NEW
> >>>  Both PKI entities require a certificate of the other side and send a
> >>>  symmetric key in form of a KEM encapsulated ciphertext using the
> >>>  secret export APIs as specified in Hybrid Public Key Encryption
> >>>  Section 6.2 [RFC9180] to the respective recipient.
> >>
> >> I do not see where the public key of the sender comes into the algorithms
> in
> >> Section 6.2 of RFC 9180.  So, why do both PKI entities require certificates?
> >
> > [HB] The shared symmetric key shall be mutually authenticated. Both sides
> > contribute to the MAC key with a KEM encapsulation using the public key
> > from the certificate of the other side.
> > Or do I miss something ?-)
> 
> From Section 6.2 of RFC 9180:
> 
>    def SendExport<MODE>(pkR, info, exporter_context, L, ...):
>      enc, ctx = Setup<MODE>S(pkR, info, ...)
>      exported = ctx.Export(exporter_context, L)
>      return enc, exported
> 
>    def ReceiveExport<MODE>(enc, skR, info, exporter_context, L, ...):
>      ctx = Setup<MODE>R(enc, skR, info, ...)
>      return ctx.Export(exporter_context, L)
> 
> SendExport uses the recipient's public key.  Nothing from the sender is
> involved.
> 
> ReceiveExport uses the recipient's private key.  Nothing from the sender is
> involved.
> 
> Thus, the HPKE Secret Export does not provide authentication of the sender.
> Some other mechanism would need to be used in conjunction with HPKE
> Secret Export to do so.

[HB] You are absolutely right. This is why we apply HPKE twice, the first time using the CMP client's public/private key. The second time we use the CMP server's public/private key and the shared secret key from the first HPKE into the exporter_context parameter of the SendExportBase function. Doing so, we believe that we receive a mutually authenticated shared secret key from the second HPKE.
For more clarity I could explicitly state in the text that 'context' is also used with the exporter function.

OLD
       It concatenates the shared secret ss1, with the transactionID,
       the senderNonce genp_senderNonce, and the recipNonce
       genp_recipNonce from the PKIHeader of the received genp message
       to context2.

        context2 = concat(ss1, transactionID, genp_senderNonce,
                          genp_recipNonce)

       It generates a shared secret ss2 and the associated ciphertext
       enc2 using the HPKE export function SendExportBase and the
       server's public key pkS:

        SendExportBase(pkS, "round2", context2, len) = (enc2, ss2)

NEW
       It concatenates the shared secret ss1, with the transactionID,
       the senderNonce genp_senderNonce, and the recipNonce
       genp_recipNonce from the PKIHeader of the received genp message
       to context2.

        context2 = concat(ss1, transactionID, genp_senderNonce,
                          genp_recipNonce)

       It generates a shared secret ss2 and the associated ciphertext
       enc2 using the HPKE export function SendExportBase with the
       server's public key pkS and context2:

        SendExportBase(pkS, "round2", context2, len) = (enc2, ss2)

Hendrik
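The two-round construction discussed in this thread, as an added example that is not part of the mail exchange or of the rfc4210bis draft: a Go program that implements the SendExportBase/ReceiveExportBase shape of RFC 9180 Section 6.2 over X25519 using only the standard library, then runs round 1 under the client's key pair and round 2 under the server's key pair with context2 = concat(ss1, transactionID, genp_senderNonce, genp_recipNonce). The HKDF labels, the round-1 info and exporter_context values, and the sample PKIHeader fields are assumptions of this example (the output is therefore not RFC 9180 test-vector exact); only the round-2 call matches the text quoted above. Russ's observation is visible in the code: SendExportBase touches nothing from the sender's own key pair. The clientHoldsSkC switch shows the check the thread turns on: a party that cannot decapsulate enc1 with skC ends up with a different context2 and therefore a different ss2 from the server.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// hmacSum is HMAC-SHA256 over the concatenation of parts, the primitive behind HKDF (RFC 5869).
func hmacSum(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// hkdfExpand is HKDF-Expand with SHA-256, producing L bytes of output.
func hkdfExpand(prk, info []byte, L int) []byte {
	var out, prev []byte
	for counter := byte(1); len(out) < L; counter++ {
		prev = hmacSum(prk, prev, info, []byte{counter})
		out = append(out, prev...)
	}
	return out[:L]
}

func concat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

func genKey() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// exportFromDH follows the shape of DHKEM(X25519) + KeySchedule + Context.Export: the raw DH
// output is bound to enc || pkR, then to info, then expanded with exporter_context (labels simplified).
func exportFromDH(dh, enc, pkR, info, exporterContext []byte, L int) []byte {
	shared := hkdfExpand(hmacSum([]byte("eae_prk"), dh), concat([]byte("shared_secret"), enc, pkR), 32)
	exporterSecret := hkdfExpand(hmacSum(info, shared), []byte("exp"), 32)
	return hkdfExpand(exporterSecret, concat([]byte("sec"), exporterContext), L)
}

// SendExportBase encapsulates to the recipient's public key pkR and exports L bytes;
// nothing from the sender's own key pair enters the computation.
func SendExportBase(pkR *ecdh.PublicKey, info, exporterContext []byte, L int) (enc, exported []byte, err error) {
	skE := genKey()
	dh, err := skE.ECDH(pkR)
	if err != nil {
		return nil, nil, err
	}
	enc = skE.PublicKey().Bytes()
	return enc, exportFromDH(dh, enc, pkR.Bytes(), info, exporterContext, L), nil
}

// ReceiveExportBase decapsulates enc with the recipient's private key skR and exports L bytes.
func ReceiveExportBase(enc []byte, skR *ecdh.PrivateKey, info, exporterContext []byte, L int) ([]byte, error) {
	pkE, err := ecdh.X25519().NewPublicKey(enc)
	if err != nil {
		return nil, err
	}
	dh, err := skR.ECDH(pkE)
	if err != nil {
		return nil, err
	}
	return exportFromDH(dh, enc, skR.PublicKey().Bytes(), info, exporterContext, L), nil
}

// RunExchange performs the two rounds from the mail: round 1 exports ss1 under the client's
// key pair (its info/context values are this example's assumptions), round 2 builds
// context2 = concat(ss1, transactionID, genp_senderNonce, genp_recipNonce) and exports ss2 under
// the server's key pair. With clientHoldsSkC=false the client cannot recover ss1, so ss2 differs.
func RunExchange(clientHoldsSkC bool) (ssClient, ssServer []byte, err error) {
	const L = 32
	skC, skS := genKey(), genKey()
	// Constructed sample PKIHeader fields; real values come from the genp message.
	transactionID := []byte("txid-0001")
	genpSenderNonce := []byte("genp-sender-nonce")
	genpRecipNonce := []byte("genp-recip-nonce")
	// Round 1: the server encapsulates to pkC; enc1 travels in genp to the client.
	enc1, ss1Server, err := SendExportBase(skC.PublicKey(), []byte("round1"), nil, L)
	ss1Client := make([]byte, L) // placeholder: a party without skC cannot decapsulate enc1
	if err == nil && clientHoldsSkC {
		ss1Client, err = ReceiveExportBase(enc1, skC, []byte("round1"), nil, L)
	}
	if err != nil {
		return nil, nil, err
	}
	// Round 2: SendExportBase(pkS, "round2", context2, len) = (enc2, ss2); the server recovers ss2 with skS.
	ctxClient := concat(ss1Client, transactionID, genpSenderNonce, genpRecipNonce)
	ctxServer := concat(ss1Server, transactionID, genpSenderNonce, genpRecipNonce)
	enc2, ssClient, err := SendExportBase(skS.PublicKey(), []byte("round2"), ctxClient, L)
	if err == nil {
		ssServer, err = ReceiveExportBase(enc2, skS, []byte("round2"), ctxServer, L)
	}
	return ssClient, ssServer, err
}
```

RunExchange(true) returns two equal 32-byte values; RunExchange(false) returns two different ones, because the server's context2 embeds the ss1 it exported in round 1 while the client's placeholder does not. Whether this binding yields mutual authentication in the sense the draft needs is the question still open in the thread; the program only makes the dependency between the rounds concrete.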