Re: [lamps] [EXTERNAL] [EXT] Re: WGLC for draft-ietf-lamps-cms-sha3-hash

Russ Housley <housley@vigilsec.com> Wed, 07 February 2024 17:54 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Wed, 07 Feb 2024 12:54:44 -0500
Cc: Uri Blumenthal <uri@ll.mit.edu>, Daniel Van Geest <daniel.vangeest.ietf@gmail.com>, SPASM <spasm@ietf.org>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/j8zdf7yu4sxQtMX7sxvl3JqZzVo>

Mike:

I have sent email to NIST to see whether they will assign OIDs for KMAC as a KDF as specified in NIST.SP.800-108r1. If so, I'm pleased to add another subsection to the draft for these KDFs.  They are more efficient than HKDF using SHA-3, but I'm not sure we should remove those sections.  There is a lot of adoption of HKDF in many different contexts.

Russ


> On Feb 7, 2024, at 12:06 PM, Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote:
> 
> Russ,
>  
> I don’t think we’re talking about KMAC as a MAC – we’re talking about KMAC as a KDF, right?
>  
> draft-ietf-lamps-cms-sha3-hash Section 5: Key Derivation Functions lists
>  
> * HKDF with SHA3
> * KDF2 and KDF3 with SHA3
>  
> HKDF is HMAC underneath, which will be 2 invocations of SHA3. I don’t know what the KDF2 or KDF3 constructions are because I am not paying for the document.
>  
> KMAC is only a single invocation of SHA3, so I think this document would benefit from defining id-alg-kdf-kmac-128 and id-alg-kdf-kmac-256, with suitable instantiations of KMAC, in addition to the HKDF and KDF2 / KDF3 ones that are already in there.
>  
> Copying from my parallel email on this thread, there will be existing implementations of HKDF-SHA2 where the existing crypto agility easily allows for substitution of SHA2 for SHA3, but may not easily allow for substitution of the entire construction for KMAC, so I think there is value in leaving HKDF-SHA3 in.
>  
> ---
> Mike Ounsworth
>  
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Wednesday, February 7, 2024 10:09 AM
> To: Uri Blumenthal <uri@ll.mit.edu>
> Cc: Daniel Van Geest <daniel.vangeest.ietf@gmail.com>; SPASM <spasm@ietf.org>
> Subject: [EXTERNAL] Re: [lamps] [EXT] Re: WGLC for draft-ietf-lamps-cms-sha3-hash
>  
> Uri:
>  
> KMAC with SHAKE128 and KMAC with SHAKE256 are already specified for use as Message Authentication Codes in RFC 8702.
>  
> Russ
>  
> On Feb 7, 2024, at 10:50 AM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
>  
> >   So then, are there any suggestions on what to do with this?  Keep hkdf-with-sha3* and make @Markku-Juhani O. Saarinen unhappy? 
>  
> I’m against it. I.e., count me as “unhappy” in this case too.
>  
> >  Slide KMAC into draft-ietf-lamps-cms-sha3-hash? Spin up a new draft for KMAC? 
>  
> Spinning up a new draft for KMAC sounds reasonable. I wouldn’t worry that it uses cSHAKE rather than SHA3.
>  
> >  Define an OID for KMAC in draft-ietf-lamps-cms-kyber (yuck)?
>  
> My gut feeling is “No”.
>  
> >  Force draft-ietf-lamps-cms-kyber to use KDF3 like rfc5990bis (and further commit to a paywalled spec)?
>  
> Absolutely not.
>  
>  
>  
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Tuesday, February 6, 2024 8:51 PM
> To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; Markku-Juhani O. Saarinen <mjos@pqshield.com>
> Cc: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>; SPASM <spasm@ietf.org>
> Subject: Re: [lamps] WGLC for draft-ietf-lamps-cms-sha3-hash
>  
> Mike and Markku:
>  
> Section 5 was added in October 2023 because someone asked for KDFs.  I do not recall the source of the request.
>  
> Russ
> 
> 
> 
> 
> On Feb 6, 2024, at 3:21 PM, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
>  
> Sorry, too quick on the SEND.
>  
> Markku is questioning why we need section 5.1 HKDF with SHA3.
>  
> ---
> Mike Ounsworth
>  
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
> Sent: Tuesday, February 6, 2024 2:20 PM
> To: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>; SPASM <spasm@ietf.org>; Markku-Juhani O. Saarinen <mjos@pqshield.com>
> Subject: [EXTERNAL] Re: [lamps] WGLC for draft-ietf-lamps-cms-sha3-hash
>  
> I’m just gonna lob this in on @Markku-Juhani O. Saarinen’s behalf.
>  
> He commented this morning that it’s unnecessary to do HMAC with SHA3. If you need a MAC, then KMAC is a single invocation of SHA3 vs two invocations in HMAC. And if you only need a KDF then (I think?) naked SHA3 is fine?
>  
> I’ll leave it to Markku to give the details here, but I wanted to make sure this got logged before WGLC closes.
>  
> ---
> Mike Ounsworth
>  
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Tim Hollebeek
> Sent: Tuesday, January 30, 2024 2:43 PM
> To: SPASM <spasm@ietf.org>
> Subject: [EXTERNAL] [lamps] WGLC for draft-ietf-lamps-cms-sha3-hash
>  
> Hello,
>  
> Russ has suggested that draft-ietf-lamps-cms-sha3-hash might be ready for WGLC, and since it’s a pretty simple draft that seems like a pretty reasonable way to flush out any remaining comments and problems.
>  
> Therefore this is the WGLC for draft-ietf-lamps-cms-sha3-hash:
>  
> Use of the SHA3 One-way Hash Functions in the Cryptographic Message Syntax (CMS)
> https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-sha3-hash/
>  
> Abstract
>  
>    This document describes the conventions for using the four one-way
>    hash functions in the SHA3 family with the Cryptographic Message
>    Syntax (CMS).
>  
> Please send comments to the list by 12 February 2024.
>  
> -Tim
>  
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>  
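Mike's cost argument in the thread above (HKDF is HMAC underneath, so two hash invocations per HMAC and one HMAC per output block, whereas KMAC is a single invocation) can be checked by counting. The following is an added example written for this archive page; it is not code from draft-ietf-lamps-cms-sha3-hash or from anyone in the thread. It implements Keccak-f[1600], the sponge, cSHAKE256 and KMAC256 from FIPS 202 and SP 800-185, and HKDF from RFC 5869, then counts hash invocations and Keccak permutations needed to derive 42 bytes each way. The key, label and context are constructed; the KMAC-KDF input layout Label || 0x00 || Context is my reading of SP 800-108r1 Section 4.4 and is marked as an assumption in the code.

```python
import hashlib

RATE = 136  # rate in bytes shared by SHA3-256, SHAKE256, cSHAKE256 and KMAC256

def _rol64(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & 0xFFFFFFFFFFFFFFFF

def keccak_f1600(state):
    """One Keccak-f[1600] permutation of a 200-byte state (FIPS 202); lanes are indexed [x][y]."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little") for y in range(5)] for x in range(5)]
    r = 1  # LFSR that generates the round constants for iota
    for _ in range(24):
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x + 4) % 5] ^ _rol64(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]  # theta
        x, y, cur = 1, 0, lanes[1][0]
        for t in range(24):  # rho and pi, walking the lanes in the standard order
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rol64(cur, (t + 1) * (t + 2) // 2)
        lanes = [[lanes[x][y] ^ (~lanes[(x + 1) % 5][y] & lanes[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]  # chi
        for j in range(7):  # iota
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            lanes[0][0] ^= (1 << ((1 << j) - 1)) if r & 2 else 0
    return bytearray(b"".join(lanes[x][y].to_bytes(8, "little") for y in range(5) for x in range(5)))

def sponge(data, suffix, out_len):
    """Keccak sponge at RATE bytes with the given domain-separation suffix; returns (output, permutations)."""
    state, perms, off = bytearray(200), 0, 0
    while len(data) - off >= RATE:  # absorb full blocks
        for i in range(RATE):
            state[i] ^= data[off + i]
        state, perms, off = keccak_f1600(state), perms + 1, off + RATE
    for i, b in enumerate(data[off:]):  # final (possibly empty) block, then suffix and pad10*1
        state[i] ^= b
    state[len(data) - off] ^= suffix
    state[RATE - 1] ^= 0x80
    state, perms = keccak_f1600(state), perms + 1
    out = bytearray(state[:RATE])
    while len(out) < out_len:  # squeeze further blocks only when more than one is requested
        state, perms = keccak_f1600(state), perms + 1
        out += state[:RATE]
    return bytes(out[:out_len]), perms

def _encode(n, left=True):  # SP 800-185 Section 2.3: left_encode (length byte first) / right_encode (last)
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([len(b)]) + b if left else b + bytes([len(b)])

def encode_string(s):
    return _encode(8 * len(s)) + s

def bytepad(x, w):
    z = _encode(w) + x
    return z + b"\x00" * (-len(z) % w)

def cshake256(x, out_len, n=b"", s=b""):
    if not n and not s:  # no function name and no customization: plain SHAKE256
        return sponge(x, 0x1F, out_len)
    return sponge(bytepad(encode_string(n) + encode_string(s), RATE) + x, 0x04, out_len)

def kmac256(key, x, out_len, s=b""):
    """KMAC256 (SP 800-185 Section 4): one cSHAKE256 call over the keyed input."""
    return cshake256(bytepad(encode_string(key), RATE) + x + _encode(8 * out_len, left=False), out_len, b"KMAC", s)

def kmac256_kdf(k_in, label, context, length, s=b""):
    """KDF on KMAC256 after SP 800-108r1 Section 4.4 (a single KMAC invocation).
    Assumption: the KMAC input string is Label || 0x00 || Context; confirm the layout against the spec."""
    return kmac256(k_in, label + b"\x00" + context, length, s)

def hmac_hash(key, msg, h, call_lens):
    """HMAC (RFC 2104) as two hash calls; the length of every hashed message is appended to call_lens."""
    block = h().block_size
    key = (h(key).digest() if len(key) > block else key).ljust(block, b"\x00")  # long-key prehash not counted
    inner = bytes(b ^ 0x36 for b in key) + msg
    call_lens.append(len(inner))
    outer = bytes(b ^ 0x5C for b in key) + h(inner).digest()
    call_lens.append(len(outer))
    return h(outer).digest()

def hkdf(hash_name, salt, ikm, info, length):
    """HKDF extract-then-expand (RFC 5869); returns (okm, list of hashed message lengths)."""
    h = lambda data=b"": hashlib.new(hash_name, data)
    calls = []
    prk = hmac_hash(salt or b"\x00" * h().digest_size, ikm, h, calls)
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac_hash(prk, t + info + bytes([i]), h, calls)
        okm, i = okm + t, i + 1
    return okm[:length], calls

def self_check(data):  # True when sponge() reproduces hashlib's SHAKE256 and SHA3-256 on data
    return (sponge(data, 0x1F, 300)[0] == hashlib.shake_256(data).digest(300)
            and sponge(data, 0x06, 32)[0] == hashlib.sha3_256(data).digest())

def compare(length=42):
    k_in = bytes(range(32))  # constructed key-derivation key; label and context below are constructed too
    _, calls = hkdf("sha3_256", b"", k_in, b"ctx", length)
    _, perms = kmac256_kdf(k_in, b"label", b"ctx", length)
    # a SHA3-256 message of m bytes costs ceil((m + 1) / RATE) permutations, since pad10*1 adds at least one byte
    return {"hkdf_sha3_hash_calls": len(calls), "hkdf_sha3_keccak_perms": sum((m + RATE) // RATE for m in calls),
            "kmac256_calls": 1, "kmac256_keccak_perms": perms}
```

compare(42) reports 6 SHA3-256 invocations (12 Keccak permutations) for HKDF-SHA3-256 against one KMAC256 invocation (3 permutations) for the same 42 bytes of output. self_check compares the hand-written sponge with hashlib's SHAKE256 and SHA3-256, so the Keccak core is validated before the SP 800-185 encodings built on it are relied on; the KMAC output itself should still be checked against the NIST KMAC sample vectors before any real use.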