Re: [lamps] Benjamin Kaduk's Discuss on draft-ietf-lamps-cms-mix-with-psk-06: (with DISCUSS and COMMENT)
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 23 August 2019 03:07 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9430C120091; Thu, 22 Aug 2019 20:07:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M9N32wCQhptq; Thu, 22 Aug 2019 20:07:24 -0700 (PDT)
Received: from mail-ot1-f48.google.com (mail-ot1-f48.google.com [209.85.210.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D409120019; Thu, 22 Aug 2019 20:07:24 -0700 (PDT)
Received: by mail-ot1-f48.google.com with SMTP id o101so7459188ota.8; Thu, 22 Aug 2019 20:07:24 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JUVCpDlom9keIL3wBhp7e1MFoNkV3bIWYkaIgxCQ0tI=; b=DuGA1aqTGUrUkKv3ahPz3/3mEUd/dQIRachVsESGV5lout/BC/arOt2e+59pWQol8f mAemsuolBx2/8OwCoMvqXHqvK6lyvtpZ67POCwME5q6Rut0LvCL1D0/fHgXh8rPUg1SZ WXWXtyH22MboIhgNwP19Wuf5YSJYgQbH3DZF8PS5cfIycjsqUekKkvj1GkyG92+qMhra MKCU+OuExY2WZZw4ecfqTLZ0W/UPsxyG8FCFpVCR0Sn4Rmy+8JvRTQepmtKLjoAeGXLF qNP4KyXcV8IU9BS8hNTS+rmZ22QFOCcD/wqNO1TN6CQ2pgGOWv+8X12WeCp/huH9XQ0G tz3g==
X-Gm-Message-State: APjAAAUU5HFIDDa8hqjQe0JqMyq1K/J4LqEBMKwpsu3NsVswZEK4l1cl VKWiwWxaXqcH2P43slnSIRYeFzpZqV537XM0K8o=
X-Google-Smtp-Source: APXvYqyIgJJFwK7PtQ86oegF+wXG26VxBUplM+8+6pQpAA2jXkQ2ghU894nMqs2LubrSipIaiyCVnz+N7sttsdaW45Q=
X-Received: by 2002:a9d:4a3:: with SMTP id 32mr2352993otm.37.1566529643476; Thu, 22 Aug 2019 20:07:23 -0700 (PDT)
MIME-Version: 1.0
References: <156597611893.31967.2500700648100356711.idtracker@ietfa.amsl.com> <B73FED9C-8983-4CFE-AD66-E548CEEAD45B@vigilsec.com> <20190823020007.GZ60855@kduck.mit.edu>
In-Reply-To: <20190823020007.GZ60855@kduck.mit.edu>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 22 Aug 2019 23:07:12 -0400
Message-ID: <CAMm+Lwhs5HKsQ3EQ+cZ5m8GLF7XvDY803x9WX=HKsgEN9hH+7w@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>, IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000edfa2c0590c01a62"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/lEZdUyeiM4g2lPHtuuCzZRe3UPw>
Subject: Re: [lamps] Benjamin Kaduk's Discuss on draft-ietf-lamps-cms-mix-with-psk-06: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2019 03:07:27 -0000
On Thu, Aug 22, 2019 at 10:00 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > Hi Russ, > > On Fri, Aug 16, 2019 at 02:09:03PM -0400, Russ Housley wrote: > > Ben: > > > > Thanks for doing all of the reading necessary to raise this question. > > > > I want to respond to the DISCUSS in this note. I'll tackle the > non-blocking comments is a separate message. > > Sorry that I did not more effectively make use of the extra lead time you > gave me. > > > > ---------------------------------------------------------------------- > > > DISCUSS: > > > ---------------------------------------------------------------------- > > > > > > I think we need to have a discussion about the abstract API for a > > > KEY-DERIVATION instance and how that relates to what we need for a key > > > combination operation. In Section 5 we assume that we can use the > > > HKDF terminology, but that doesn't seem to hold universally for > > > KEY-DERIVATION; for example, while HKDF has IKM, salt, and info, PBKDF2 > > > (from RFC 3211 that AFAICT introduces keyDerivationalgorithm for CMS) > is > > > specified by RFC 2898 as taking just the input secret (password) and a > > > salt, with no separate 'info' (and of course the different iteration > > > count and PRF parameters needed for its construction). I note (with > > > chagrin, as sponsoring AD) that RFC 8619 says "PARAMS ARE absent" for > > > the HKDF-based KEY-DERIVATION instances but is silent about how one is > > > supposed to know what to pass for salt/info (the IKM we can perhaps > > > assume will be obvious). > > > > > > In short, should we be seeking to define a distinct key combination > > > operation like KRB-FX-CF2 (RFC6113) rather than trying to repurpose key > > > derivation? Some KDFs support this fairly well, but it's not clear to > > > me that it is a universal property. For example, the proof in [H2019] > > > seems to be assuming HKDF but this draft does not (as is clearly seen > > > from the use of the X9.63 KDF in one of the examples). > > > > NIST SP 800-56 Revision 1 offers this high-level interface to the KDF: > > > > KDF(Z, OtherInput) > > > > - Z: a byte string that represents the shared secret. This ic called > IKM in the HKDF terminology. > > > > - OtherInput includes: > > > > -- salt - a non-null (secret or non-secret) byte string. > > > > -- L - a positive integer that indicates the length (in > bits) of the secret keying material to be derived. > > > > -- FixedInfo - a bit string of context-specific data that is > appropriate for the relying key-establishment scheme. > > > > I do not think that this very high level of API really solves your > concern, but it did guide my thinking in writing the document. > > It is helpful to see this and understand the origin of what's in the > document. (Also that the salt is listed as "secret or non-secret" here, as > in at least one other place I looked at during my background reading I saw > it listed as "not-secret", which would be problematic when we want to put a > secret key in it!) > > > The KDF algorithm identifier has this structure: > > > > AlgorithmIdentifier ::= SEQUENCE { > > algorithm OBJECT IDENTIFIER, > > parameters ANY DEFINED BY algorithm OPTIONAL } > > > > The algorithm part lets us name many different KDFs. As you point out, > the examples in Appendix A and Appendix B use HKDF and X9.63 KDF. > > > > Recent discussions in the LAMPS WG show a big bias against complex > parameter strictures. Instead, people have voiced a strong preference for > an object identifier that names all of the options. This leads to more > object identifier assignments, but clear understanding of all options when > one is chosen or negotiated. The one exception is an initialization > vector, where a fresh value is expected each time the algorithm is invoked. > > Agreed. > > > So, in this document, I have defined a structure of the OtherInput > portion of the NIST API. If a particular KDF needs to use a value from > that structure in a particular way, is can do so. The document uses HKDF > terminology. > > > > If a KDF requires a salt, then it should be provided as a parameter. I > can certainly add that to the document. I believe that KMAC128 and KMAC256 > are algorithms that require a salt. > > Okay, but I'm not sure we've really gotten onto the same page. > > I think my main question is whether we're comfortable using a KDF > abstraction like the above (KDF(secret, otherInput)) in a fully general > sense, and asking for this mix-with-psk to work properly for all possible > KDFs. For example, would you be comfortable using the construction in this > document with PBKDF1 as the KDF? I don't even see where we could slot in > the PSK from this document into PBKDF1 -- the API just doesn't seem to be > flexible enough. PBKDF2 allows a more-than-8-octet salt, but is that going > to provide the kind of mixing that we need? > > I just don't know if all KDFs are going to guarantee the contributory > behavior from the otherInput that we need in order for this scheme to work. > The ability to change algorithm is a good thing. But proliferation of mechanisms is not. I really dislike the fact that we have three dozen SASL mechanisms that do the same thing. The ability to use a KDF keyed by a different hash function seems like it is useful agility. I really cannot imagine a situation in which we discovered an urgent need to move away from HKDF that didn't require us to think really hard about the replacement algorithm as well.
- [lamps] Benjamin Kaduk's Discuss on draft-ietf-la… Benjamin Kaduk via Datatracker
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Russ Housley
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Russ Housley
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Phillip Hallam-Baker
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Phillip Hallam-Baker
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Russ Housley
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Russ Housley
- Re: [lamps] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk