Re: [lamps] WGLC for draft-ietf-lamps-cms-sha3-hash

Daniel Van Geest <daniel.vangeest.ietf@gmail.com> Wed, 07 February 2024 15:39 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/lzC_7HHlSR9TQaDsDG2hZ9xHzWk>

I didn’t make the request, but draft-ietf-lamps-cms-kyber currently references the KDF OIDs, so that could be the source. I’ve just started rewriting that draft to mirror rfc5990bis.
ML-KEM uses SHAKE128, SHAKE256, SHA3-256 and SHA3-512 internally. SHA3-512 is used to derive the 32 byte shared secret, so it would arguably be considered the internal KDF and should also be the basis for the KDF when using ML-KEM with KEMRecipientInfo. Though since the KEMRI KDF takes an output length, SHAKE256 could be a better choice.
KEMRI requires a KDF which takes a shared secret and info parameter.  HKDF with SHA3 fits that bill, although in an unnecessarily complicated way.
As I understand them (barely, they’re paywalled and I haven’t done anything to get them yet), KDF2 and KDF3 would also fit the bill, but they also have unnecessary iterations.
NIST SP 800-108 allows a simple KDF wrapping KMAC128/KMAC256. As far as I know there are no OIDs defined for that, and also KMAC is based on cSHAKE, not SHA3, so it’s possibly out of scope for draft-ietf-lamps-cms-sha3. But for the purposes of ML-KEM in KEMRI, this would probably be the best option.
So then, are there any suggestions on what to do with this? Keep hkdf-with-sha3* and make @Markku-Juhani O. Saarinen unhappy? Slide KMAC into draft-ietf-lamps-cms-sha3-hash? Spin up a new draft for KMAC? Define an OID for KMAC in draft-ietf-lamps-cms-kyber (yuck)? Force draft-ietf-lamps-cms-kyber to use KDF3 like rfc5990bis (and further commit to a paywalled spec)?

Thanks,

Daniel
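As an added illustration (not code from the draft or from anyone in this thread): two KDFs with the shape the message describes for KEMRecipientInfo, a function of (shared secret, info, output length). The first is RFC 5869 HKDF instantiated with SHA3-256 through HMAC; the second is a one-shot SHAKE256 construction. The SHAKE256 length-prefix framing and the sample inputs are constructed assumptions, not anything the drafts specify.

```python
import hashlib
import hmac


def hkdf(ikm: bytes, info: bytes, length: int,
         hash_name: str = "sha3_256", salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF (Extract, then Expand) over the named hash.

    With the default hash this is 'HKDF with SHA3-256'. An empty salt is
    replaced by HashLen zero bytes, as RFC 5869 section 2.2 specifies.
    Every HMAC call is two hash invocations, which is the overhead the
    thread questions for SHA3.
    """
    hash_len = hashlib.new(hash_name).digest_size
    if not salt:
        salt = bytes(hash_len)
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand cannot produce more than 255*HashLen")
    prk = hmac.new(salt, ikm, hash_name).digest()   # HKDF-Extract
    okm, block = b"", b""
    for counter in range(1, -(-length // hash_len) + 1):
        # T(i) = HMAC(PRK, T(i-1) || info || i); T(0) is the empty string
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
    return okm[:length]


def shake256_kdf(ss: bytes, info: bytes, length: int) -> bytes:
    """One-shot XOF KDF: SHAKE256(len(ss) || ss || info) truncated to length.

    Assumed framing: a 2-byte big-endian length of ss keeps the (ss, info)
    boundary unambiguous. This is a constructed illustration of the
    'SHAKE256 could be a better choice' remark, not a registered KDF.
    """
    return hashlib.shake_256(len(ss).to_bytes(2, "big") + ss + info).digest(length)


if __name__ == "__main__":
    # Constructed sample inputs: a 32-byte ML-KEM-sized shared secret and an
    # arbitrary info string (not the real KEMRI info encoding).
    ss = bytes(range(32))
    info = b"constructed KEMRI info"
    print("HKDF-SHA3-256:", hkdf(ss, info, 32).hex())
    print("SHAKE256 KDF :", shake256_kdf(ss, info, 32).hex())
```

Both functions honour the KEMRI requirement of an explicit output length and an info parameter; HKDF needs two HMAC layers to get there, while the XOF form is a single sponge invocation.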
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Tuesday, February 6, 2024 8:51 PM
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>; Markku-Juhani O. Saarinen <mjos@pqshield.com>
Cc: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] WGLC for draft-ietf-lamps-cms-sha3-hash
Mike and Markku:
Section 5 was added in October 2023 because someone asked for KDFs. I do not recall the source of the request.

Russ
On Feb 6, 2024, at 3:21 PM, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:

Sorry, too quick on the SEND.
Markku is questioning why we need section 5.1 HKDF with SHA3.
---

Mike Ounsworth
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Tuesday, February 6, 2024 2:20 PM
To: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>; SPASM <spasm@ietf.org>; Markku-Juhani O. Saarinen <mjos@pqshield.com>
Subject: [EXTERNAL] Re: [lamps] WGLC for draft-ietf-lamps-cms-sha3-hash

I’m just gonna lob this in on @Markku-Juhani O. Saarinen’s behalf.

He commented this morning that it’s unnecessary to do HMAC with SHA3. If you need a MAC, then KMAC is a single invocation of SHA3 vs two invocations in HMAC. And if you only need a KDF then (I think?) naked SHA3 is fine?

I’ll leave it to Markku to give the details here, but I wanted to make sure this got logged before WGLC closes.
---

Mike Ounsworth
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Tim Hollebeek
Sent: Tuesday, January 30, 2024 2:43 PM
To: SPASM <spasm@ietf.org>
Subject: [EXTERNAL] [lamps] WGLC for draft-ietf-lamps-cms-sha3-hash

Hello,
Russ has suggested that draft-ietf-lamps-cms-sha3-hash might be ready for WGLC, and since it’s a pretty simple draft that seems like a pretty reasonable way to flush out any remaining comments and problems.
Therefore this is the WGLC for draft-ietf-lamps-cms-sha3-hash:
Use of the SHA3 One-way Hash Functions in the Cryptographic Message Syntax (CMS)

https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-sha3-hash/

Abstract
   This document describes the conventions for using the four one-way
   hash functions in the SHA3 family with the Cryptographic Message
   Syntax (CMS).

Please send comments to the list by 12 February 2024.
-Tim
