Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri
Daniel Van Geest <daniel.vangeest.ietf@gmail.com> Tue, 30 January 2024 17:12 UTC
Return-Path: <daniel.vangeest.ietf@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F23D4C14F5F1 for <spasm@ietfa.amsl.com>; Tue, 30 Jan 2024 09:12:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZANi0zrrBeA for <spasm@ietfa.amsl.com>; Tue, 30 Jan 2024 09:12:06 -0800 (PST)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22AE0C14EB17 for <spasm@ietf.org>; Tue, 30 Jan 2024 09:12:06 -0800 (PST)
Received: by mail-wr1-x430.google.com with SMTP id ffacd0b85a97d-33af9d67855so139288f8f.0 for <spasm@ietf.org>; Tue, 30 Jan 2024 09:12:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706634723; x=1707239523; darn=ietf.org; h=mime-version:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=1bCP7HL+0KASNmG9iCbOediG8FhEMr3RTs6M8PrrfP8=; b=E7LEp0LCDplBsUA/eRwWOlwz16ZPrKjIUHT2uHpNDpvtuiG344b9SWdrA5OPgo9eIi cr/kDFdFjVtF5tWMVlCw9cQvPnZWonD3MopOkoWugHk97UrYyH3Mvv0BSBe1k9QbP7pm vCo+O9PJbxyib4lVnoopA50KSlNEoTQPW6Jtga3T+1+dy3bNiD4MycLcpaVMMO3J/hGg EMuiKPrrtGoyw/Mn6h2Uv2/H8IjRocMABJfKiAFu8zXU+j1ZmquK+Jx4G6do6h2Epgp5 kO5DR8kYTz0cxIGhNeOLQyt2xZZ2FihyGXR/vZo9eXJeKAjGS9vG3XqUlwsplsAaK5/s QJiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706634723; x=1707239523; h=mime-version:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=1bCP7HL+0KASNmG9iCbOediG8FhEMr3RTs6M8PrrfP8=; b=BiM5clViR3zCK/6xL1gc98+wyUtOI34VTaCVG0bpMyNCUFoUnibBN3a1BDHIsOtu54 I7xkaG165saZKZW2fOWLv0o03Rx3bzaQEbofm3WI74/XcCMH9OQLtKQia21oxj7eV9Ky 4MwP6dL12QTZCL9WCgY92xtcfztjD5Zw2yU9+4KP0dZDR2WgdBP6lcmKk8uOU/qBwsQI iS6GVW4z20U34ojLRqFbyCvC3+bsGtD91x78QQNN5/LjbInLVxI3DDQkuY1Nldu272fZ VO47VZlsfGiaYusJ7BeGKYYXaqIr74ToqIjJIgNvReGp82Qq+VzFZb6n+e9kaDeROCQB J/HQ==
X-Gm-Message-State: AOJu0Yxv486KzzZ/1Jk1wxdovGL03otDub/OSOlvRqz+VyYLtdSyJ7gX 5pK5tfCXbg78UbEEibORyj/GOpOxEZX/jeqJXybO3a4sqgU93VMeA6gPWniT
X-Google-Smtp-Source: AGHT+IE4jkc0vyb+wnu0v+JBhU20lM85VCiGM2cAKokSW25tgVdhVa+RqFYjPoylM5372bTDVqKe0w==
X-Received: by 2002:adf:ae52:0:b0:337:c50c:27d7 with SMTP id u18-20020adfae52000000b00337c50c27d7mr6588865wrd.7.1706634723323; Tue, 30 Jan 2024 09:12:03 -0800 (PST)
X-Forwarded-Encrypted: i=0; AJvYcCWLHDnqQPzBTWwgM9XtPrhskozZk5/7RWC2fdU0qv83gavixDJqK62GOyGf/VSgwIA5Axwy15NUyV4kzBqa90p5b5EbvU9EeNn3Govr6JlFTRreZNB6KKGGrEhjA2fqeEY=
Received: from VI1PR08MB3534.eurprd08.prod.outlook.com ([2603:1026:302:85::5]) by smtp.gmail.com with ESMTPSA id k14-20020adff28e000000b003392172fd60sm11178654wro.51.2024.01.30.09.12.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Jan 2024 09:12:02 -0800 (PST)
From: Daniel Van Geest <daniel.vangeest.ietf@gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>, Russ Housley <housley@vigilsec.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>
CC: LAMPS <spasm@ietf.org>
Thread-Topic: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri
Thread-Index: AdpCaC+It7iW3LwtQaS8gH3/erKdhQADc+YABEmrHwAAAGGE3AAAOO9q
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Tue, 30 Jan 2024 17:12:01 +0000
Message-ID: <VI1PR08MB3534BCC1AE87C27BF6890859AF7D2@VI1PR08MB3534.eurprd08.prod.outlook.com>
References: <10d001da4275$84783c10$8d68b430$@gmail.com> <27CC12F8-4D7D-4C65-9587-C54C9E017E40@vigilsec.com> <35E24FD1-8C52-4204-89B1-822ACAD1AF5D@redhoundsoftware.com> <VI1PR08MB35343612CE9F8F2165596E18AF7D2@VI1PR08MB3534.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR08MB35343612CE9F8F2165596E18AF7D2@VI1PR08MB3534.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_VI1PR08MB3534BCC1AE87C27BF6890859AF7D2VI1PR08MB3534eurp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/m_yZfN65e-FGu2-9Ac9X4sqFR58>
Subject: Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 17:12:07 -0000
Apologies... Previous message was sent too early. Continued... - specify required KDF (and wrap), similar to 5990bis, and allow for others (also similar) - security considerations. That's about it, a lot of the new draft will be pointing at other documents where OID/etc are already defined. Thanks, Daniel Get Outlook for Android<https://aka.ms/AAb9ysg> ________________________________ From: Daniel Van Geest <daniel.vangeest.ietf@gmail.com> Sent: Tuesday, January 30, 2024 5:09:16 PM To: Carl Wallace <carl@redhoundsoftware.com>; Russ Housley <housley@vigilsec.com>; Mike Ounsworth <Mike.Ounsworth@entrust.com> Cc: LAMPS <spasm@ietf.org> Subject: Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri draft-ietf-lamps-cms-kyber-01 is out of date, it doesn't take KemRecipientInfo into consideration well enough (or at all?). I've spoken to my colleague Julien about taking over the draft since I've been implementing kemri anyways, I just need to find the time for both. I envision the draft being simplified, and following the model of rfc5990bis: - discuss KEMs and ML-KEM in (very) brief. There seem to be many draft repeating the same info where it would be better to refer to the NIST specs (or a CFRG doc covering them). - specify OIDs for ML-KEM in CMS (again pointing to other drafts) Get Outlook for Android<https://aka.ms/AAb9ysg> ________________________________ From: Carl Wallace <carl@redhoundsoftware.com> Sent: Tuesday, January 30, 2024 4:52:12 PM To: Russ Housley <housley@vigilsec.com>; Daniel Van Geest <daniel.vangeest.ietf@gmail.com>; Mike Ounsworth <Mike.Ounsworth@entrust.com> Cc: LAMPS <spasm@ietf.org> Subject: Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri Russ and Mike, Section 5.2.1 of draft-ietf-lamps-cms-kyber-01 states the following: “If the session key obtained from the KEM algorithm is long enough to fit into the WRAP algorithm, then the KDF could be equal to the identity function.” Given this, should the kdf and kekLength fields be OPTIONAL in KEMRecipientInfo? Carl From: Spasm <spasm-bounces@ietf.org> on behalf of Russ Housley <housley@vigilsec.com> Date: Monday, January 8, 2024 at 4:02 PM To: Daniel Van Geest <daniel.vangeest.ietf@gmail.com> Cc: LAMPS <spasm@ietf.org> Subject: Re: [lamps] Key Derivation in draft-ietf-lamps-cms-kemri Daniel: It can use an KDF, but I expect that most implementers will want to use the same KDF that was used internal to the KEM algorithm to keep the implementation small. Russ On Jan 8, 2024, at 3:59 PM, Daniel Van Geest <daniel.vangeest.ietf@gmail.com> wrote: I’m implementing draft-ietf-lamps-cms-kemri and have a question about the ` kdf KeyDerivationAlgorithmIdentifier` field in KEMRecipientInfo. Is it intended that any (IKM, L, info) KDF can be thrown there (respecting Security Considerations), or should the KEM-instantiating documents specify which KDFs to use with which KEMs. e.g. draft-ietf-lamps-cms-kyber should specify to use id-alg-hkdf-with-sha256 with Kyber512, id-alg-hkdf-with-sha384 with Kyber768 and id-alg-hkdf-with-sha512 with Kyber1024? If they should do this, should the kdf field for KEMRecipientInfo be parameterized by allowed KDF ids (or whatever the right ANS.1 terminology is)? KEMRecipientInfo ::= SEQUENCE { … kdf KeyDerivationAlgorithmIdentifier{KEY-DERIVATION, KEMRIKeyDevAlgs}, … } KEMRIKeyDevAlgs KEY-DERIVATION ::= {kda-hkdf-with-sha256, kda-hkdf-with-sha384, kda-hkdf-with-sha512, …} And KEM instantiating docs can add to KeyDevAlgs if needed. Thanks, Daniel _______________________________________________ Spasm mailing list Spasm@ietf.org<mailto:Spasm@ietf.org> https://www.ietf.org/mailman/listinfo/spasm _______________________________________________ Spasm mailing list Spasm@ietf.org https://www.ietf.org/mailman/listinfo/spasm
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Russ Housley
- [lamps] Key Derivation in draft-ietf-lamps-cms-ke… Daniel Van Geest
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Carl Wallace
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Daniel Van Geest
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Daniel Van Geest
- Re: [lamps] Key Derivation in draft-ietf-lamps-cm… Mike Ounsworth