Re: [lamps] Problems with the current ALGORITHM information object class
Russ Housley <housley@vigilsec.com> Tue, 12 May 2020 14:19 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01BB93A0AC1 for <spasm@ietfa.amsl.com>; Tue, 12 May 2020 07:19:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9p3jGLxxfiH4 for <spasm@ietfa.amsl.com>; Tue, 12 May 2020 07:18:59 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FD913A0AB9 for <spasm@ietf.org>; Tue, 12 May 2020 07:18:52 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id AED5F300B3C for <spasm@ietf.org>; Tue, 12 May 2020 10:18:49 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Ls6LD30pRIuY for <spasm@ietf.org>; Tue, 12 May 2020 10:18:47 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id EC861300A91; Tue, 12 May 2020 10:18:46 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <15833649-2B4C-49ED-9ACD-6F9AF9B41FFD@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_01B89F3D-5E2A-44D6-98ED-01FC6F31B4CF"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Tue, 12 May 2020 10:18:48 -0400
In-Reply-To: <001f01d6285c$d614adb0$823e0910$@x500.eu>
Cc: LAMPS <spasm@ietf.org>
To: Erik Andersen <era@x500.eu>
References: <000001d62762$8385a360$8a90ea20$@x500.eu> <97737DBD-54DB-4336-A387-E22C59E78B11@vigilsec.com> <001f01d6285c$d614adb0$823e0910$@x500.eu>
X-Mailer: Apple Mail (2.3445.104.14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/nmOTjvV7c30qymAQwnMU0_woFOo>
Subject: Re: [lamps] Problems with the current ALGORITHM information object class
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 14:19:02 -0000
If I was going to make a change that was not backward compatible, that is not the one that I would pick. In my view, a better answer would be:
aes256-GCM-icv12 ALGORITHM ::= {
PARMS GCMNonce
IDENTIFIED BY aes256-GCM-icv12 }
aes256-GCM-icv13 ALGORITHM ::= {
PARMS GCMNonce
IDENTIFIED BY aes256-GCM-icv13 }
aes256-GCM-icv14 ALGORITHM ::= {
PARMS GCMNonce
IDENTIFIED BY aes256-GCM-icv14 }
aes256-GCM-icv15 ALGORITHM ::= {
PARMS GCMNonce
IDENTIFIED BY aes256-GCM-icv15 }
aes256-GCM-icv16 ALGORITHM ::= {
PARMS GCMNonce
IDENTIFIED BY aes256-GCM-icv16 }
GCMNonce ::= OCTET STRING -- recommended size is 12 octets
However, I do not advocate a change that breaks backward compatibiliy.
Russ
> On May 12, 2020, at 8:57 AM, Erik Andersen <era@x500.eu> wrote:
>
> Hi Russ,
>
> The problem was identified when a vendor was implementing IEC 62351-4, where we were faced with the question: When negotiating e.g., symmetric key algorithm, should we just specify the OID or should we also include the parameters. The answer is that sometimes you should only use the OID and in other cases you will also need to include the parameters. In some other cases, like aes256-GCM, you shall include part of the parameter. What do you then tell the implementor?
>
> aes256-GCM is an example with a mixture of parameters.:
>
> aes256-GCM ALGORITHM ::= {
> PARMS GCMParameters
> IDENTIFIED BY id-aes256-GCM }
>
>
>
> GCMParameters ::= SEQUENCE {
> aes-nonce OCTET STRING, -- recommended size is 12 octets
> aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }
>
> AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)
>
>
>
> An alternative algorithm should be defined as:
>
>
>
> newAes256-GCM ALGORITHM ::= {
> PARMS AES-GCM-ICVlen DEFAULT 12,
> DYN-PARMS OCTET STRING
>
> IDENTIFIED BY <some other OID> }
>
>
>
> Sure, there could be an interworking problem, but it can be handled. Implementations of a standard specifying the original algorithm will still interwork. Implementations of a standard specifying the modified algorithm will also interwork.
>
>
>
> For the sake of IEC 62351-4 and X.510, we need a solution. We can either do it unilateral or we can find a common solution, like who defines the alternative algorithms and allocate new OIDs..
>
>
>
> Erik
>
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley
> Sent: 11 May 2020 18:35
> To: Erik Andersen <era@x500.eu <mailto:era@x500.eu>>
> Cc: LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: Re: [lamps] Problems with the current ALGORITHM information object class
>
> If both parameter types are present, then interoperability will be gravely impacted.
>
> Russ
>
>
>
>> On May 11, 2020, at 3:05 AM, Erik Andersen <era@x500.eu <mailto:era@x500.eu>> wrote:
>>
>> In our work with IEC 62351-4 and X.510 we have identified a limitation with the current ALGORITHM information object class. The current definition is
>>
>> ALGORITHM ::= CLASS {
>> &Type OPTIONAL,
>> &id OBJECT IDENTIFIER UNIQUE }
>> WITH SYNTAX {
>> [PARMS &Type]
>> IDENTIFIED BY &id }
>>
>> The PARM field is used for defining parameters associated with the algorithms. However, the parameters are of two types:
>>
>> 1. Parameters that provide additional information about the procedure to be applied according to the algorithm. An example is ecPublicKey, where the parameter value is the elliptic curve to be used.
>> 2. Parameters that specified the syntax of the value to be used when the algorithm is deployed. An example is the AES algorithms that require a value of the parameter transferred together with the encrypted data.
>>
>> This causes problems when negotiating the use of algorithms. When specifying ecPublicKey algorithms in such negotiation, the parameter value is relevant. When specifying AES-CBC in such a negotiation, the random value of some InitializationVector is not relevant. This make algorithm negotiation cumbersome.
>>
>> We have therefore suggested to extend the ALGORITHM information object class in the following way.
>>
>> ALGORITHM ::= CLASS {
>> &Type OPTIONAL,
>> &DynParms OPTIONAL,
>> &id OBJECT IDENTIFIER UNIQUE }
>> WITH SYNTAX {
>> [PARMS &Type]
>> [DYN-PARMS &DynParms]
>> IDENTIFIED BY &id }
>>
>> A suggested update to the ALGORITHM information object class is attached. It also includes three derivative parameterized data types. By using those data types it has been possible to define the wrapper protocol without “hard coding” specific algorithm details, e.g., we have avoided a specific component for an initialization vector. This has allowed different cryptographic algorithms to be used for different communication instances make life a little more difficult for adversaries.
>>
>> Certain algorithms have to be redefined, which could cause some negative reactions. As an example the aes256-CBC algorithm must be changed from
>>
>> aes256-CBC ALGORITHM ::= {
>> PARMS AES-InitializationVector
>> IDENTIFIED BY { aes 42 } }
>>
>> To
>>
>> aes256-CBC ALGORITHM ::= {
>> DYN-PARMS AES-InitializationVector
>> IDENTIFIED BY { <some OID> } }
>>
>> However, most algorithms do not need to be modified.
>>
>> The current version of X.510 may be found at https://www.dropbox.com/s/i7mizfvoy9uo21x/x510.docx?dl=0 <https://www.dropbox.com/s/i7mizfvoy9uo21x/x510.docx?dl=0>.
>>
>> Any comments?
>>
>> Best regards,
>>
>> Erik
>>
>>
>>
>>
>>
>>
>> <algorithms.docx>_______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org <mailto:Spasm@ietf.org>
>> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>
- [lamps] Problems with the current ALGORITHM infor… Erik Andersen
- Re: [lamps] Problems with the current ALGORITHM i… Russ Housley
- Re: [lamps] Problems with the current ALGORITHM i… Russ Housley
- Re: [lamps] Problems with the current ALGORITHM i… Erik Andersen
- Re: [lamps] Problems with the current ALGORITHM i… Salz, Rich
- Re: [lamps] Problems with the current ALGORITHM i… Russ Housley
- Re: [lamps] Problems with the current ALGORITHM i… Erik Andersen
- Re: [lamps] Problems with the current ALGORITHM i… Salz, Rich
- Re: [lamps] Problems with the current ALGORITHM i… Erik Andersen