Re: [lamps] draft-ietf-lamps-cms-shakes

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Thu, 12 September 2019 04:21 UTC

From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Russ Housley <housley@vigilsec.com>, LAMPS WG <spasm@ietf.org>
Thread-Topic: [lamps] draft-ietf-lamps-cms-shakes
Thread-Index: AQHVaNQPFcxLGZJUgkqHUOMyu7XEmacnawkA
Date: Thu, 12 Sep 2019 04:21:45 +0000
Message-ID: <BN7PR11MB2547BEF4B27B52ECBF64525EC9B00@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <6FA94952-63C4-42A3-A85F-AAB0A8145F68@vigilsec.com>
In-Reply-To: <6FA94952-63C4-42A3-A85F-AAB0A8145F68@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/oV_A7gsziU9Oh18UuyB6UT9leWo>
Subject: Re: [lamps] draft-ietf-lamps-cms-shakes

Hi Russ, 

Hmm, do we need it? 

CMS imports AlgorithmIdentifier from PKIX which we updated in the PKIX SHAKEs draft. And then CMS uses these algorithm identifiers in the SignedData SignerInfo signatureAlgorithm field. 

https://tools.ietf.org/html/rfc5753#appendix-A.2 does import sa-ecdsawithXXX as you are suggesting, but I am not sure it needed to. I mean we could import the new sa-ecdsawithshake and sa-rsassapssWithSHAKE and put them in SignatureAlgs to make it easier, but it would be commented out like https://tools.ietf.org/html/rfc5753#appendix-A.2 does because it already exists in the PKIX SHAKEs ASN.1.

Rgs,
Panos


-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Wednesday, September 11, 2019 3:06 PM
To: LAMPS WG <spasm@ietf.org>
Subject: [lamps] draft-ietf-lamps-cms-shakes

I was just working on an implementation, and I discovered an omission in the ASN.1 for draft-ietf-lamps-cms-shakes.

The ASN.1 module for draft-ietf-lamps-pkix-shake includes:

    -- RSASSA-PSS with SHAKE128
    sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER id-RSASSA-PSS-SHAKE128
      PARAMS ARE absent
          -- The hashAlgorithm is mda-shake128
          -- The maskGenAlgorithm is id-shake128
          -- Mask Gen Algorithm is SHAKE128 with output length
          -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA
          -- modulus in bits.
          -- The saltLength is 32. The trailerField is 1
      HASHES { mda-shake128 }
      PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 }
      SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 }
    }
    id-RSASSA-PSS-SHAKE128  OBJECT IDENTIFIER  ::=  { iso(1)
            identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) algorithms(6)
            TBD1 }

    -- RSASSA-PSS with SHAKE256
    sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER id-RSASSA-PSS-SHAKE256
      PARAMS ARE absent
          -- The hashAlgorithm is mda-shake256
          -- The maskGenAlgorithm is id-shake256
          -- Mask Gen Algorithm is SHAKE256 with output length
          -- (8*ceil((n-1)/8) - 520)-bits, where n is the
          -- RSA modulus in bits.
          -- The saltLength is 64. The trailerField is 1.
      HASHES { mda-shake256 }
      PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 }
      SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 }
    }
    id-RSASSA-PSS-SHAKE256  OBJECT IDENTIFIER  ::=  { iso(1)
            identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) algorithms(6)
            TBD2 }

    -- ECDSA with SHAKE128
    sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER id-ecdsa-with-shake128
      VALUE ECDSA-Sig-Value
      PARAMS ARE absent
      HASHES { mda-shake128 }
      PUBLIC-KEYS { pk-ec }
      SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 }
    }
    id-ecdsa-with-shake128 OBJECT IDENTIFIER  ::=  { iso(1)
            identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) algorithms(6)
            TBD3 }

    -- ECDSA with SHAKE256
    sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= {
      IDENTIFIER id-ecdsa-with-shake256
      VALUE ECDSA-Sig-Value
      PARAMS ARE absent
      HASHES { mda-shake256 }
      PUBLIC-KEYS { pk-ec }
      SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 }
    }
    id-ecdsa-with-shake256 OBJECT IDENTIFIER  ::=  { iso(1)
            identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) algorithms(6)
            TBD4 }

I think that the draft-ietf-lamps-cms-shakes ASN.1 module should repeat this information in exactly the same format or it should IMPORT these definitions.

Russ
_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm
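As an added example (not code from the draft or from either author), the following Python shows what the quoted ASN.1 means on the wire: it DER-encodes the four SHAKE signature AlgorithmIdentifiers as they would sit in a SignerInfo signatureAlgorithm field with PARAMS ARE absent, performs the verifier-side check that a received AlgorithmIdentifier carries the expected OID and no parameters (an explicit NULL is not "absent" under DER and is rejected), and computes the mask generation function output length from the formula in the module comments, using hashlib's SHAKE as the variable-length MGF. The draft quoted above leaves the final OID arc as TBD1..TBD4, so placeholder arcs 9001..9004 are used here; the names PKIX_ALGORITHMS_ARC, SHAKE_SIG_ALGS, is_valid_shake_sigalg, shake_mgf_output_bits and shake_mask are this example's own.

```python
import hashlib
import math

# iso(1) identified-organization(3) dod(6) internet(1) security(5)
# mechanisms(5) pkix(7) algorithms(6), as written in the quoted module.
PKIX_ALGORITHMS_ARC = (1, 3, 6, 1, 5, 5, 7, 6)

# PLACEHOLDERS for TBD1..TBD4 in the draft; these are not assigned arcs.
TBD_PLACEHOLDER = {"TBD1": 9001, "TBD2": 9002, "TBD3": 9003, "TBD4": 9004}
SHAKE_SIG_ALGS = {
    "id-RSASSA-PSS-SHAKE128": PKIX_ALGORITHMS_ARC + (TBD_PLACEHOLDER["TBD1"],),
    "id-RSASSA-PSS-SHAKE256": PKIX_ALGORITHMS_ARC + (TBD_PLACEHOLDER["TBD2"],),
    "id-ecdsa-with-shake128": PKIX_ALGORITHMS_ARC + (TBD_PLACEHOLDER["TBD3"],),
    "id-ecdsa-with-shake256": PKIX_ALGORITHMS_ARC + (TBD_PLACEHOLDER["TBD4"],),
}

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out

def encode_oid(arcs):
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + der_length(len(body)) + bytes(body)

def decode_oid(body):
    """Inverse of encode_oid, applied to the OID content octets."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return tuple(arcs)

def encode_algorithm_identifier(arcs, params=b""):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }.
    For the SHAKE algorithms PARAMS ARE absent, so params stays empty."""
    content = encode_oid(arcs) + params
    return b"\x30" + der_length(len(content)) + content

def parse_tlv(buf, pos=0):
    """Return (tag, content, end) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_algorithm_identifier(der):
    """Return (arcs, params); params is None when the field is absent."""
    tag, seq, end = parse_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, oid_body, pos = parse_tlv(seq)
    if tag != 0x06:
        raise ValueError("algorithm field is not an OBJECT IDENTIFIER")
    return decode_oid(oid_body), (seq[pos:] if pos < len(seq) else None)

def is_valid_shake_sigalg(der, name):
    """Verifier-side check of a SignerInfo signatureAlgorithm: the OID must
    be the expected one and parameters must be absent.  An explicit NULL
    (05 00) is not 'absent' and is rejected, as is any other parameter."""
    try:
        arcs, params = decode_algorithm_identifier(der)
    except (ValueError, IndexError):
        return False
    return arcs == SHAKE_SIG_ALGS[name] and params is None

def shake_mgf_output_bits(modulus_bits, shake_bits):
    """MGF output length from the quoted comments: 8*ceil((n-1)/8) - 264 bits
    for SHAKE128 and 8*ceil((n-1)/8) - 520 bits for SHAKE256, n being the RSA
    modulus length in bits (emLen minus the digest and the 0xbc trailer)."""
    em_bits = 8 * math.ceil((modulus_bits - 1) / 8)
    return em_bits - {128: 264, 256: 520}[shake_bits]

def shake_mask(seed, modulus_bits, shake_bits):
    """Produce the PSS mask using SHAKE directly as a variable-length MGF."""
    xof = hashlib.shake_128 if shake_bits == 128 else hashlib.shake_256
    return xof(seed).digest(shake_mgf_output_bits(modulus_bits, shake_bits) // 8)

if __name__ == "__main__":
    alg = encode_algorithm_identifier(SHAKE_SIG_ALGS["id-RSASSA-PSS-SHAKE128"])
    print(alg.hex(), is_valid_shake_sigalg(alg, "id-RSASSA-PSS-SHAKE128"))
    print(shake_mgf_output_bits(2048, 128), len(shake_mask(b"seed", 2048, 128)))
```

The absent-versus-NULL distinction is the part worth keeping in mind when importing these definitions into the CMS module: the SHA-2 RSA algorithm identifiers historically carry an explicit NULL, so a CMS encoder that reuses that code path for the SHAKE OIDs produces a value a strict verifier will refuse.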