Re: [lamps] [EXTERNAL] Murray Kucherawy's No Objection on draft-ietf-lamps-cms-kemri-08: (with COMMENT)
Orie Steele <orie@transmute.industries> Thu, 07 March 2024 15:24 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 050E7C13AE28 for <spasm@ietfa.amsl.com>; Thu, 7 Mar 2024 07:24:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.084
X-Spam-Level:
X-Spam-Status: No, score=-2.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r9QTpXMugoMH for <spasm@ietfa.amsl.com>; Thu, 7 Mar 2024 07:24:40 -0800 (PST)
Received: from mail-pg1-x532.google.com (mail-pg1-x532.google.com [IPv6:2607:f8b0:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7535C151532 for <spasm@ietf.org>; Thu, 7 Mar 2024 07:24:35 -0800 (PST)
Received: by mail-pg1-x532.google.com with SMTP id 41be03b00d2f7-5c229dabbb6so747681a12.0 for <spasm@ietf.org>; Thu, 07 Mar 2024 07:24:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1709825075; x=1710429875; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Pel5wsD7ubDcixeNz0SGVseH3PePtzE+j3tQp/ijOeY=; b=gf/A4HREKyHDa1rtM85CAkLaV+bVSkftrQGIbMVIk7crZOQmc5r53QqsM7GhGLzTQw R1/gKz+jUQlpoCLhcbKf9Z11jqJTacAFRvjfxvMibgaigGe0xlXoAqrg8tBFucoRNGJl tlXi6Pbe69pDa7//Zu3faf0cz6cP8vUwo1VJHr7q9s65hz5uUVwCEcq0JVKP+bNko7KI VJlAsmAQSVnzxQMwEF9S+uDZtnqaxZP23RicmwVTCHawWT3VVR97HZtG1gVIw+Zy+8H4 iYo3k7aMS3Rjn+hb185hsgFl9H+KTDz1o9qH7ls6XbO1OzqCdhHnvBU2ytlE4GgW3j/K Mo2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709825075; x=1710429875; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Pel5wsD7ubDcixeNz0SGVseH3PePtzE+j3tQp/ijOeY=; b=brdCp8eYZS9bJbDW6rDcl0wW4Pz58A2/SwZQ9SaeM3qhoe42gahBoF5BHtNMRJgcfw m5A449InNSaTvAHnwhNdG2ab+Bb5pn9tLzhFtDU0ZhkA7Z/TP3C888FhmyKwDchlbikG qgqx1d7b/1uc5qCGzYSVNVfV9E+Wl6dyfJCYWqC3bUrVUQVWXxCVSyrQTQQmGjHok/5A OdAiDnKWY42KMnf15Y1JlUWo+N7EbQNG7wvUFbyOX0yZMaIJA3dqDaIYLAFYd+aaDdoX 4r5uQNpOeZHI+Fb7VMMuORW3ZPEwdAxjv8+1iT31pq7ixz4CnSNTK924rLm8Lj6x/Mc6 PeHw==
X-Forwarded-Encrypted: i=1; AJvYcCXrtUbUcxWpwxyzVi6W0xvEESriakXBsJExrPAvI+qKnBEYIazNPtYTLPJYnGu3cv1CK2tQMSRskmBWgufq+A==
X-Gm-Message-State: AOJu0Yyu/3n+r7BYlTWqRVSglm00pTZwckCzGmB2TspRsG2o8ft0/MBR Lz1zxxI3tC5FoXDes8tM4PYwzgX/COMDKRRhZrh6j/lEAj9DjOe32TwDVvbYacSbQq0OcvqJQHO eADEMgfQKE3nNeCvIY/x1ueJTnJvwa3yaAgCQ+Q==
X-Google-Smtp-Source: AGHT+IH1l2l5F1LGHpvDw0aSDnEyEBoWDqGwUPrSsDAqq/Y8YUlBPyNIx3/G01LIzuhzdZzhI03GLWs8/pCoNPC7aSI=
X-Received: by 2002:a17:90a:a884:b0:29a:9c12:785 with SMTP id h4-20020a17090aa88400b0029a9c120785mr15967893pjq.1.1709825074965; Thu, 07 Mar 2024 07:24:34 -0800 (PST)
MIME-Version: 1.0
References: <170979580187.63516.11101857365652932121@ietfa.amsl.com> <CH0PR11MB5739C6B07D229865D3072AC09F202@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739C6B07D229865D3072AC09F202@CH0PR11MB5739.namprd11.prod.outlook.com>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 07 Mar 2024 09:24:24 -0600
Message-ID: <CAN8C-_+xsF1HdFdCDzWnAKmBymu+ZYmg5iR-T-qib16QT=UjEg@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Murray Kucherawy <superuser@gmail.com>, The IESG <iesg@ietf.org>, "draft-ietf-lamps-cms-kemri@ietf.org" <draft-ietf-lamps-cms-kemri@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "tim.hollebeek@digicert.com" <tim.hollebeek@digicert.com>, "corey.bonnell@digicert.com" <corey.bonnell@digicert.com>
Content-Type: multipart/alternative; boundary="00000000000038c915061313ac45"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/rV6sidxHa6yOBVCoJhK1dkV5Gu4>
Subject: Re: [lamps] [EXTERNAL] Murray Kucherawy's No Objection on draft-ietf-lamps-cms-kemri-08: (with COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2024 15:24:45 -0000
Hey Mike, I'm not a CMS expert, I'll refine the possible attack, and if my refinement still doesn't convince anyone it's possible, I'm happy to have displayed my ignorance so publicly : ) Let's imagine a scenario where you have content encrypted with AES-GCM, and the CEK is encrypted to multiple recipients. The attacker knows one of the recipients supports AES-CBC, and changes the content encryption algorithm to AES-CBC, hoping the recipient will leak leaks part of the AES-GCM key per, the attack described in https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-cek-hkdf-sha256/ When you have direct encryption, the KDF can bind the context of the content encryption algorithm. When you have wrap encryption, that is still possible, but you need to know more than just "this is a wrapped key", you would need to know "this is a wrapped key for AES-GCM". There are other possible mitigations depending on the constructions used, for KEMs "info" seems to be where that binding would take place. This is possibly an issue in COSE with -29, https://www.iana.org/assignments/cose/cose.xhtml#key-type <https://www.iana.org/assignments/cose/cose.xhtml#key-type>, because -29 only commits to "A128KW" in the KDF... it does not commit to "and then use that key with AES-GCM", hence: https://www.rfc-editor.org/rfc/rfc9459.html#section-8 We want an attacker changing the content encryption algorithm to fail closed, I am unsure if that property is achieved in the document, based on my inexperience with CMS. OS On Thu, Mar 7, 2024 at 9:12 AM Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote: > Hi @Orie Steele <orie@transmute.industries> > > > > I am intrigued by your comments, but I don’t fully understand them. > > > > My understanding: > > CMS has some data payload to encrypt. The sender will generate a random > CEK or CAEK. It will encrypt the payload with AES-CBC or AES-GCM. So far > this is all basic CMS RFC5652 behaviour. The KEMRI draft adds the ability > to protect the CEK or CAEK for one or more recipients’ KEM certificate – > more than one recipient is for things like email with more than one person > in the TO: field, so you encrypt the CEK / CAEK multiple times rather than > encrypting the entire payload multiple times. > > > > So with that understanding, I don’t think I follow your comments. > > > > The payload will be encrypted once, with either AES-CBC or AES-GCM, with a > unique key per payload. I don’t see where cross-mode attacks are introduced. > > > > The CMS headers will specify both the KeyEncryptionAlgorithmIdentifier > (inside KEMRecipientInfo), and ContentEncryptionAlgorithmIdentifier (inside > EncryptedContentInfo). If those specify that, for example, the payload was > encrypted with ContentEncryptionAlgorithmIdentifier = AES-CBC, and the CEK > was encrypted with KeyEncryptionAlgorithmIdentifier = AES-GCM. I don’t see > how you get an attack here. > > > > --- > > *Mike* Ounsworth > > > > *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of *Murray Kucherawy > via Datatracker > *Sent:* Thursday, March 7, 2024 1:17 AM > *To:* The IESG <iesg@ietf.org> > *Cc:* draft-ietf-lamps-cms-kemri@ietf.org; lamps-chairs@ietf.org; > spasm@ietf.org; tim.hollebeek@digicert.com; corey.bonnell@digicert.com > *Subject:* [EXTERNAL] [lamps] Murray Kucherawy's No Objection on > draft-ietf-lamps-cms-kemri-08: (with COMMENT) > > > > Murray Kucherawy has entered the following ballot position for > draft-ietf-lamps-cms-kemri-08: No Objection When responding, please keep > the subject line intact and reply to all email addresses included in the To > and CC lines. (Feel free to > > Murray Kucherawy has entered the following ballot position for > > draft-ietf-lamps-cms-kemri-08: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to https://urldefense.com/v3/__https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxS-023Peg$ <https://urldefense.com/v3/__https:/www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxS-023Peg$> > > for more information about how to handle DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-kemri/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxSZn3FNhw$ <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-lamps-cms-kemri/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxSZn3FNhw$> > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > === > > > > >From Orie Steele, incoming ART Area Director: > > > > Thanks to Sean Turner for the ARTART review, and the PR. > > > > The security considerations mentions both AES-GCM and AES-CBC. > > > > Is there a need to comment on binding the CEK or CAEK to a specific symmetric > > encryption algorithm, similar to: > > > > https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-housley-lamps-cms-cek-hkdf-sha256/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxQa702bBQ$ <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-housley-lamps-cms-cek-hkdf-sha256/__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxQa702bBQ$> > > > > Or the algorithm integrity protection comments in: > > > > https://urldefense.com/v3/__https://www.rfc-editor.org/rfc/rfc9459.html*section-8__;Iw!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxQbrRdCPw$ <https://urldefense.com/v3/__https:/www.rfc-editor.org/rfc/rfc9459.html*section-8__;Iw!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxQbrRdCPw$> > > > > I am concerned about how cross mode attacks are or are not mitigated by this > > document, but I lack the CMS experience to be able to compare the security > > properties to COSE. > > > > """ > > In this environment, security depends on three things. First, the KEM algorithm > > must be secure against adaptive chosen ciphertext attacks. Second, the > > key-encryption algorithm must provide confidentiality and integrity protection. > > Third, the choices of the KDF and the key-encryption algorithm need to provide > > the same level of security as the KEM algorithm. """ > > > > It seems like there is possibly a missing criteria that assures that the same > > content encryption algorithm is used on both sides of the KEM interface, after > > the CEK or CAEK is decrypted? > > > > > > > > _______________________________________________ > > Spasm mailing list > > Spasm@ietf.org > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxT8KnKO4w$ <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/spasm__;!!FJ-Y8qCqXTj2!Y3B2eNStiUUjdo-t3e_Ujl1ugvxIR_giHweh7ipifWddvC5DjKdkJIAXTJgrkpABvkWWRp3eqGs7CAhvmxT8KnKO4w$> > > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [lamps] Murray Kucherawy's No Objection on draft-… Murray Kucherawy via Datatracker
- Re: [lamps] [EXTERNAL] Murray Kucherawy's No Obje… Mike Ounsworth
- Re: [lamps] [EXTERNAL] Murray Kucherawy's No Obje… Orie Steele
- Re: [lamps] [EXTERNAL] Murray Kucherawy's No Obje… Mike Ounsworth
- Re: [lamps] Murray Kucherawy's No Objection on dr… Russ Housley
- Re: [lamps] Murray Kucherawy's No Objection on dr… Orie Steele