Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Mon, 17 September 2018 18:08 UTC

From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>, 'Quynh Dang' <quynh.dang@nist.gov>
Thread-Topic: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01
Date: Mon, 17 Sep 2018 18:08:51 +0000
Message-ID: <e1ebcfeb9d09415bad5647a0edad73c9@XCH-ALN-010.cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/sInuxnB932BbJAe_5N2qgazhsIk>

I think that falls outside the scope of this spec and the LAMPS charter to be honest.
I mean, introducing a new MGF should not be taken lightly even if it is straightforward.
Panos

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Monday, September 17, 2018 11:39 AM
To: 'Russ Housley' <housley@vigilsec.com>; 'Quynh Dang' <quynh.dang@nist.gov>; Panos Kampanakis (pkampana) <pkampana@cisco.com>
Cc: 'SPASM' <spasm@ietf.org>
Subject: RE: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01

Russ,

That is not the question that I was asking. I think that replacing SHA-1 with SHAKE in the MGF function is correct. I was proposing replacing the MGF function in its entirety with a new MGF function.

Jim


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Monday, September 17, 2018 2:53 AM
To: Quynh Dang <quynh.dang@nist.gov>; Panos Kampanakis <pkampana@cisco.com>
Cc: SPASM <spasm@ietf.org>
Subject: Re: [lamps] WGLC comments draft-ietf-lamps-cms-shakes-01

Here is a part of a message to resolve the WG Last Call comments on draft-ietf-lamps-cms-shakes-01 ...

* Message Digests - are the limits on the size only for CMS or do they apply everywhere that the algorithm is used? If it is everywhere, how do we reconcile with the usage in RSA-PSS?


Comment 5: Only in CMS, when a message digest is generated. For RSA-PSS, a SHAKE has 2 different output sizes for 2 different uses: hashing a message to be signed and generating a masking value in MGF 1.
[JLS] After looking at this a second time, I propose that this problem be solved by creation of a new mask generation function MGF-V.   We can eliminate the counter from the operation as being un-needed and just compute the mask length and generate that many bits of input from a SHAKE function.


I thought about that. But that would be another standard function which has not been defined yet. How could we go from here? And this route would take time. Using the existing MGF 1 would waste only 1 division: to figure out that the counter number is zero; so there is only one hash function execution.
[JLS2] No, it is more than that. It takes both the one division AND a concatenation AND the strangeness of trying to decide how long the SHAKE output is if one is placing it into an existing MGF1 piece of code. If you define a new MGF-V then there is a new function that is called – which code should potentially be set up for – and zero extra work beyond that. The size of the mask is the size of the output, no concatenation. It is much cleaner in my opinion.

Does anyone think that using SHAKE in the RSA-PSS mask generation function is the wrong approach?

Russ
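As an added example (not code from the draft or from anyone in this thread), the two constructions being argued about side by side: RFC 8017 MGF1 with SHAKE128 plugged in as a fixed-length hash, versus a direct XOF squeeze with no counter and no concatenation. It assumes a 32-byte SHAKE128 output inside MGF1; the draft may choose a different fixed length.

```python
"""MGF1-over-SHAKE vs. a direct SHAKE XOF mask (illustrative, not normative)."""
import hashlib
import math
from typing import Tuple

# Assumed fixed output length when SHAKE128 is used as the "hash" inside MGF1.
HASH_LEN = 32


def shake128_fixed(data: bytes, out_len: int = HASH_LEN) -> bytes:
    """SHAKE128 truncated to a fixed length, so it behaves like a plain hash."""
    return hashlib.shake_128(data).digest(out_len)


def mgf1_shake(seed: bytes, mask_len: int) -> Tuple[bytes, int]:
    """RFC 8017 Appendix B.2.1 MGF1 with SHAKE128 as Hash.

    Returns (mask, number_of_hash_calls). Each block hashes seed || I2OSP(counter, 4),
    which is the concatenation and counter discussed in the thread.
    """
    t = b""
    calls = 0
    for counter in range(math.ceil(mask_len / HASH_LEN)):
        c = counter.to_bytes(4, "big")       # I2OSP(counter, 4)
        t += shake128_fixed(seed + c)        # Hash(seed || C)
        calls += 1
    return t[:mask_len], calls


def mgf_xof_direct(seed: bytes, mask_len: int) -> bytes:
    """The 'MGF-V' idea: the mask is simply mask_len bytes squeezed from SHAKE128(seed)."""
    return hashlib.shake_128(seed).digest(mask_len)


def constructions_agree(seed: bytes, mask_len: int) -> bool:
    """True only if both constructions yield the same mask (they do not: the
    MGF1 path hashes seed || counter, the direct path hashes seed alone)."""
    return mgf1_shake(seed, mask_len)[0] == mgf_xof_direct(seed, mask_len)


if __name__ == "__main__":
    seed = b"constructed-seed"               # constructed sample input
    for n in (20, 32, 64, 65):
        mask, calls = mgf1_shake(seed, n)
        print(f"mask_len={n:3d} MGF1 hash calls={calls} "
              f"agree_with_direct={constructions_agree(seed, n)}")
```

Note that with the direct XOF a shorter mask is a prefix of a longer one from the same seed, whereas MGF1 output for a longer mask still begins with the same first block but appends further seed||counter hashes.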