IETF Logo Mail Archive

[lamps] KeyTransRecipientInfo vs. KEMRecipientInfo

Russ Housley <housley@vigilsec.com> Tue, 13 December 2022 00:40 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6A98C14F744 for <spasm@ietfa.amsl.com>; Mon, 12 Dec 2022 16:40:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PTwNgqIeo6Yr for <spasm@ietfa.amsl.com>; Mon, 12 Dec 2022 16:40:55 -0800 (PST)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5954FC14F749 for <spasm@ietf.org>; Mon, 12 Dec 2022 16:40:55 -0800 (PST)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id E155D16136F for <spasm@ietf.org>; Mon, 12 Dec 2022 19:40:53 -0500 (EST)
Received: from [10.0.1.2] (pfs.iad.rg.net [198.180.150.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id CCD0C1617DA for <spasm@ietf.org>; Mon, 12 Dec 2022 19:40:53 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Message-Id: <A77D708D-EBAC-4F86-8B2B-DCB41E83CFCB@vigilsec.com>
Date: Mon, 12 Dec 2022 19:40:53 -0500
To: LAMPS <spasm@ietf.org>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.10 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/sm7YDi1J4bwnfnwKGEUnUxMkj18>
Subject: [lamps] KeyTransRecipientInfo vs. KEMRecipientInfo
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Dec 2022 00:40:59 -0000

I have been looking at RSA-KEM to try and decide whether KeyTransRecipientInfo or a new KEMRecipientInfo is the better way forward for CMS with Kyber.

RFC 5990 defines RSA-KEM and specifies the use with KeyTransRecipientInfo.  The result is a fairly complex use of the parameters of AlgorithmIdentifier.

    SEQUENCE {
       id-rsa-kem,                                   -- RSA-KEM cipher
       SEQUENCE {                           -- GenericHybridParameters
          SEQUENCE {                    -- key encapsulation mechanism
             id-kem-rsa,                                    -- RSA-KEM
             SEQUENCE {                            -- RsaKemParameters
                SEQUENCE {                  -- key derivation function
                   id-kdf-kdf3,                                -- KDF3
                   SEQUENCE {                     -- KDF3-HashFunction
                      id-sha256  -- SHA-256; no parameters (preferred)
                   },
                16                              -- KEK length in bytes
                },
          SEQUENCE {                   -- data encapsulation mechanism
             id-aes128-Wrap             -- AES-128 Wrap; no parameters
          }
       }
    } 

Lately, we have been trying to make the eliminate parameters, and when we cannot do so, we keep them very simple.

On one hand, the KeyTransRecipientInfo is already defined and it can be made to work.

On the other hand, KEMRecipientInfo would simply carry KEM algorithm identifier, the KDF algorithm identifier, and the Key Wrap algorithm identifier, the KEK length, and any other information that we need in a straightforward structure.

For this reason, I am leaning toward the definition of KEMRecipientInfo.  I am willing to work on a draft.

What do others think?

Russ

v2.30.2 | Report a Bug | By Email | System Status