Re: [lamps] Proposal for PBMAC1 in PKCS#12

Jonathan Hammell <jfhamme.cccs@gmail.com> Tue, 28 June 2022 17:34 UTC

Return-Path: <jfhamme.cccs@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1FAEC15A727 for <spasm@ietfa.amsl.com>; Tue, 28 Jun 2022 10:34:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5K1PZMS1AV_o for <spasm@ietfa.amsl.com>; Tue, 28 Jun 2022 10:34:02 -0700 (PDT)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 886CBC157B42 for <spasm@ietf.org>; Tue, 28 Jun 2022 10:34:01 -0700 (PDT)
Received: by mail-vs1-xe32.google.com with SMTP id j1so12673085vsj.12 for <spasm@ietf.org>; Tue, 28 Jun 2022 10:34:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=HGEwdt0zVaKJRm0qWBQAA607L1Mjugy8B+CeLoAqmW0=; b=p5jSCS4e/i3Kqqvf5KvOHic4RhYN+VRiR03/5prflGZXOMIv940VgEJ8NIPMynObgH eTPvO05Od4Xhs8tyK6C3FWFN27y082kO33aeGYE1421ba6JAeDKGvtqMm09ePxM3dR4e n7Fg5DfjdeYbdl/ln78UAi6wI4He4DApx8jaWnSuYMz6QS5MdleyvN5pQu68sxqs1uw1 t1oEXXKEFuqZxF42N2gFw/tehjXBShcbEKrBfy34ay47WPXI7JyUzso2aWxGfhsBhjRT HG84B0vN87jtdFyi1IY+HPurlN3nkh0d5wJTkJNTBjFGS9gILO/9XgOX6V6NamyelEDa fXsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=HGEwdt0zVaKJRm0qWBQAA607L1Mjugy8B+CeLoAqmW0=; b=O01sL59dp4dlUNDNSYaZ9nWWHzz2Z3pLGjBIwYuTXBZ45rTGCuH98iTUHGZbVdvxUP vCMSXPg9zwE34UIIEWpXuCjROYj26kA7gh54VSk2F2RShIxnqcTXniit1Ex/7N8Br6A8 1JgUoFW17EgOqUxBYm1Bo0yfzh+iF7EnbMbzoBuAGGwje5h4nSQKCHuriN351sMmO1LR k8qvKxInKBPZDoOVbaaIjc/FXVzTbAq7JRG+jmN0LN3ZxYFotlMmENiKWMLJAP+2QuD6 DGPd3mASsfP7glpeU1bfnwQBPQ3ZafWTWCugpAF4iYfbZPvXRB38Y/YL7R0GQ45o8+/D 2HYQ==
X-Gm-Message-State: AJIora9fxwKCHsUi0Nfp7DHA+yKsx+sNk91zekU1qKiepNa46bNT3XPS pFh8mkE0kiiEsSrnY4S7EmNBzne5QfuETv4UYZxoYhZAvYs=
X-Google-Smtp-Source: AGRyM1uHi8JmxNltz9xxXitGxH6ER1+pQ8HiqqIyNvcNX9k/UcVK6iOqR0G2fH7TEIO/iVo0EASPfjtsW0SPvAYUXc0=
X-Received: by 2002:a05:6102:3548:b0:354:34a1:e8f1 with SMTP id e8-20020a056102354800b0035434a1e8f1mr2251077vss.53.1656437640040; Tue, 28 Jun 2022 10:34:00 -0700 (PDT)
MIME-Version: 1.0
References: <c282cba9-f6ae-4412-8e93-0810cffb16f2@redhat.com> <99D0A4AF-89CF-467A-A934-9144636B6A17@vigilsec.com> <ec537743-cf16-42e0-a266-856c03f002fa@redhat.com> <6D67B402-3E26-43EB-8EBD-7155E429CA01@vigilsec.com>
In-Reply-To: <6D67B402-3E26-43EB-8EBD-7155E429CA01@vigilsec.com>
From: Jonathan Hammell <jfhamme.cccs@gmail.com>
Date: Tue, 28 Jun 2022 13:33:48 -0400
Message-ID: <CALhKWgiA5Cq9i--QAVqVgDPSRaFX=cgQeBkw_xXd3=4AwG2e0A@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Hubert Kario <hkario@redhat.com>, LAMPS <spasm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/tYnzN3psY3Br-zRuiZ8N8OXGvDU>
Subject: Re: [lamps] Proposal for PBMAC1 in PKCS#12
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2022 17:34:04 -0000

Hi Hubert,

Note that there was a lengthy thread last year debating updating PKCS
#12 or the use of alternative structures for private key protection:
https://mailarchive.ietf.org/arch/msg/spasm/v-xapjceJ4i6uvCgUAe_nOhYbm8/

Looking at your I-D draft-kario-pkcs12-pbmac1, it seems to be a simple
proposal.  However, I'm not sure what you are referring to in the
rationale when you state that you considered "extending the PKCS #5 by
a new field allowing integrity protection".  What structure were you
considering in PKCS #5?  For example, in PBES2-params you could use
authenticated encryption like AES-GCM for the encryptionScheme to get
integrity protection.  That said, the solution proposed in the I-D has
the benefit of protecting the entire AuthenticatedSafe, including any
certificates.

Best regards,
Jonathan

On Wed, Jun 22, 2022 at 11:41 AM Russ Housley <housley@vigilsec.com> wrote:
>
> Thanks.  I'll take a careful look at page 24 of RFC 7292.
>
> At this point, I am not suggesting any document changes.  Rather, I am saying that the existing structure has the necessary algorithm agility.  The problem comes from the text you reference from RFC 2315, where the context is always a message digest.
>
> Russ
>
>
> > On Jun 22, 2022, at 11:14 AM, Hubert Kario <hkario@redhat.com> wrote:
> >
> > On Wednesday, 22 June 2022 16:58:18 CEST, Russ Housley wrote:
> >> Hubert:
> >>
> >> Please point to the text in RFC 7292 that is causing your concern.
> >>
> >> The PFX structure is:
> >>
> >>   PFX ::= SEQUENCE {
> >>       version     INTEGER {v3(3)}(v3,...),
> >>       authSafe    ContentInfo,
> >>       macData     MacData OPTIONAL
> >>   }
> >>
> >>   MacData ::= SEQUENCE {
> >>       mac         DigestInfo,
> >>       macSalt     OCTET STRING,
> >>       iterations  INTEGER DEFAULT 1
> >>       -- Note: The default is for historical reasons and its
> >>       --       use is deprecated.
> >>   }
> >>
> >>  -- IMPORT FROM RFC 2315
> >>
> >>   DigestInfo ::= SEQUENCE {
> >>     digestAlgorithm DigestAlgorithmIdentifier,
> >>     digest Digest }
> >>
> >>   Digest ::= OCTET STRING
> >>
> >> It seems to me that DigestInfo would be better named macInfo.
> >
> > Sorry, I don't follow... You're suggesting I should rename the fields in
> > ASN.1 definitions or you're stating that the existing standard is confusing?
> >
> >> It carries the MAC algorithm identifier (and optional parameters) as the MAC itself.
> >
> > Correct, the problem is that the DigestAlgorithmIdentifier is specified in
> > RFC 2315 as:
> >
> >  The DigestAlgorithmIdentifier type identifies a message-digest
> >  algorithm. Examples include MD2 and MD5. A message-digest algorithm
> >  maps an octet string (the message) to another octet string (the
> >  message digest).
> >
> > I would not classify PBMAC1 as a "message-digest algorithm".
> >
> > Moreover, the RFC 7292 is quite explicit that the PBMAC1 can't be placed
> > in the PFX structure (see page 24):
> >
> >  This document recommends that future definitions of
> >  the PFX structure replace the existing MacData object, optionally
> >  present in password integrity mode, with a new object definition that
> >  holds a MAC based on PKCS#5 [13] [22] PBMAC1 message authentication
> >  scheme.  This change would simplify the requirements for key
> >  derivation functions used across all parts of the PFX structure.
> >
> >>> On Jun 22, 2022, at 6:35 AM, Hubert Kario <hkario@redhat.com> wrote:
> >>> Hello everybody,
> >>> The work on the new NIST FIPS 140-3 implementations made us aware that the
> >>> current PKCS #12 specification uses a legacy PBKDF for the calculation
> >>> of the whole-file MAC value: PBKDF1. The PKCS #12 standard also doesn't ...
> >>
> >
> > --
> > Regards,
> > Hubert Kario
> > Principal Quality Engineer, RHEL Crypto team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
> >
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> > https://www.ietf.org/mailman/listinfo/spasm
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm