Re: [lamps] Review draft-ietf-lamps-cms-mix-with-psk-00
Russ Housley <housley@vigilsec.com> Thu, 15 November 2018 11:24 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5842F1276D0 for <spasm@ietfa.amsl.com>; Thu, 15 Nov 2018 03:24:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zw8cGoxQ1JIQ for <spasm@ietfa.amsl.com>; Thu, 15 Nov 2018 03:24:13 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A3D7124C04 for <spasm@ietf.org>; Thu, 15 Nov 2018 03:24:13 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 5C02B300AA4 for <spasm@ietf.org>; Thu, 15 Nov 2018 06:24:10 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id zWffrBsy8yFp for <spasm@ietf.org>; Thu, 15 Nov 2018 06:24:08 -0500 (EST)
Received: from dhcp-9bbe.meeting.ietf.org (dhcp-9bbe.meeting.ietf.org [31.133.155.190]) by mail.smeinc.net (Postfix) with ESMTPSA id 7F5A030078C; Thu, 15 Nov 2018 06:24:07 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <018d01d477fa$97522760$c5f67620$@augustcellars.com>
Date: Thu, 15 Nov 2018 06:24:04 -0500
Cc: SPASM <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <AE8CC8C9-20BA-4E38-BF11-E617A153500E@vigilsec.com>
References: <018d01d477fa$97522760$c5f67620$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/vTSvRLmi990CKJzIdX4PzAhJMTA>
Subject: Re: [lamps] Review draft-ietf-lamps-cms-mix-with-psk-00
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Nov 2018 11:24:15 -0000
Jim: Thanks for the careful review. > Abstract: Needs to be re-worded " if existing syntax the does not > accommodated them." I suggest: The invention of a large-scale quantum computer would pose a serious challenge for the cryptographic algorithms that are widely deployed today. The Cryptographic Message Syntax (CMS) supports key transport and key agreement algorithms that could be broken by the invention of such a quantum computer. By storing communications that are protected with the CMS today, someone could decrypt them in the future when a large-scale quantum computer becomes available. Once quantum-secure key management algorithms are available, the CMS will be extended to support the new algorithms, if the existing syntax the does not accommodate them. In the near-term, this document describes a mechanism to protect today's communication from the future invention of a large-scale quantum computer by mixing the output of key transport and key agreement algorithms with a pre-shared key. > Section 1: Needs to be re-worded "if current syntax the does not > accommodated them." I suggest: Once quantum-secure key management algorithms are available, the CMS will be extended to support them, if the existing syntax the does not already accommodate the new algorithms. > Section 1: Needs to be re-worded: " by mixing with a strong PSK with the > output" In suggest: In the near-term, this document describes a mechanism to protect today's communication from the future invention of a large-scale quantum computer by mixing the output of existing key transport and key agreement algorithms with a pre-shared key (PSK). ... > Section 2 - Which key? "generates the key" Pushing something from the next > two sentences forward would be useful. Not talking about generating the > ephemeral DH key. I suggest: The CMS enveloped-data content type [RFC5652] and the CMS authenticated-enveloped-data content type [RFC5083] support both key transport and key agreement public-key algorithms to establish the key used to encrypt the content. In both cases, the sender randomly generates the content-encryption key, and then all recipients obtain that key. All recipients use the sender-generated symmetric key for decryption. > Section 2 - you have not introduced the KDK yet and now I am creating one. > Perhaps a simple discussion on how what happens is that an additional key > wrap is inserted using ... I suggest: This specification defines two quantum-resistant ways to establish a symmetric key-derivation key. In both cases, the PSK is mixed with the key-derivation key to create a quantum-resistant key-encryption key. The PSK MUST be distributed to the sender and all of the recipients by some out-of-band means that does not make it vulnerable to the future invention of a large-scale quantum computer, and an identifier MUST be assigned to the PSK. The content-encryption key or content-authenticated-encryption key is quantum-resistant, and it is established using these steps: > Section 2 - It would be nice to add a sentence where you say that you are > introducing two new management techniques to say that they are agnostic > towards the underlying key management technique. I am not sure whether the above suggestion resolves this comment or not. > Section 3 - I am wondering if it would make more sense to use the > KEKIdentifier structure instead of just having an octet string for the > PreSharedKeyIdentifier type? KEKIdentifier ::= SEQUENCE { keyIdentifier OCTET STRING, date GeneralizedTime OPTIONAL, other OtherKeyAttribute OPTIONAL } I think you are suggesting that the PreSharedKeyIdentifier would represent a set of keys and that the date and other fields would be used to select among the keys in the set. I cannot see how that makes it easier to deploy. > Section 4 - This is twice that I have read this and am unclear what we are > doing. The sentence "private key and recipient's public key to generate a > pairwise key" From this and from information in my mind I am not completely > clear that this is the DH pairwise key or something else. I suggest: originator is a CHOICE with three alternatives specifying the sender's key agreement public key. Implementations MUST support all three alternatives for specifying the sender's public key. The sender uses their own private key and the recipient's public key to generate a pairwise symmetric secret value. A key derivation function (KDF) is used to mix the PSK and the pairwise symmetric secret value to produce a key-encryption key. The OriginatorIdentifierOrKey type is described in Section 6.2.2 of [RFC5652]. > Summary: Is it your thought that I should be able to implement this > document as written? A the moment I do not believe that this is possible. > Do we need to define how the KDF function operates? I needs to add text. In short, I see the secret input the the KDF simply being the concatenation of the PSK and the key-derivation key. In addition, the context string should be either "KeyTransPSKRecipientInfo" or "KeyAgreePSKRecipientInfo". Russ
- [lamps] Review draft-ietf-lamps-cms-mix-with-psk-… Jim Schaad
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Russ Housley
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Jim Schaad
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Russ Housley
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Russ Housley
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Jim Schaad
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Russ Housley
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Russ Housley
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Jim Schaad
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Russ Housley
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Jim Schaad
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Russ Housley
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Jim Schaad
- Re: [lamps] Review draft-ietf-lamps-cms-mix-with-… Russ Housley