Expand Scope to include CMS #26
Comments
|
Here's a first attempt. It's based on https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber/ In the absence of any other OIDs I've used the following: id-kem-trans 1.3.6.1.4.1.22554.5 No KDF is specified (KDF is set to NULL in GenericKemTransParameters, I've assumed the others resolve to AlgorithmIdentifier), key wrapping is done using AES-128 KWP. The encrypted payload is the kyber certifcate (slowly working towards CMP). The kyber certificate can be verified using issuer_cert.pem which is a Dilithium certificate. Kyber public key has been encoded the same way we've been encoding Dilithium public keys (so value octets in the SubjectPublicKeyInfo BIT STRING). The Kyber private key in a OneAsymmetricKey and has been encoded as: https://www.ietf.org/archive/id/draft-uni-qsckeys-kyber-00.html for details. Here's the PEM files: Questions:
at the moment OPTIONAL would be enough as I can't really imagine the structure needing to change (I've generated a few different envelopes now, it seems to meet everything we currently try to do), that said experience has shown that my imagination is not always as wild as I think it is and that the extra flexibility that a tag provides might help in future. Any questions or feedback, please let me know. Thanks. |
|
Thanks David,
This is very timely. I have just started work on a KEMRecipientInfo draft with Russ and Tomofumi. We are going to propose that the OtherRecipientInfo type be used, and this is the structure we current have, but a couple pieces are in flux still (document hasn’t even been adopted by IETF yet), but still wanted to let you know what we are thinking.
KEM Recipient Information
This document defines KEMRecipientInfo for use with KEM algorithms.
As specified in Section 6.2.5 of [RFC5652], recipient information for
additional key management techniques are represented in the
OtherRecipientInfo type, and they are each identified by a unique
ASN.1 object identifier.
The object identifier associate with KEMRecipientInfo is:
id-ori OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 13 }
id-ori-kem OBJECT IDENTIFIER ::= { id-ori TBD1 }
The KEMRecipientInfo type is:
KEMRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0
rid RecipientIdentifier,
kem KEMAlgorithmIdentifier,
kemct OCTET STRING,
kdf KeyDerivationAlgorithmIdentifier,
kekLength INTEGER (1..MAX),
tweak [0] OCTET STRING OPTIONAL,
wrap KeyEncryptionAlgorithmIdentifier,
encryptedKey EncryptedKey }
The fields of the KEMRecipientInfo type have the following meanings:
version is the syntax version number. The version MUST be 0. The
CMSVersion type is described in Section 10.2.5 of [RFC5652].
rid specifies the recipient's certificate or key that was used by the
originator to with the Encapsulate() function. The
RecipientIdentifier provides two alternatives for specifying the
recipient's certificate [RFC5280], and thereby the recipient's public
key. The recipient's certificate MUST contain a KEM public key.
Therefore, a recipient X.509 version 3 certificate that contains a
key usage extension MUST assert the keyEncipherment bit. The
issuerAndSerialNumber alternative identifies the recipient's
certificate by the issuer's distinguished name and the certificate
serial number; the subjectKeyIdentifier identifies the recipient's
certificate by a key identifier. When an X.509 certificate is
referenced, the key identifier matches the X.509 subjectKeyIdentifier
extension value. When other certificate formats are referenced, the
documents that specify the certificate format and their use with the
CMS must include details on matching the key identifier to the
appropriate certificate field. For recipient processing,
implementations MUST support both of these alternatives for
specifying the recipient's certificate. For originator processing,
implementations MUST support at least one of these alternatives.
kem identifies the KEM algorithm, and any associated parameters, used
by the originator. The KEMAlgorithmIdentifier is described in
Section 4.
kemct is the ciphertext produced by the Encapsulate() function for
this recipient.
kdf identifies the key-derivation algorithm, and any associated
parameters, used by the originator to generate the key-encryption
key. The KeyDerivationAlgorithmIdentifier is described in
Section 10.1.6 of [RFC5652].
keyEncryptionAlgorithm identifies a key-encryption algorithm used to
encrypt the content-encryption key. The
KeyEncryptionAlgorithmIdentifier is described in Section 10.1.3 of
[RFC5652].
kekLength is the length of the key encryption key (the key used to encrypted the content-encryption key)
tweak (maybe change to ukm) is optional data used based on Tweakable Ciphers. Could include nonce, IV or other data required for the kem algorithm being used. This is currently here thinking of future compatibility.
wrap KeyEncryptionAlgorithmIdentifier – The Algorithm Identifier for the algorithm that will protect the content-encryption key, which will be of length kekLength.
encryptedKey is the result of encrypting the content-encryption key
or the content-authenticated-encryption key with the key-encryption
key. EncryptedKey is an OCTET STRING.
Thoughts?
Cheers,
John Gray
From: David Hook ***@***.***>
Sent: Thursday, January 12, 2023 9:33 PM
To: IETF-Hackathon/pqc-certificates ***@***.***>
Cc: John Gray ***@***.***>; Author ***@***.***>
Subject: [EXTERNAL] Re: [IETF-Hackathon/pqc-certificates] Expand Scope to include CMS (Issue #26)
WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
…________________________________
Here's a first attempt.
It's based on https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber/<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-lamps-kyber/__;!!FJ-Y8qCqXTj2!fBs_ToaQx6oFEWlZATOuP_TjDMNHu4Xj5vfn2_hgIrD4sMHGMT7ug8hQ-Lte-d6MKPyu6YDVxW5AfhBbWq7eIF-Z9KH8tiQ$>
In the absence of any other OIDs I've used the following:
id-kem-trans 1.3.6.1.4.1.22554.5
id-kyber512 1.3.6.1.4.1.22554.5.6.1
No KDF is specified (KDF is set to NULL in GenericKemTransParameters, I've assumed the others resolve to AlgorithmIdentifier), key wrapping is done using AES-128 KWP.
The encrypted payload is the kyber certifcate (slowly working towards CMP). The kyber certificate can be verified using issuer_cert.pem which is a Dilithium certificate. Kyber public key has been encoded the same way we've been encoding Dilithium public keys (so value octets in the SubjectPublicKeyInfo BIT STRING).
The Kyber private key in a OneAsymmetricKey and has been encoded as: https://www.ietf.org/archive/id/draft-uni-qsckeys-kyber-00.html<https://urldefense.com/v3/__https:/www.ietf.org/archive/id/draft-uni-qsckeys-kyber-00.html__;!!FJ-Y8qCqXTj2!fBs_ToaQx6oFEWlZATOuP_TjDMNHu4Xj5vfn2_hgIrD4sMHGMT7ug8hQ-Lte-d6MKPyu6YDVxW5AfhBbWq7eIF-Zb7ZaO10$> for details.
KyberPrivateKey ::= SEQUENCE {
version INTEGER {v0(0)} -- version (round 3)
s OCTET STRING, -- EMPTY
hpk OCTET STRING -- EMPTY
nonce OCTET STRING, -- d
publicKey [0] IMPLICIT KyberPublicKey OPTIONAL,
}
Here's the PEM files:
kyber_cms.zip<https://urldefense.com/v3/__https:/github.com/IETF-Hackathon/pqc-certificates/files/10407496/kyber_cms.zip__;!!FJ-Y8qCqXTj2!fBs_ToaQx6oFEWlZATOuP_TjDMNHu4Xj5vfn2_hgIrD4sMHGMT7ug8hQ-Lte-d6MKPyu6YDVxW5AfhBbWq7eIF-Zp-1BCxU$>
Questions:
* is everyone happy with the OIDs? If so can we get them added to the oid_mapping,md file until some real ones are available, if not, would someone add the appropriate OIDs for the id-kem-trans and id-kyber512. If the OIDs are okay, id-kyber768 will be "1.3.6.1.4.1.22554.5.6.2" and id-kyber1024 will be "1.3.6.1.4.1.22554.5.6.3"
* GenericKemTransParameters feels really odd at the moment, it does make sense that the kdf is the second entry, but I'd like to suggest that it gets flagged as OPTIONAL and gets written as:
GenericKemTransParameters ::= {
kem KeyEncapsulationMechanism,
kdf [1] KeyDerivationFunction OPTIONAL,
wrap KeyWrappingMechanism
}
at the moment OPTIONAL would be enough as I can't really imagine the structure needing to change (I've generated a few different envelopes now, it seems to meet everything we currently try to do), that said experience has shown that my imagination is not always as wild as I think it is and that the extra flexibility that a tag provides might help in future.
Any questions or feedback, please let me know. Thanks.
—
Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/IETF-Hackathon/pqc-certificates/issues/26*issuecomment-1381237376__;Iw!!FJ-Y8qCqXTj2!fBs_ToaQx6oFEWlZATOuP_TjDMNHu4Xj5vfn2_hgIrD4sMHGMT7ug8hQ-Lte-d6MKPyu6YDVxW5AfhBbWq7eIF-ZrWnFf2M$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/ANFGAWM6NXOBTC7UFRAUORDWSC5D7ANCNFSM6AAAAAATVMWOC4__;!!FJ-Y8qCqXTj2!fBs_ToaQx6oFEWlZATOuP_TjDMNHu4Xj5vfn2_hgIrD4sMHGMT7ug8hQ-Lte-d6MKPyu6YDVxW5AfhBbWq7eIF-Z3JVaFfU$>.
You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
|
|
So, this would also work. In some ways it's cleaner, while following the practice of RFC 5990 with truncating the encapsulation and the wrapped key works okay, it does assume that the encapsulation will always be some easily known length, I'd agree for these algorithms that may not be an assumption which will always stand up (and apart from anything, it does save people the problem of splitting things up and it may make it easier to deal with HSM that just implement the generic operations). I think KDF should still be optional as well, With the RSA KEM you have to specify a KDF (the payload just being a big integer to use as a seed), but all the PQC KEMs already use one internally (at least as far as I can tell) - a KDF will only be necessary where the KEM's parameter set output doesn't match what's in kekLength, but where it does it's probably better to use the KEM as designed. One other suggestion, at the risk of being pedantic, I think "kemct" should be called "kemenc" (KEM ENCapsulation). I've spent a bit of time explaining these algorithms to people now - for programmers with some familiarity of the domain encapsulation is a better term to use. When people hear the word "cipher text" they immediately think these things behave like RSA OAEP/PKCS1.5 - I think we really need to get people away from that. While it's true that some KEMs can be used like that, the security strengths of the different parameter sets rely in part on how the payload is managed and the core shared secret generation is done on that basis. Of course this is also true with RSA, but as it's not really enforced, and getting around it is easy, I've had people come to us with uses of RSA that are, to put it plainly, frightening. I'd feel better if we could put as much distance between the use of KEMs and RSA's concept of cipher text as possible, so avoiding the term cipher text seems like a good thing. My 2 cents worth. |
|
a KDF will only be necessary where the KEM's parameter set output doesn't match what's in kekLength
To play devil's advocate, if it's too long, then you truncate. If it's too short then you should probably not just stretch it out cause it won't be full entropy; you should probably reject with an incompatible cipher suite error.
I think "kemct" should be called "kemenc" (KEM ENCapsulation). ... I'd feel better if we could put as much distance between the use of KEMs and RSA's concept of cipher text as possible, so avoiding the term cipher text seems like a good thing.
\+1
Ooo I like this. And it's consistent with RFC 9180 (HPKE):
\`shared\_secret, enc = AuthEncap(pkR, skS)\`
They use \`enc\` to refer to the KEM output, and \`ct\` to refer to the AES output.
|
Yes, I'd be scratching my head if I saw someone using a 128 bit secure KEM as the source for a 256 bit AES key... as for going the other way, everything I've read tells me truncation should be fine as well. Still, I know what some people are like about KDFs, so I think it's worth having one as optional and I guess, RFC 5990 notwithstanding, being able to provide a KDF would make this RFC "RSA-style KEM" complete, as in the structure would cover the known KEM universe at that point. |
|
We can make the KDF param OPTIONAL or nullable if we want to allow for cipher suites that omit the KDF. |
|
Hi everyone, So here's the new one, based on: https://www.ietf.org/id/draft-housley-lamps-cms-kemri-01.html I've used the following two made up OIDs: id-ori-kem 1.3.6.1.4.1.22554.5 id-kyber512 1.3.6.1.4.1.22554.5.6.1 I gather there's no prize for guessing what id-ori-kem will be, it just seemed a bit rude of me to preempt it. There's no UKM and after some consultation I've used SHAKE256_len as the KDF - as a dump given as: The key wrapping algorithm is AES256-WRAP with AES128-CBC being used for the encryption of the certificate. Sample files, same setup as before are here: I think it's correct, I can parse and validate it myself, so at least if it's wrong, I'm consistent if not correct. Anyway, any questions, thoughts, or comments, please let me know. Thanks. PS. minor correction, found where I was consistently wrong, should be correct now. |
|
Wow, we barely even got the draft up and you are already implementing it!
I haven’t had a chance to implement it yet myself, as I’ve been busy on working on the drafts. The composite ones are taking up my time these days!
You must be using your own KEM API’s in the BC toolkit at the moment (unless you have already refactored those as well to use the ones the Oracle JEP is proposing)?
I hope to add the JEP API into our Java toolkit sometime and hope it doesn’t change much from the proposed JEP. So many things to do!
Awesome work!
…---
John Gray
From: David Hook ***@***.***>
Sent: Friday, February 17, 2023 1:25 PM
To: IETF-Hackathon/pqc-certificates ***@***.***>
Cc: John Gray ***@***.***>; Author ***@***.***>
Subject: [EXTERNAL] Re: [IETF-Hackathon/pqc-certificates] Expand Scope to include CMS (Issue #26)
WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________
Hi everyone,
So here's the new one, based on:
https://www.ietf.org/id/draft-housley-lamps-cms-kemri-01.html<https://urldefense.com/v3/__https:/www.ietf.org/id/draft-housley-lamps-cms-kemri-01.html__;!!FJ-Y8qCqXTj2!arTFGOWWUU7DHyXd56n6oll6sl3VV32ZkMG4irvSvTSgd3JXAjcoZInHLlNaJgodz4lX2oc_gsCB_ClSVnLdzWyj5dCmTOg$>
I've used the following two made up OIDs:
id-ori-kem 1.3.6.1.4.1.22554.5
id-kyber512 1.3.6.1.4.1.22554.5.6.1
I gather there's no prize for guessing what id-ori-kem will be, it just seemed a bit rude of me to preempt it.
There's no UKM and after some consultation I've used SHAKE256_len as the KDF - as a dump given as:
DER Sequence
ObjectIdentifier(2.16.840.1.101.3.4.2.18)
Integer(256)
The key wrapping algorithm is AES256-WRAP with AES128-CBC being used for the encryption of the certificate.
Sample files, same setup as before are here:
kyber_cms.zip<https://urldefense.com/v3/__https:/github.com/IETF-Hackathon/pqc-certificates/files/10769842/kyber_cms.zip__;!!FJ-Y8qCqXTj2!arTFGOWWUU7DHyXd56n6oll6sl3VV32ZkMG4irvSvTSgd3JXAjcoZInHLlNaJgodz4lX2oc_gsCB_ClSVnLdzWyj2iNRxao$>
I think it's correct, I can parse and validate it myself, so at least if it's wrong, I'm consistent if not correct. Anyway, any questions, thoughts, or comments, please let me know. Thanks.
—
Reply to this email directly, view it on GitHub<https://urldefense.com/v3/__https:/github.com/IETF-Hackathon/pqc-certificates/issues/26*issuecomment-1435068408__;Iw!!FJ-Y8qCqXTj2!arTFGOWWUU7DHyXd56n6oll6sl3VV32ZkMG4irvSvTSgd3JXAjcoZInHLlNaJgodz4lX2oc_gsCB_ClSVnLdzWyjt0rpSv0$>, or unsubscribe<https://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/ANFGAWJ27B53CQH7YW5T4HLWX667DANCNFSM6AAAAAATVMWOC4__;!!FJ-Y8qCqXTj2!arTFGOWWUU7DHyXd56n6oll6sl3VV32ZkMG4irvSvTSgd3JXAjcoZInHLlNaJgodz4lX2oc_gsCB_ClSVnLdzWyjkGHnA9c$>.
You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
|
|
Cheers. Never underestimate the ability of jetlag as a means to find time to work when all is quiet ;-) Yes, it's currently based on the BC adaption. With the JEP, I've actually contacted Max at Oracle about this as well, just to clarify exactly where in the mix they expect things like user-keying-material to be passed in. Yep, this is the wrong year to give up caffeine... |
|
Here's an update - the revision for RFC 5990 includes the official OID for the KEM type for OtherRecipientInfo. This version uses that OID and also creates an EnvelopedData object with the correct version number (should have been 3). The files are generated using commented out code in the testKyberRequestWithDilithiumCA method of: |
Add support for CMS in the repo
Needs .zip file format update to include folders
output matrix needs to be updates
The text was updated successfully, but these errors were encountered: