draft-ietf-lamps-cms-mix-with-psk-04.txt   draft-ietf-lamps-cms-mix-with-psk-05.txt 
INTERNET-DRAFT R. Housley INTERNET-DRAFT R. Housley
Internet Engineering Task Force (IETF) Vigil Security Internet Engineering Task Force (IETF) Vigil Security
Intended Status: Proposed Standard Intended Status: Proposed Standard
Expires: 11 November 2019 10 May 2019 Expires: 5 December 2019 5 June 2019
Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS) Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)
<draft-ietf-lamps-cms-mix-with-psk-04.txt> <draft-ietf-lamps-cms-mix-with-psk-05.txt>
Abstract Abstract
The invention of a large-scale quantum computer would pose a serious The invention of a large-scale quantum computer would pose a serious
challenge for the cryptographic algorithms that are widely deployed challenge for the cryptographic algorithms that are widely deployed
today. The Cryptographic Message Syntax (CMS) supports key transport today. The Cryptographic Message Syntax (CMS) supports key transport
and key agreement algorithms that could be broken by the invention of and key agreement algorithms that could be broken by the invention of
such a quantum computer. By storing communications that are such a quantum computer. By storing communications that are
protected with the CMS today, someone could decrypt them in the protected with the CMS today, someone could decrypt them in the
future when a large-scale quantum computer becomes available. Once future when a large-scale quantum computer becomes available. Once
skipping to change at page 2, line 27 skipping to change at page 2, line 27
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. ASN.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. ASN.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Version Numbers . . . . . . . . . . . . . . . . . . . . . 4 1.3. Version Numbers . . . . . . . . . . . . . . . . . . . . . 4
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. KeyTransPSKRecipientInfo . . . . . . . . . . . . . . . . . . . 6 3. KeyTransPSKRecipientInfo . . . . . . . . . . . . . . . . . . . 6
4. KeyAgreePSKRecipientInfo . . . . . . . . . . . . . . . . . . . 7 4. KeyAgreePSKRecipientInfo . . . . . . . . . . . . . . . . . . . 7
5. Key Derivation . . . . . . . . . . . . . . . . . . . . . . . . 9 5. Key Derivation . . . . . . . . . . . . . . . . . . . . . . . . 9
6. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . . . . 10 6. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 14 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 15
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
10.1. Normative References . . . . . . . . . . . . . . . . . . 15 10.1. Normative References . . . . . . . . . . . . . . . . . . 16
10.2. Informative References . . . . . . . . . . . . . . . . . 16 10.2. Informative References . . . . . . . . . . . . . . . . . 16
Appendix A: Key Transport with PSK Example . . . . . . . . . . . . 17 Appendix A: Key Transport with PSK Example . . . . . . . . . . . . 17
A.1. Originator Processing Example . . . . . . . . . . . . . . 17 A.1. Originator Processing Example . . . . . . . . . . . . . . 18
A.2. ContentInfo and AuthEnvelopedData . . . . . . . . . . . . 20 A.2. ContentInfo and AuthEnvelopedData . . . . . . . . . . . . 20
A.3. Recipient Processing Example . . . . . . . . . . . . . . . 22 A.3. Recipient Processing Example . . . . . . . . . . . . . . . 22
Appendix B: Key Agreement with PSK Example . . . . . . . . . . . . 23 Appendix B: Key Agreement with PSK Example . . . . . . . . . . . . 23
B.1. Originator Processing Example . . . . . . . . . . . . . . 23 B.1. Originator Processing Example . . . . . . . . . . . . . . 23
B.2. ContentInfo and AuthEnvelopedData . . . . . . . . . . . . 26 B.2. ContentInfo and AuthEnvelopedData . . . . . . . . . . . . 26
B.3. Recipient Processing Example . . . . . . . . . . . . . . . 27 B.3. Recipient Processing Example . . . . . . . . . . . . . . . 27
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 29 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 29
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 29 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 29
1. Introduction 1. Introduction
The invention of a large-scale quantum computer would pose a serious The invention of a large-scale quantum computer would pose a serious
challenge for the cryptographic algorithms that are widely deployed challenge for the cryptographic algorithms that are widely deployed
today. It is an open question whether or not it is feasible to build today. It is an open question whether or not it is feasible to build
a large-scale quantum computer, and if so, when that might happen. a large-scale quantum computer, and if so, when that might happen.
However, if such a quantum computer is invented, many of the However, if such a quantum computer is invented, many of the
cryptographic algorithms and the security protocols that use them cryptographic algorithms and the security protocols that use them
would become vulnerable. would become vulnerable.
The Cryptographic Message Syntax (CMS) [RFC5652][RFC5803] supports The Cryptographic Message Syntax (CMS) [RFC5652][RFC5083] supports
key transport and key agreement algorithms that could be broken by key transport and key agreement algorithms that could be broken by
the invention of a large-scale quantum computer [C2PQ]. These the invention of a large-scale quantum computer [C2PQ]. These
algorithms include RSA [RFC8017], Diffie-Hellman [RFC2631], and algorithms include RSA [RFC8017], Diffie-Hellman [RFC2631], and
Elliptic Curve Diffie-Hellman [RFC5753]. As a result, an adversary Elliptic Curve Diffie-Hellman [RFC5753]. As a result, an adversary
that stores CMS-protected communications today, could decrypt those that stores CMS-protected communications today, could decrypt those
communications in the future when a large-scale quantum computer communications in the future when a large-scale quantum computer
becomes available. becomes available.
Once quantum-secure key management algorithms are available, the CMS Once quantum-secure key management algorithms are available, the CMS
will be extended to support them, if the existing syntax does not will be extended to support them, if the existing syntax does not
skipping to change at page 14, line 12 skipping to change at page 14, line 12
KeyAgreePSKRecipientInfo. Doing so would make the content vulnerable KeyAgreePSKRecipientInfo. Doing so would make the content vulnerable
to the future invention of a large-scale quantum computer. to the future invention of a large-scale quantum computer.
Implementers should not send the same content in different messages, Implementers should not send the same content in different messages,
one using a quantum-resistant key management algorithm and the other one using a quantum-resistant key management algorithm and the other
using a non-quantum-resistant key management algorithm, even if the using a non-quantum-resistant key management algorithm, even if the
content-encryption key is generated independently. Doing so may content-encryption key is generated independently. Doing so may
allow an eavesdropper to correlate the messages, making the content allow an eavesdropper to correlate the messages, making the content
vulnerable to the future invention of a large-scale quantum computer. vulnerable to the future invention of a large-scale quantum computer.
This specification does not require that PSK is known only by the
sender and recipients. The PSK may be known to a group. Since
confidentiality depends on the key transport or key agreement
algorithm, knowledge of the PSK by other parties does not enable
eavesdropping. However, group members can record the traffic of
other members, and then decrypt it if they ever gain access to a
large-scale quantum computer. Also, when many parties know the PSK,
there are many opportunities for theft of the PSK by an attacker.
Once an attacker has the PSK, they can decrypt stored traffic if they
ever gain access to a large-scale quantum computer in the same manner
as a legitimate group member.
Sound cryptographic key hygiene is to use a key for one and only one Sound cryptographic key hygiene is to use a key for one and only one
purpose. Use of the recipient's public key for both the traditional purpose. Use of the recipient's public key for both the traditional
CMS and the PSK-mixing variation specified in this document would be CMS and the PSK-mixing variation specified in this document would be
a violations of this principle; however, there is no known way for an a violation of this principle; however, there is no known way for an
attacker to take advantage of this situation. However, an attacker to take advantage of this situation. That said, an
application should enforce separation whenever possible. For application should enforce separation whenever possible. For
example, an purpose identifier for use in the X.509 extended key example, an purpose identifier for use in the X.509 extended key
usage certificate extension [RFC5280] could be identified in the usage certificate extension [RFC5280] could be identified in the
future to indicate that a public key should only be used in future to indicate that a public key should only be used in
conjunction with a PSK, or only without. conjunction with a PSK, or only without.
Implementations must randomly generate key-derivation keys as well as Implementations must randomly generate key-derivation keys as well as
the content-encryption keys or content-authenticated-encryption keys. the content-encryption keys or content-authenticated-encryption keys.
Also, the generation of public/private key pairs for the key Also, the generation of public/private key pairs for the key
transport and key agreement algorithms rely on a random numbers. The transport and key agreement algorithms rely on a random numbers. The
skipping to change at page 16, line 21 skipping to change at page 16, line 38
Encoding Rules (CER) and Distinguished Encoding Rules Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", ITU-T Recommendation X.690, 2015. (DER)", ITU-T Recommendation X.690, 2015.
10.2. Informative References 10.2. Informative References
[AES] National Institute of Standards and Technology, FIPS Pub [AES] National Institute of Standards and Technology, FIPS Pub
197: Advanced Encryption Standard (AES), 26 November 2001. 197: Advanced Encryption Standard (AES), 26 November 2001.
[C2PQ] Hoffman, P., "The Transition from Classical to Post- [C2PQ] Hoffman, P., "The Transition from Classical to Post-
Quantum Cryptography", work-in-progress, draft-hoffman- Quantum Cryptography", work-in-progress, draft-hoffman-
c2pq-03, February 2018. c2pq-04, August 2018.
[H2019] Hammell, J., "Re: [lamps] WG Last Call for draft-ietf-
lamps-cms-mix-with-psk", <https://mailarchive.ietf.org/
arch/msg/spasm/_6d_4jp3sOprAnbU2fp_yp_-6-k>, 27 May 2019.
[IANA-MOD] https://www.iana.org/assignments/smi-numbers/smi- [IANA-MOD] https://www.iana.org/assignments/smi-numbers/smi-
numbers.xhtml#security-smime-0. numbers.xhtml#security-smime-0.
[IANA-SMIME] https://www.iana.org/assignments/smi-numbers/smi- [IANA-SMIME] https://www.iana.org/assignments/smi-numbers/smi-
numbers.xhtml#security-smime. numbers.xhtml#security-smime.
[IANA-ORI] https://www.iana.org/assignments/smi-numbers/smi- [IANA-ORI] https://www.iana.org/assignments/smi-numbers/smi-
numbers.xhtml#security-smime-13. numbers.xhtml#security-smime-13.
skipping to change at page 23, line 39 skipping to change at page 23, line 39
Appendix B: Key Agreement with PSK Example Appendix B: Key Agreement with PSK Example
This example shows the establishment of an AES-256 content-encryption This example shows the establishment of an AES-256 content-encryption
key using: key using:
- a pre-shared key of 256 bits; - a pre-shared key of 256 bits;
- key agreement using ECDH on curve P-384 and X9.63 KDF - key agreement using ECDH on curve P-384 and X9.63 KDF
with SHA-384; with SHA-384;
- key derivation using HKDF with SHA-384; and - key derivation using HKDF with SHA-384; and
- key wrap using AES-256-KEYWRAP. - key wrap using AES-256-KEYWRAP.
In real-world use, the originator would treat themselves as an additional In real-world use, the originator would treat themselves as an
recipient by performing key agreement with their own static public key additional recipient by performing key agreement with their own
the ephemeral private key generated for this message. This is omited in static public key and the ephemeral private key generated for this
an attempt to simplify the example. message. This is omited in an attempt to simplify the example.
B.1. Originator Processing Example B.1. Originator Processing Example
The pre-shared key known to Alice and Bob: The pre-shared key known to Alice and Bob:
4aa53cbf500850dd583a5d9821605c6fa228fb5917f87c1c078660214e2d83e4 4aa53cbf500850dd583a5d9821605c6fa228fb5917f87c1c078660214e2d83e4
The identifier assigned to the pre-shared key is: The identifier assigned to the pre-shared key is:
ptf-kmc:216840110121 ptf-kmc:216840110121
Alice randomly generates a content-encryption key: Alice randomly generates a content-encryption key:
skipping to change at page 29, line 12 skipping to change at page 29, line 12
The resutling plaintext content is: The resutling plaintext content is:
48656c6c6f2c20776f726c6421 48656c6c6f2c20776f726c6421
Acknowledgements Acknowledgements
Many thanks to Burt Kaliski, Panos Kampanakis, Jim Schaad, Sean Many thanks to Burt Kaliski, Panos Kampanakis, Jim Schaad, Sean
Turner, and Daniel Van Geest for their review and insightful Turner, and Daniel Van Geest for their review and insightful
comments. They have greatly improved the design, clarity, and comments. They have greatly improved the design, clarity, and
implementation guidance. implementation guidance.
The security properties provided by the mechanisms specified in this
document can be validated using formal methods. A ProVerif proof in
[H2019] shows that an attacker with a large-scale quantum computer
that is capable of breaking the Diffie-Hellman key agreement
algorithm cannot disrupt the delivery of the content-encryption key
to the recipient and the attacker cannot learn the content-encryption
key from the protocol exchange.
Author's Address Author's Address
Russ Housley Russ Housley
Vigil Security, LLC Vigil Security, LLC
516 Dranesville Road 516 Dranesville Road
Herndon, VA 20170 Herndon, VA 20170
USA USA
EMail: housley@vigilsec.com EMail: housley@vigilsec.com
 End of changes. 11 change blocks. 
14 lines changed or deleted 38 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/