Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)
draft-ietf-lamps-cms-mix-with-psk-07

Document history

Date Rev. By Action
2019-12-12
07 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2019-12-09
07 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2019-11-25
07 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2019-09-03
07 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2019-08-30
07 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2019-08-30
07 (System) IANA Action state changed to In Progress from Waiting on Authors
2019-08-29
07 (System) IANA Action state changed to Waiting on Authors from In Progress
2019-08-27
07 (System) RFC Editor state changed to EDIT
2019-08-27
07 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2019-08-27
07 (System) Announcement was received by RFC Editor
2019-08-26
07 Gunter Van de Velde Assignment of request for Last Call review by OPSDIR to Sarah Banks was marked no-response
2019-08-26
07 (System) IANA Action state changed to In Progress
2019-08-26
07 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2019-08-26
07 Amy Vezza IESG has approved the document
2019-08-26
07 Amy Vezza Closed "Approve" ballot
2019-08-26
07 Amy Vezza Ballot approval text was generated
2019-08-26
07 Roman Danyliw IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup
2019-08-23
07 Benjamin Kaduk [Ballot comment]
Thank you for addressing my Discuss point!
2019-08-23
07 Benjamin Kaduk [Ballot Position Update] Position for Benjamin Kaduk has been changed to No Objection from Discuss
2019-08-23
07 (System) Sub state has been changed to AD Followup from Revised ID Needed
2019-08-23
07 (System) IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2019-08-23
07 Russ Housley New version available: draft-ietf-lamps-cms-mix-with-psk-07.txt
2019-08-23
07 (System) New version approved
2019-08-23
07 (System) Request for posting confirmation emailed to previous authors: Russ Housley
2019-08-23
07 Russ Housley Uploaded new revision
2019-08-22
06 Cindy Morgan IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation
2019-08-22
06 Ignas Bagdonas [Ballot Position Update] New position, No Objection, has been recorded for Ignas Bagdonas
2019-08-21
06 Warren Kumari [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari
2019-08-21
06 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2019-08-21
06 Alissa Cooper [Ballot comment]
I did not review this document but I'm balloting on the basis of the Gen-ART review.
2019-08-21
06 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2019-08-21
06 Martin Vigoureux [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux
2019-08-20
06 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2019-08-20
06 Phillip Hallam-Baker Request for Telechat review by SECDIR Completed: Ready. Reviewer: Phillip Hallam-Baker. Sent review to list.
2019-08-20
06 Suresh Krishnan [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan
2019-08-19
06 Adam Roach
[Ballot comment]

Thanks for the work on this document. It seems like a useful tool
to add to the crypto toolkit, and it does a good job of explaining
exactly how to apply the described technique. I have one minor
comment.

§7:

I don't generally have a deep understanding of the math behind
encryption, and I didn't take the time to really align the technique
in this document with the bit of crypto that I do understand, so
forgive me if this is a naive observation: I was somewhat surprised
to see no text in here regarding the advisability (or lack thereof)
regarding re-use of PSKs across different sessions.
2019-08-19
06 Adam Roach Ballot comment text updated for Adam Roach
2019-08-19
06 Adam Roach
[Ballot comment]

Thanks for the work on this document. It seems like a useful tool
to add to the crypto toolkit, and it does a good job of explaining
exactly how to apply the described technique. I have one minor comment
and a nit.

---------------------------------------------------------------------------

§7:

I don't generally have a deep understanding of the math behind
encryption, and I didn't take the time to really align the technique
in this document with the bit of crypto that I do understand, so
forgive me if this is a naive observation: I was somewhat surprised
to see no text in here regarding the advisability (or lack thereof)
regarding re-use of PSKs across different sessions.

---------------------------------------------------------------------------

ID Nits reports:

  == Unused Reference: 'RFC6268' is defined on line 796, but no explicit
    reference was found in the text
2019-08-19
06 Adam Roach [Ballot Position Update] New position, No Objection, has been recorded for Adam Roach
2019-08-19
06 (System) IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed
2019-08-19
06 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2019-08-19
06 Mirja Kühlewind [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind
2019-08-19
06 Alexey Melnikov [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov
2019-08-16
06 Benjamin Kaduk
[Ballot discuss]
I think we need to have a discussion about the abstract API for a
KEY-DERIVATION instance and how that relates to what we need for a key
combination operation.  In Section 5 we assume that we can use the
HKDF terminology, but that doesn't seem to hold universally for
KEY-DERIVATION; for example, while HKDF has IKM, salt, and info, PBKDF2
(from RFC 3211 that AFAICT introduces keyDerivationAlgorithm for CMS) is
specified by RFC 2898 as taking just the input secret (password) and a
salt, with no separate 'info' (and of course the different iteration
count and PRF parameters needed for its construction).  I note (with
chagrin, as sponsoring AD) that RFC 8619 says "PARAMS ARE absent" for
the HKDF-based KEY-DERIVATION instances but is silent about how one is
supposed to know what to pass for salt/info (the IKM we can perhaps
assume will be obvious).

In short, should we be seeking to define a distinct key combination
operation like KRB-FX-CF2 (RFC6113) rather than trying to repurpose key
derivation?  Some KDFs support this fairly well, but it's not clear to
me that it is a universal property.  For example, the proof in [H2019]
seems to be assuming HKDF but this draft does not (as is clearly seen
from the use of the X9.63 KDF in one of the examples).
2019-08-16
06 Benjamin Kaduk
[Ballot comment]
Do we need to document the risk of "algorithm mismatch" that is present
because we use separate algorithm identifiers for KDF, key-encryption,
key-agreement, etc. (vs. a "cipher-suite"-like approach that bundles
together a known-good combination)?  In particular, I see we talk about
the key length for content- and key-encryption algorithms, but are there
other constraints that should be applied?

Section 2

                                  The PSK MUST be distributed to the
  sender and all of the recipients by some out-of-band means that does
  not make it vulnerable to the future invention of a large-scale
  quantum computer, and an identifier MUST be assigned to the PSK.

What are the uniqueness/scope requirements for that identifier?

Section 3

      ktris contains one KeyTransRecipientInfo type for each recipient;
      it uses a key transport algorithm to establish the key-derivation
      key.  KeyTransRecipientInfo is described in Section 6.2.1 of
      [RFC5652].

I think we need to be more clear that the 'encryptedKey' member of
KeyTransRecipientInfo contains not the "result of encrypting the
content-encryption key for this recipient" per RFC 5652, but rather the
"result of encrypting the key-derivation key for this recipient".  That
is, to call out how we are deviating from RFC 5652.

Section 5

  Many key derivation functions (KDFs) internally employ a one-way hash
  function.  When this is the case, the hash function that is used is
  identified by the KeyDerivationAlgorithmIdentifier.  HKDF [RFC5869]

(editorial?) This reads as if the KeyDerivationAlgorithmIdentifier is
going to be (e.g.) 2.16.840.1.101.3.4.2.1 for regular SHA-256, which is
presumably not the case.  It sounds more like "indicated by" or
"indicated as part of the semantics of the" would be more appropriate.

(side note) Is there a story behind using 5 and 10 for the ENUMERATED
values?

        CMSORIforPSKOtherInfo ::= SEQUENCE {
          psk                    OCTET STRING,
          keyMgmtAlgType        ENUMERATED {
            keyTrans              (5),
            keyAgree              (10) },
          keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
          pskLength              INTEGER (1..MAX),
          kdkLength              INTEGER (1..MAX) }

If psk is encoded as an OCTET STRING (i.e., including its length), why
do we need a separate pskLength field?

Section 7

  material.  Compromise of the key-encryption key may result in the
  disclosure of all content-encryption keys or content-authenticated-
  encryption keys that were protected with that keying material, which
  in turn may result in the disclosure of the content.

a nit, but for the key-agreement variant we have two things that we call
"key-encryption key"s, so use of the definite article here is
potentially ambiguous.

  This specification does not require that PSK is known only by the
  sender and recipients.  The PSK may be known to a group.  Since
  confidentiality depends on the key transport or key agreement
  algorithm, knowledge of the PSK by other parties does not enable
  eavesdropping.  However, group members can record the traffic of

Would it be appropriate to add either "inherently" (enable
eavesdropping) or "with currently available technology"?

  Implementers should be aware that cryptographic algorithms become
  weaker with time.  As new cryptoanalysis techniques are developed and

nit: "cryptanalysis"

Section 8

With respect to "not really making privacy worse", this does seem to
risk exposing that a group of (identified) recipients/participants share
access to a single PSK (identity), which could potentially correlate
them for other sorts of surveillance/attack.

Section 10.2

Don't RFCs 5911, 5912, and 6268 need to be normative since we import
from them in the ASN.1 module?

Section A.1

[I did not attempt to validate the examples.]

  The pre-shared key known to Alice and Bob:
      c244cdd11a0d1f39d9b61282770244fb0f6befb91ab7f96cb05213365cf95b15

(Should we say it's in hex?  Similarly for other non-ASCII-armored
fields, especially the PSK identifier which looks like it is more of a
string than a hex-encoded binary blob)
2019-08-16
06 Benjamin Kaduk [Ballot Position Update] New position, Discuss, has been recorded for Benjamin Kaduk
2019-08-16
06 Robert Sparks Request for Telechat review by GENART Completed: Ready. Reviewer: Robert Sparks. Sent review to list.
2019-08-15
06 Jean Mahoney Request for Telechat review by GENART is assigned to Robert Sparks
2019-08-15
06 Tero Kivinen Request for Telechat review by SECDIR is assigned to Phillip Hallam-Baker
2019-08-12
06 Roman Danyliw IESG state changed to IESG Evaluation from Waiting for Writeup
2019-08-12
06 Samuel Weiler Assignment of request for Last Call review by SECDIR to Samuel Weiler was rejected
2019-08-12
06 Cindy Morgan Placed on agenda for telechat - 2019-08-22
2019-08-12
06 Roman Danyliw Ballot has been issued
2019-08-12
06 Roman Danyliw [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw
2019-08-12
06 Roman Danyliw Created "Approve" ballot
2019-08-12
06 Roman Danyliw Ballot writeup was changed
2019-08-06
06 (System) IANA Review state changed to Version Changed - Review Needed from IANA - Not OK
2019-08-06
06 Russ Housley New version available: draft-ietf-lamps-cms-mix-with-psk-06.txt
2019-08-06
06 (System) New version approved
2019-08-06
06 (System) Request for posting confirmation emailed to previous authors: Russ Housley
2019-08-06
06 Russ Housley Uploaded new revision
2019-08-06
05 (System) IANA Review state changed to IANA - Not OK from IANA - Review Needed
2019-08-06
05 Sabrina Tanamal
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has completed its review of draft-ietf-lamps-cms-mix-with-psk-05. If any part of this review is inaccurate, please let us know.

The IANA Functions Operator understands that, upon approval of this document, there are three actions which we must complete.

First, in the SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0) registry on the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry page located at:

https://www.iana.org/assignments/smi-numbers/

a single, new registration is to be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-mod-cms-ori-psk-2017
Reference: [ RFC-to-be ]

As this document requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

Second, in the SMI Security for S/MIME Mail Security (1.2.840.113549.1.9.16) registry also on the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry page located at:

https://www.iana.org/assignments/smi-numbers/

a single, new registration is to be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-ori
Reference: [ RFC-to-be ]

As this also requests registrations in a Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

Third, a new registry is to be created on the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry page located at:

https://www.iana.org/assignments/smi-numbers/

The new registry will be called the SMI Security for Other Recipient Info Identifiers (1.2.840.113549.1.9.16.TBD) registry where TBD will be chosen at the time of registry creation. The new registry will be managed through Specification Required as defined in RFC 8126.

There are two, initial registrations in the new registry as follows:

Decimal: 1
Description: id-ori-keyTransPSK
Reference: [ RFC-to-be ]

Decimal: 2
Description: id-ori-keyAgreePSK
Reference: [ RFC-to-be ]

The IANA Functions Operator understands that these are the only actions required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

Thank you,

Sabrina Tanamal
Senior IANA Services Specialist
2019-08-06
05 (System) IESG state changed to Waiting for Writeup from In Last Call
2019-08-01
05 Tero Kivinen Request for Last Call review by SECDIR is assigned to Samuel Weiler
2019-07-30
05 Robert Sparks Request for Last Call review by GENART Completed: Ready with Issues. Reviewer: Robert Sparks. Sent review to list.
2019-07-26
05 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Sarah Banks
2019-07-18
05 Jean Mahoney Request for Last Call review by GENART is assigned to Robert Sparks
2019-07-16
05 Cindy Morgan IANA Review state changed to IANA - Review Needed
2019-07-16
05 Cindy Morgan
The following Last Call announcement was sent out (ends 2019-08-06):

From: The IESG
To: IETF-Announce
CC: rdd@cert.org, lamps-chairs@ietf.org, draft-ietf-lamps-cms-mix-with-psk@ietf.org, spasm@ietf.org, Tim Hollebeek , tim.hollebeek@digicert.com
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'Using
Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2019-08-06. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.

Abstract


  The invention of a large-scale quantum computer would pose a serious
  challenge for the cryptographic algorithms that are widely deployed
  today.  The Cryptographic Message Syntax (CMS) supports key transport
  and key agreement algorithms that could be broken by the invention of
  such a quantum computer.  By storing communications that are
  protected with the CMS today, someone could decrypt them in the
  future when a large-scale quantum computer becomes available.  Once
  quantum-secure key management algorithms are available, the CMS will
  be extended to support the new algorithms, if the existing syntax
  does not accommodate them.  In the near-term, this document describes
  a mechanism to protect today's communication from the future
  invention of a large-scale quantum computer by mixing the output of
  key transport and key agreement algorithms with a pre-shared key.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-mix-with-psk/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-mix-with-psk/ballot/


No IPR declarations have been submitted directly on this I-D.




2019-07-16
05 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2019-07-16
05 Cindy Morgan Last call announcement was changed
2019-07-16
05 Roman Danyliw Last call was requested
2019-07-16
05 Roman Danyliw Last call announcement was generated
2019-07-16
05 Roman Danyliw Ballot approval text was generated
2019-07-16
05 Roman Danyliw Ballot writeup was generated
2019-07-16
05 Roman Danyliw IESG state changed to Last Call Requested from Publication Requested
2019-07-16
05 Roman Danyliw AD Review: https://mailarchive.ietf.org/arch/msg/spasm/tkMuMESBPxi2Km0nPWi06c_aKc8
2019-06-05
05 Russ Housley New version available: draft-ietf-lamps-cms-mix-with-psk-05.txt
2019-06-05
05 (System) New version approved
2019-06-05
05 (System) Request for posting confirmation emailed to previous authors: Russ Housley
2019-06-05
05 Russ Housley Uploaded new revision
2019-05-16
04 Tim Hollebeek
Shepherd Write-up for draft-ietf-lamps-cms-mix-with-psk-04


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)?  Why is this the proper type of RFC?  Is this type of RFC indicated in the title page header?

  Proposed Standard.  Yes, the title page indicates that type of RFC.
 

(2) The IESG approval announcement includes a Document Announcement Write-Up.  Please provide such a Document Announcement Write-Up.  Recent examples can be found in the "Action" announcements for approved documents.  The approval announcement contains the following sections:

  Technical Summary:

  This document specifies a way of mixing a pre-shared key into the
  output of key transport and key agreement algorithms used as part
  of messages encoding using Cryptographic Message Syntax (CMS).
  This is a mechanism that can be used today that will protect against
  message decryption by future adversaries once cryptographically
  relevant quantum computers become available.  This bridges the gap
  until quantum-safe key transport and key agreement algorithms are
  available.

  Working Group Summary:

  There is consensus for this document in the LAMPS WG.

  Document Quality:

  The document is well-written and easy to understand.

  Personnel:

    Tim Hollebeek is the document shepherd.
    Roman Danyliw is the responsible area director.


(3) Briefly describe the review of this document that was performed by the Document Shepherd.  If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

  The document shepherd and other LAMPS WG participants reviewed the
  document during WG Last Call.  All issues raised have been resolved.


(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization?  If so, describe the review that took place.

  No special review needed.


(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of?  For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it.  In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.  If not, explain why?

  The author explicitly stated that he is unaware of any unexpired
  IPR related to this document.


(8) Has an IPR disclosure been filed that references this document?  If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

  No IPR disclosures have been submitted against this Internet-Draft.


(9) How solid is the WG consensus behind this document?  Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

  There is consensus for this document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme discontent?  If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director.  (It should be in a separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this document.  (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist).  Boilerplate checks are not enough; this check needs to be thorough.

  The author has been informed of some trivial mistakes; fixes will be rolled into any other changes generated as part of IETF Last Call:

  - Two lines slightly longer than 72 characters.
  - Typo: RFC 5803 should be RFC 5083.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

  None needed.


(13) Have all references within this document been identified as either normative or informative?

  Yes, the references are divided into normative and informative.


(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state?  If such normative references exist, what is the plan for their completion?

  All references are already published.


(15) Are there downward normative references (see RFC 3967)?
If so, list these downward references to support the Area Director in the Last Call procedure.

  There are no downward references.


(16) Will publication of this document change the status of any existing RFCs?  Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction?  If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed.  If this information is not in the document, explain why the WG considers it unnecessary.

  Publication of this document will not change the status of any
  other document.


(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document.  Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

  Referenced IANA registries are clearly identified.


(18) List any new IANA registries that require Expert Review for future allocations.  Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.

  ASN.1 is used, and the module in Section 6 compiles without
  errors or warnings.
2019-05-16
04 Tim Hollebeek Responsible AD changed to Roman Danyliw
2019-05-16
04 Tim Hollebeek IETF WG state changed to Submitted to IESG for Publication from WG Document
2019-05-16
04 Tim Hollebeek IESG state changed to Publication Requested from I-D Exists
2019-05-16
04 Tim Hollebeek IESG process started in state Publication Requested
2019-05-16
04 Tim Hollebeek
Shepherd Write-up for draft-ietf-lamps-cms-mix-with-psk-04


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)?  Why is this the proper type of RFC?  Is this type of RFC indicated in the title page header?

  Proposed Standard.  Yes, the title page indicates that type of RFC.
 

(2) The IESG approval announcement includes a Document Announcement Write-Up.  Please provide such a Document Announcement Write-Up.  Recent examples can be found in the "Action" announcements for approved documents.  The approval announcement contains the following sections:

  Technical Summary:

  This document specifies a way of mixing a pre-shared key into the
  output of key transport and key agreement algorithms used as part
  of messages encoding using Cryptographic Message Syntax (CMS).
  This is a mechanism that can be used today that will protect against
  message decryption by future adversaries once cryptographically
  relevant quantum computers become available.  This bridges the gap
  until quantum-safe key transport and key agreement algorithms are
  available.

  Working Group Summary:

  There is consensus for this document in the LAMPS WG.

  Document Quality:

  The document is well-written and easy to understand.

  Personnel:

    Tim Hollebeek is the document shepherd.
    Roman Danyliw is the responsible area director.


(3) Briefly describe the review of this document that was performed by the Document Shepherd.  If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.

  The document shepherd and other LAMPS WG participants reviewed the
  document during WG Last Call.  All issues raised have been resolved.


(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization?  If so, describe the review that took place.

  No special review needed.


(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of?  For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it.  In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed.  If not, explain why?

  The author explicitly stated that he is unaware of any unexpired
  IPR related to this document.


(8) Has an IPR disclosure been filed that references this document?  If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

  No IPR disclosures have been submitted against this Internet-Draft.


(9) How solid is the WG consensus behind this document?  Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

  There is consensus for this document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme discontent?  If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director.  (It should be in a separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this document.  (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist).  Boilerplate checks are not enough; this check needs to be thorough.

  The author has been informed of some trivial mistakes; fixes will be rolled into any other changes generated as part of IETF Last Call:

  - Two lines slightly longer than 72 characters.
  - Typo: RFC 5803 should be RFC 5083.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

  None needed.


(13) Have all references within this document been identified as either normative or informative?

  Yes, the references are divided into normative and informative.


(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state?  If such normative references exist, what is the plan for their completion?

  All references are already published.


(15) Are there downward normative references (see RFC 3967)?
If so, list these downward references to support the Area Director in the Last Call procedure.

  There are no downward references.


(16) Will publication of this document change the status of any existing RFCs?  Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction?  If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed.  If this information is not in the document, explain why the WG considers it unnecessary.

  Publication of this document will not change the status of any
  other document.


(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document.  Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocation procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

  Referenced IANA registries are clearly identified.


(18) List any new IANA registries that require Expert Review for future allocations.  Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.

  ASN.1 is used, and the module in Section 6 compiles without
  errors or warnings.
2019-05-16
04 Tim Hollebeek Changed consensus to Yes from Unknown
2019-05-16
04 Tim Hollebeek Intended Status changed to Proposed Standard from None
2019-05-16
04 Russ Housley Notification list changed to Tim Hollebeek <tim.hollebeek@digicert.com>
2019-05-16
04 Russ Housley Document shepherd changed to Tim Hollebeek
2019-05-10
04 Russ Housley New version available: draft-ietf-lamps-cms-mix-with-psk-04.txt
2019-05-10
04 (System) New version approved
2019-05-10
04 (System) Request for posting confirmation emailed to previous authors: Russ Housley
2019-05-10
04 Russ Housley Uploaded new revision
2019-03-24
03 Russ Housley Added to session: IETF-104: lamps  Tue-1120
2019-03-08
03 Russ Housley New version available: draft-ietf-lamps-cms-mix-with-psk-03.txt
2019-03-08
03 (System) New version approved
2019-03-08
03 (System) Request for posting confirmation emailed to previous authors: Russ Housley
2019-03-08
03 Russ Housley Uploaded new revision
2018-12-14
02 Russ Housley New version available: draft-ietf-lamps-cms-mix-with-psk-02.txt
2018-12-14
02 (System) New version approved
2018-12-14
02 (System) Request for posting confirmation emailed to previous authors: Russell Housley
2018-12-14
02 Russ Housley Uploaded new revision
2018-11-19
01 Russ Housley New version available: draft-ietf-lamps-cms-mix-with-psk-01.txt
2018-11-19
01 (System) New version approved
2018-11-19
01 (System) Request for posting confirmation emailed to previous authors: Russell Housley
2018-11-19
01 Russ Housley Uploaded new revision
2018-09-17
00 Russ Housley This document now replaces draft-housley-cms-mix-with-psk instead of None
2018-09-17
00 Russ Housley New version available: draft-ietf-lamps-cms-mix-with-psk-00.txt
2018-09-17
00 (System) WG -00 approved
2018-09-17
00 Russ Housley Set submitter to "Russell Housley ", replaces to (none) and sent approval email to group chairs: lamps-chairs@ietf.org
2018-09-17
00 Russ Housley Uploaded new revision