Session Date/Time: 06 Nov 2023 16:30
lamps
Summary
The LAMPS working group meeting covered a range of topics including updates on documents progressing through the IESG, discussion of KEM integration in CMS and CMP, and the AES CBC/GCM attack mitigation proposal. Several documents are nearing working group last call. A new draft regarding signaling of clear text copies in encrypted email messages was presented, and the working group will consider adoption.
Key Discussion Points
- KEMRI Document (draft-ietf-lamps-cms-kemri): Currently in IESG state. An external party raised concerns about a CBC decryption oracle attack, which exposes the inverse block-cipher operation. Question raised about whether the content-encryption algorithm identifier should be bound into the CMS key derivation. Noted that CMS has never used HPKE.
- CMP Updates and Algorithms (draft-ietf-lamps-cmp-algorithms & draft-ietf-lamps-cmp-updates): Incorporating RFC 9480 material as requested by the IESG. More review is needed on KEM integration into CMP; feedback sought on the contents of KemOtherInfo.
- PKCS #12 PBMAC1 (draft-ietf-lamps-pkcs12-pbmac1-08): In working group last call. Resolved the password-encoding question (legacy PKCS #12 BMPString versus UTF-8 input to PBKDF2). ASN.1 module still needs checking.
- CSR Attestation (draft-ietf-lamps-csr-attestation): Aiming to integrate hardware key attestation into CSRs. Discussed changes to ASN.1 structure (evidence bundles), addressing CRMF incompatibility, and handling freshness/nonces in attestations.
- EST/CMP Nonce (draft-hietala-lamps-est-cmp-nonce): Presentation on how to introduce nonces to enrollment protocols like EST and CMP to provide freshness for attestations.
- OCSP (draft-zhou-lamps-ocsp-ecdsa): Ready for working group last call.
- Kyber Certs (draft-brown-lamps-kyber-certs): Update on the draft. Discussed the potential rename to ML-KEM and the private key format. Example certificates will be included with a warning that they were produced with an older version of the algorithm.
- CMS Kyber (draft-jivsov-lamps-cms-kem): Editorial changes, added references to related drafts. Discussed renaming to ML-KEM and the algorithm combinations; the AES-192 option is to be replaced with AES-256.
- End-to-End Mail Guidance (draft-richardson-lamps-e2e-mail-guidance): Discussed scenarios where a single message might be sent encrypted to some recipients and in clear text to others, and how mail user agents should handle this.
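The PKCS #12 password-encoding point above is a recurring interoperability trap: the legacy PKCS #12 MAC and KDF (RFC 7292, Appendix B) consume the password as a BMPString (UTF-16BE) followed by a two-byte NUL terminator, whereas PBKDF2 in the PBMAC1 path takes a plain octet string, which the draft (as I read it) specifies as the UTF-8 bytes. The following is an added example, not text or code from the draft; the salt, iteration count and key length are constructed values.

```python
"""PKCS #12 password encodings: legacy MAC/KDF (RFC 7292, Appendix B) vs. PBMAC1 (PBKDF2).
Constructed example; the UTF-8 rule for the PBMAC1 path is my reading of the draft."""
import hashlib


def legacy_pkcs12_password_bytes(password: str) -> bytes:
    """RFC 7292 Appendix B: the BMPString (UTF-16BE) bytes plus a two-byte NUL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def pbmac1_password_bytes(password: str) -> bytes:
    """PBMAC1 path: PBKDF2 consumes the UTF-8 bytes of the password, no terminator."""
    return password.encode("utf-8")


def pbmac1_mac_key(password: str, salt: bytes, iterations: int, key_len: int = 32,
                   legacy_encoding: bool = False) -> bytes:
    """PBKDF2-HMAC-SHA256 key for the PBMAC1 MAC. legacy_encoding=True models the
    interop bug of feeding the RFC 7292 BMPString bytes into PBKDF2 instead."""
    pw = legacy_pkcs12_password_bytes(password) if legacy_encoding else pbmac1_password_bytes(password)
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, key_len)


def demo() -> dict:
    """For each sample password, report whether the two encodings yield different MAC keys."""
    salt, iters = bytes(range(16)), 2048  # constructed parameters, not from any real file
    result = {}
    for pw in ("secret", "pässwörd"):
        good = pbmac1_mac_key(pw, salt, iters)
        bad = pbmac1_mac_key(pw, salt, iters, legacy_encoding=True)
        result[pw] = good != bad
    return result


if __name__ == "__main__":
    print(demo())
```

Note that the two byte strings differ even for pure-ASCII passwords (the UTF-16 zero bytes and the terminator), so a verifier that applies the legacy encoding on the PBMAC1 path fails every MAC check, not just those with non-ASCII passwords.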
Decisions and Action Items
- Action Item: Note taker to initiate working group last call for the policy graph document (draft-ietf-lamps-cert-policy-data).
- Action Item: Working group to consider adoption of the end-to-end mail guidance document (draft-richardson-lamps-e2e-mail-guidance).
- Action Item: Note taker to initiate working group call for adoption for the end-to-end mail guidance document.
Next Steps
- Address open issues and comments raised for each document.
- Continue discussion on the mailing list for key design choices.
- Advance documents towards working group last call where applicable.
Session Date/Time: 08 Nov 2023 13:30
lamps
Summary
The LAMPS working group meeting covered a range of topics, including a new downgrade attack on CMS, potential mitigations for that attack, updates on existing drafts related to header protection and email guidance, composite KEMs and signatures, and a discussion of strategies for dealing with large public keys in certificates. Several drafts were discussed with calls for adoption initiated for some.
Key Discussion Points
- Downgrade Attack on CMS (Falko):
  - A new attack was presented that exploits CBC decryption within CMS when AEAD modes are in use, potentially allowing recovery of low-entropy plaintext blocks.
  - The attack works by relabeling a message so that a vulnerable recipient decrypts it with CBC under the same key; the garbled plaintext it returns lets the attacker verify guesses about the original content.
  - S/MIME was investigated first, but exploitation there is less straightforward; the focus shifted to the broader CMS context.
  - A key-separation mitigation was proposed: bind the encryption algorithm to the key it is used with.
  - The attack breaks the CCA2 security of the AEAD modes because CBC decryption accepts modified messages.
- Mitigation via KDF (Scott):
  - Proposed applying a Key Derivation Function (KDF) to the CEK (Content Encryption Key), with the content-encryption algorithm identifier as input.
  - The KDF would be signaled by a new OID carried in the unprotected attributes of the CMS structure.
  - Stripping that attribute would deny the attacker access to the content, which defeats the attack at the cost of a possible denial of service.
  - The derived CEK must depend on the mode in use.
  - Whether a CMS-specific salt should be included in the HKDF to prevent cross-protocol attacks was discussed without conclusion.
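To make the attack and the mitigation concrete, here is an added toy model (not the draft's or the presenters' code). It shows the two mechanics described above: a CBC decryption oracle turning GCM (CTR) ciphertext into a guess-verification oracle for a low-entropy block, and an HKDF binding of the CEK to the algorithm OID that makes the relabeled ciphertext decrypt under an unrelated key. AES is replaced by a small Feistel permutation so the script needs only the standard library; the attack does not depend on which block cipher is used. The OIDs are the real AES-128-CBC and AES-128-GCM identifiers; the salt label, the CEK, nonce and plaintext are constructed, and the unprotected-attribute signaling is not modeled.

```python
"""Toy model of the CMS AES-CBC / AES-GCM key-reuse downgrade and a KDF-binding mitigation.
Constructed example. The block cipher is a 4-round Feistel stand-in for AES so the
script runs with the standard library only; the attack logic is cipher-agnostic."""
import hashlib
import hmac

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed permutation on 16-byte blocks (stand-in for AES-128 encryption)."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse permutation (stand-in for AES-128 decryption)."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def gcm_style_encrypt(key: bytes, nonce12: bytes, plaintext: bytes) -> bytes:
    """GCM confidentiality core: CTR with J_i = nonce || 32-bit counter starting at 2."""
    out = b""
    for i in range(0, len(plaintext), BLOCK):  # toy: whole blocks only
        j_i = nonce12 + (i // BLOCK + 2).to_bytes(4, "big")
        out += _xor(plaintext[i:i + BLOCK], block_encrypt(key, j_i))
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Raw CBC decryption with no padding check: the garbled data a recipient that
    accepts a relabeled AES-CBC EnvelopedData may hand back to the attacker."""
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return out


def recover_block(oracle, nonce12: bytes, gcm_ct: bytes, index: int, candidates):
    """Attacker side. oracle(iv, cbc_ct) returns the recipient's CBC plaintext.
    If guess P* for GCM block i is right, C_i XOR P* is the keystream E_K(J_i), and
    CBC-decrypting that single block under a zero IV yields D_K(E_K(J_i)) = J_i,
    which the attacker knows. One oracle query per candidate."""
    c_i = gcm_ct[index * BLOCK:(index + 1) * BLOCK]
    j_i = nonce12 + (index + 2).to_bytes(4, "big")
    for guess in candidates:
        if oracle(bytes(BLOCK), _xor(c_i, guess)) == j_i:
            return guess
    return None


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 16) -> bytes:
    """RFC 5869 HKDF-SHA256, extract then expand."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, t, n = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([n]), hashlib.sha256).digest()
        okm, n = okm + t, n + 1
    return okm[:length]


# DER-encoded OIDs of the two content-encryption algorithms (real values).
OID_AES128_CBC = bytes.fromhex("0609608648016503040102")  # 2.16.840.1.101.3.4.1.2
OID_AES128_GCM = bytes.fromhex("0609608648016503040106")  # 2.16.840.1.101.3.4.1.6
CMS_SALT = b"CMS-CEK-binding"  # hypothetical context label, not taken from the draft


def bind_cek(cek: bytes, alg_oid: bytes) -> bytes:
    """Mitigation: per-algorithm key derived from the CEK and the algorithm OID, so a
    ciphertext relabeled from GCM to CBC is decrypted under an unrelated key."""
    return hkdf_sha256(cek, CMS_SALT, alg_oid)


def demo():
    cek = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed CEK
    nonce = bytes(range(12))  # constructed GCM nonce, visible in the CMS structure
    plaintext = b"Amount: 100 USD " + b"Transfer approvd"  # two 16-byte blocks
    candidates = [b"Amount: %3d USD " % n for n in range(1000)]  # guesses for block 0
    # Unmitigated: one CEK serves both modes; the recipient decrypts whatever mode is labeled.
    ct = gcm_style_encrypt(cek, nonce, plaintext)
    recovered = recover_block(lambda iv, c: cbc_decrypt(cek, iv, c), nonce, ct, 0, candidates)
    # Mitigated: the GCM and CBC keys both derive from the CEK but are unrelated.
    ct2 = gcm_style_encrypt(bind_cek(cek, OID_AES128_GCM), nonce, plaintext)
    cbc_key = bind_cek(cek, OID_AES128_CBC)
    not_recovered = recover_block(lambda iv, c: cbc_decrypt(cbc_key, iv, c), nonce, ct2, 0, candidates)
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())  # (b'Amount: 100 USD ', None)
```

The unmitigated run recovers the 1000-candidate block with at most 1000 oracle queries; with the OID bound into the key, the CBC oracle computes the inverse of a different permutation and no candidate matches. The zero IV is what isolates D_K(X) in the oracle output; any IV works, since the attacker can XOR it back out.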
- End-to-End Mail Guidance and Header Protection (DKG):
  - Updates were provided on both drafts, with only minor changes since the last IETF meeting, after working group last call.
  - A request was made to advance both documents out of working group last call.
  - Discussion on external resources in end-to-end email.
- Composite KEMs (Antonio):
  - Draft updates included a formal definition of encapsulation and decapsulation, pseudo code, and reworked wire formats that remove generics from the ASN.1.
  - The public key changed from SEQUENCE OF SubjectPublicKeyInfo to SEQUENCE OF BIT STRING, and the structure is now CompositeKEMPublicKey rather than CompositePublicKey.
  - Removed the dependency on the shared composite text by moving it into the composite KEM and composite signature drafts.
  - Discussion about how to handle combinations of KDF primitives, including the use of KDF3 with SHA-3, and the security considerations of combining key sizes, security levels and symmetric primitives.
  - Open point: dependency on DHKEM (RFC 9180).
- No Revocation Available (Toma):
  - Presentation covered a draft specifying a "no revocation available" certificate extension for short-lived certificates.
  - Concerns were raised about how OCSP responders should treat certificates carrying this extension, and about use cases such as device certificates.
  - Suggested that an OCSP responder should still return a valid response for such certificates.
  - Considerations around the validity period of this type of certificate.
- CMC Bis (Sean):
  - Draft updates focused on removing SHA-1 as the default and updating algorithms in line with current best practice.
  - The working group also looked at a revision of the CMS algorithm recommendations.
  - Discussion on appropriate default algorithms to transition to.
- SHA-3 CMS Individual Draft (Russ):
  - A draft exists to publish OIDs for SHA-3 in CMS; open question whether it would be used in conjunction with the composite draft.
- Hash-Based Signatures (Max):
  - Updates addressed previous comments.
  - Discussion about use cases, specifically code signing for manufacturers and use of hash-based signatures at the root level; alignment with related documents is therefore important.
  - Discussion about whether to split the document into several documents.
  - Open issue on dealing with stateful signatures.
- Composite Signatures (Kevin):
  - Rework of the wire format.
  - Removed the algorithm parameters from the composite signature AlgorithmIdentifier; the OID now fully specifies the component algorithms.
  - Added ML-DSA-44 combinations.
  - Discussion about whether the domain-separation input should be the hash of the DER-encoded OID, the hash of the full AlgorithmIdentifier, or the hash of the full composite key, driven by the property requirements and functionality wanted.
- External Public Keys (David):
  - Discussion on public keys in certificates that are extremely large. Instead of placing the key in the certificate, carry a URL and a hash of the public key in the certificate.
Decisions and Action Items
- KDF Mitigation: Scott will write an internet draft for the proposed KDF-based mitigation.
- End-to-End Mail Guidance and Header Protection: Chairs to follow up on the list to move the documents to the IESG.
- No Revocation Available: Chair to start a call for adoption on mailing list.
- CMC Bis: Remain as current, to allow updates.
- Hash Based Signatures: Chair to start a call for adoption on mailing list.
- Composite Signatures: After changes, move to a call for adoption.
Next Steps
- Authors to continue work on the respective drafts, addressing feedback from the working group.
- Working group to review the drafts and provide additional feedback on the mailing lists.
- Chairs to initiate calls for adoption for the "No Revocation Available," "Hash Based Signatures," and "Composite Signatures" drafts.