Hi Peter,
On the definition of Auth-Enveloped for hash-based MAC or other MACs, I have
several comments:
1. In section 3, change KEK( master_secret ) || HMAC( encrypt( data ) ) to KEK(
master_secret ) || encrypt( data ) || MAC( encrypt( data ) ). There is no
description to state that HMAC's output includes its input.
2. On the generation of CEK-K and HMAC-K, I don't see a strong case that the
method described in the draft should be adopted. One call to a KDF to generate
both keys from a master key is much simpler, and this method is also used in
many other standards such as ISO 18033-2.
3. One may want to use other MAC methods instead of HMAC in considering the
security of hash functions.
I'd like to suggest the following generic definition, following ISO 18033-2's
DEM definition.
Following the CCMP and GCMP definitions for Auth-Enveloped-Data:
ContentEncryptionAlgorithmIdentifier ALGORITHM ::= {
  { OID id-aes128-CCM PARAMS CCMParameters } |
  { OID id-aes128-GCM PARAMS GCMParameters } |
  { OID id-data-encapsulation PARAMS DEMParams },
  ... -- Expect additional algorithms --
}

DEMParams ::= SEQUENCE {
  keyDerivationFunction KeyDerivationFunction,
  encAlgo SymmetricCipher,
  macAlgo MacAlgorithm }

KeyDerivationFunction ::= AlgorithmIdentifier {{ KDFAlgorithms }}

KDFAlgorithms ALGORITHM ::= {
  { OID id-PBKDF2 PARAMS PBKDF2-params } | -- For password-based authenticated encryption
  { OID id-kdf-kdf1 PARAMS HashFunction } |
  { OID id-kdf-kdf2 PARAMS HashFunction }, -- For the schemes with the master secret generated by the key transport or key agreement method
  ... -- Expect additional algorithms --
}

SymmetricCipher ::= AlgorithmIdentifier {{ SymmetricCiphers }}

SymmetricCiphers ALGORITHM ::= {
  { OID id-aes128-cbc PARAMS AES-IV },
  ... -- Expect additional algorithms --
}

AES-IV ::= OCTET STRING

MacAlgorithm ::= AlgorithmIdentifier {{ MACAlgorithms }}

MACAlgorithms ALGORITHM ::= {
  { OID hMAC-SHA1 PARAMS NULL },
  ... -- Expect additional algorithms such as OMAC or EMAC --
}
Regards,
Michael Cheng
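Michael's three points together describe an encrypt-then-MAC data encapsulation mechanism: a single KDF call on the master secret yields CEK-K and HMAC-K, the data is encrypted, and the MAC is taken over the ciphertext rather than the plaintext. The Go program below is an added illustration of that layout; it is not code from the draft, from ISO 18033-2, or from anyone on this thread. It instantiates the KDF as ISO 18033-2 KDF2 with SHA-256, the cipher as AES-128-CBC and the MAC as HMAC-SHA-256; the 16+32 byte split of the KDF output, the decision to MAC the IV together with the ciphertext, and every sample value are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// kdf2 is ISO/IEC 18033-2 KDF2 instantiated with SHA-256:
// Hash(Z || I2OSP(1,4)) || Hash(Z || I2OSP(2,4)) || ..., truncated to length bytes.
// (KDF1 is the same construction with the counter starting at 0.)
func kdf2(z []byte, length int) []byte {
	var out []byte
	for counter := uint32(1); len(out) < length; counter++ {
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], counter)
		h := sha256.New()
		h.Write(z)
		h.Write(ctr[:])
		out = h.Sum(out) // Sum appends this block's digest to out
	}
	return out[:length]
}

// deriveKeys is the single KDF call: one output, split into the AES-128
// content-encryption key (CEK-K) and the HMAC-SHA-256 key (HMAC-K).
func deriveKeys(masterSecret []byte) (cek, mack []byte) {
	km := kdf2(masterSecret, 16+32)
	return km[:16], km[16:]
}

// PKCS#7 padding so CBC sees a whole number of blocks.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// demEncrypt returns encrypt(data) and MAC(encrypt(data)). The MAC input is
// IV || ciphertext (an assumption of this example) so the IV is covered as well.
func demEncrypt(masterSecret, iv, plaintext []byte) (ct, tag []byte, err error) {
	cek, mack := deriveKeys(masterSecret)
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, nil, errors.New("iv must be one block long")
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	m := hmac.New(sha256.New, mack)
	m.Write(iv)
	m.Write(ct)
	return ct, m.Sum(nil), nil
}

// demDecrypt checks the tag (constant-time compare) before any decryption or
// padding check, so a modified ciphertext is rejected without touching the cipher.
func demDecrypt(masterSecret, iv, ct, tag []byte) ([]byte, error) {
	cek, mack := deriveKeys(masterSecret)
	m := hmac.New(sha256.New, mack)
	m.Write(iv)
	m.Write(ct)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, errors.New("MAC verification failed")
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("bad iv or ciphertext length")
	}
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	return pkcs7Unpad(padded, block.BlockSize())
}

func main() {
	// Constructed sample values; a real sender takes the master secret from the
	// key-transport or key-agreement step and draws a fresh random IV per message.
	masterSecret := []byte("constructed master secret")
	iv := bytes.Repeat([]byte{0x42}, 16)
	ct, tag, err := demEncrypt(masterSecret, iv, []byte("hello, S/MIME"))
	if err != nil {
		panic(err)
	}
	pt, err := demDecrypt(masterSecret, iv, ct, tag)
	fmt.Printf("recovered %q, err=%v\n", pt, err)
	ct[0] ^= 0x01 // flip one ciphertext bit: the MAC check fails first
	_, err = demDecrypt(masterSecret, iv, ct, tag)
	fmt.Println("after tampering:", err)
}
```

Because the receiver verifies the MAC over the ciphertext before decrypting, a padding error can never be observed by someone who cannot produce a valid tag, which is the property the encrypt-then-MAC ordering in point 1 buys over MAC-then-encrypt.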
-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org Turner, Sean P.
Sent: 2007-12-10 20:50
To: ietf-smime(_at_)imc(_dot_)org
Cc:
Subject: FW: I-D Action:draft-gutmann-cms-hmac-enc-00.txt
The following draft was produced by Peter as a result of a thread on the
S/MIME list from about a year ago. The draft specifies how to use the
Authenticated-Enveloped-Data type with HMAC. Since it has been a year I'd
like to gauge interest in adopting the draft in the WG. I for one think we
should address it in S/MIME.
spt
-----Original Message-----
From: Internet-Drafts(_at_)ietf(_dot_)org
[mailto:Internet-Drafts(_at_)ietf(_dot_)org]
Sent: Monday, December 10, 2007 5:00 AM
To: i-d-announce(_at_)ietf(_dot_)org
Subject: I-D Action:draft-gutmann-cms-hmac-enc-00.txt
A New Internet-Draft is available from the on-line Internet-Drafts
directories.
Title : Using HMAC-authenticated Encryption in the
Cryptographic Message Syntax (CMS)
Author(s) : P. Gutmann
Filename : draft-gutmann-cms-hmac-enc-00.txt
Pages : 13
Date : 2007-12-10
This document specifies the conventions for using HMAC-authenticated
encryption with the Cryptographic Message Syntax (CMS) authenticated-
enveloped-data content type. This mirrors the use of HMAC combined with an
encryption algorithm that's already employed in IPsec, SSL/TLS, and SSH,
which is widely supported in existing crypto libraries and hardware, and has
been extensively analysed by the crypto community.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-gutmann-cms-hmac-enc-00.txt
To remove yourself from the I-D Announcement list, send a message to
i-d-announce-request(_at_)ietf(_dot_)org with the word unsubscribe in
the body of the message.
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
to change your subscription settings.
Internet-Drafts are also available by anonymous FTP. Login with the
username "anonymous" and a password of your e-mail address. After logging
in, type "cd internet-drafts" and then
"get draft-gutmann-cms-hmac-enc-00.txt".
A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html or
ftp://ftp.ietf.org/ietf/1shadow-sites.txt
Internet-Drafts can also be obtained by e-mail.
Send a message to:
mailserv(_at_)ietf(_dot_)org(_dot_)
In the body type:
"FILE /internet-drafts/draft-gutmann-cms-hmac-enc-00.txt".
NOTE: The mail server at ietf.org can return the document in
MIME-encoded form by using the "mpack" utility. To use this
feature, insert the command "ENCODING mime" before the "FILE"
command. To decode the response(s), you will need "munpack" or
a MIME-compliant mail reader. Different MIME-compliant mail readers
exhibit different behavior, especially when dealing with
"multipart" MIME messages (i.e. documents which have been split
up into multiple messages), so check your local documentation on
how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.