Hi Jim,

I was OOO, catching up with my e-mails.

>>I am trying to figure out what you believe that is going to be added by this. 
>> Unless you see a need to have authenticated attributes at the key wrap level 
>>there is no additional benefit from using the KWP mode rather than the KW 
>>mode.  As these have the same construction and are built on the same 
>>primitive they have the same set of variabilities.


First in the context of AES/FIPS Approved Algorithm Usage, this is a minor 
point, since KW is already providing FIPS Approved Key Wrapping.

The initial motivation for KWP was based on a Constrained Devices Service API 
only 'offering' AES-KWP [1] (e.g. for Protected Storage of an ECC P-521 Private 
Key), which would then have the option to reuse KWP for AES Key Wrap in COSE.
But as you state, KWP is built on the same primitives (is an extension to KW), 
the other option is that the Constrained Device Service API also 'offers' KW 
for Key Wrap in COSE Key Distribution.

Another aspect was on Key Size Length Flexibility: I understand for the defined 
COSE Key Wrap Distribution 'Consumer' Algorithms (AES Keys and HMAC Keys) the 
keys are always a multiple of 64 bits, but thought KWP would give 'higher 
Layers', which want to use COSE Structures, the option to wrap Key Material not 
being a multiple of 64 bits (if required).


Thanks,
Markus

[1] https://tools.ietf.org/html/rfc5649
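
The key-length point in the message above, as an added example that is not part of the original e-mail or of any COSE specification text. It assumes the third-party Python `cryptography` package; the KEK and key material are constructed values, with 66 octets standing in for a P-521 private key.

```python
# Added example: compares RFC 3394 (KW) and RFC 5649 (KWP) on two key lengths.
# Assumes the third-party "cryptography" package; all key bytes are constructed.
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap, aes_key_unwrap, aes_key_unwrap_with_padding,
    aes_key_wrap, aes_key_wrap_with_padding,
)

KEK = bytes(range(16))             # constructed 128-bit key-encryption key
AES256_KEY = bytes(range(32))      # 256 bits, a multiple of 64 bits
P521_SCALAR = bytes(range(1, 67))  # 66 octets, the size of a P-521 private key


def compare(kek: bytes, key_material: bytes) -> dict:
    """Wrap key_material with KW and KWP; report output sizes and interop."""
    out = {"kw_len": None, "kwp_len": None, "kw_unwraps_kwp": False}
    try:
        wrapped = aes_key_wrap(kek, key_material)
        assert aes_key_unwrap(kek, wrapped) == key_material
        out["kw_len"] = len(wrapped)
    except ValueError:
        pass  # KW only accepts input that is a whole number of 64-bit blocks
    wrapped_p = aes_key_wrap_with_padding(kek, key_material)
    assert aes_key_unwrap_with_padding(kek, wrapped_p) == key_material
    out["kwp_len"] = len(wrapped_p)
    try:
        # KWP's integrity value is 0xA65959A6 || length, not KW's default IV,
        # so a recipient that only implements KW rejects KWP output.
        aes_key_unwrap(kek, wrapped_p)
        out["kw_unwraps_kwp"] = True
    except InvalidUnwrap:
        pass
    return out


def tamper_detected(kek: bytes, key_material: bytes) -> bool:
    """Flip one ciphertext bit and confirm the KWP unwrap refuses it."""
    wrapped = bytearray(aes_key_wrap_with_padding(kek, key_material))
    wrapped[-1] ^= 0x01
    try:
        aes_key_unwrap_with_padding(kek, bytes(wrapped))
    except InvalidUnwrap:
        return True
    return False


if __name__ == "__main__":
    for name, km in (("AES-256 key", AES256_KEY), ("P-521 scalar", P521_SCALAR)):
        print(name, len(km), compare(KEK, km))
    print("tamper detected:", tamper_detected(KEK, P521_SCALAR))
```

For 64-bit-aligned keys the two modes produce output of the same length but are not interchangeable, which is why KWP would need its own algorithm identifier.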

-----Original Message-----
From: Jim Schaad <[email protected]> 
Sent: Wednesday, 22 August 2018 21:33
To: Gueller Markus (IFAG CCS ESS TCE CE) <[email protected]>; 
[email protected]
Cc: Hamm Ralph (IFAG CCS ESS D SW A) <[email protected]>; [email protected]
Subject: RE: [COSE] AES/FIPS Approved Algorithm Usage



> -----Original Message-----
> From: COSE <[email protected]> On Behalf Of 
> [email protected]
> Sent: Wednesday, August 22, 2018 7:14 AM
> To: [email protected]
> Cc: [email protected]; [email protected]
> Subject: [COSE] AES/FIPS Approved Algorithm Usage
> 
> All,
> 
> In the context of SUIT we did some analysis how to 'map' SUIT Manifest 
> and Payload into some COSE Crypto Containers with the focus on usage 
> of Algorithms, with the following properties:
> 
> (1) Usage of FIPS Approved Algorithms AND
> (2) Usage of Cipher (AES) Based Algorithms
> 
> Below are some observations, potential suggestions based on our 
> current understanding we would like to share, in case others have 
> interest in usage of AES Based/FIPS Approved Algorithms in COSE.
> 
> 
> A. Cipher Based MAC [COSE-9.2]
> 
> Currently AES-CBC-MAC is specified in COSE.
> Algorithm Identifier for AES-CMAC as specified in [800-38B]/[RFC4493]
> would allow the FIPS approved AES-CMAC Algorithm for usage in COSE MAC 
> Crypto Containers.
> 
> 
> B. Key Derivation Functions [COSE-11]
> 
> For KDF Usage of Secrets that are _uniformly random_:
> 
> _PRF_ Algorithm Identifier(s) based on CMAC, as specified in 
> [800-38B]/[RFC4493] and approved in [800-108] would allow for an FIPS 
> Approved Cipher based PRF.
> 
> _KDF_ Algorithm Identifier(s) (specifying Modes of Iteration) that 
> refer to [800-108] FIPS Approved KDF Algorithm would present a 
> preferred option to allow the Cipher based FIPS Approved KDFs in COSE, 
> since [800-108] seems to be the relevant FIPS Approved KDF Spec for the 
> use case of secrets that are _uniformly random_.
> 
> 
> C. Content Key Distribution 'Direct Key with KDF' [COSE-12.1.2]
> 
> Algorithm Identifiers for Direct Key with KDF using the KDFs from 
> Point B. above would allow Cipher based FIPS Approved 'Direct Key with 
> KDF' in Content Key Distribution/ Recipient Algorithms in COSE.
> 
> 
> D. AES Key Wrap [COSE-12.2.1]
> 
> COSE Key Wrap is referring to [RFC3394], which is satisfying NIST Key 
> Wrap Requirements.
> My understanding is that COSE usage of [RFC3394] supports AES Key Wrap
> (KW) Mode of [800-38F], but does not support AES Key Wrap with Padding
> (KWP) Mode of [800-38F].
> Algorithm Identifier for KWP would provide an additional Approved Key
> Wrap Mode within COSE.

I am trying to figure out what you believe that is going to be added by this.  
Unless you see a need to have authenticated attributes at the key wrap level 
there is no additional benefit from using the KWP mode rather than the KW mode. 
 As these have the same construction and are built on the same primitive they 
have the same set of variabilities.

Jim

> 
> 
> 
> Thanks,
> Markus
> 
> 
> [COSE-9.2] https://tools.ietf.org/html/rfc8152#section-9.2
> [COSE-ref] https://tools.ietf.org/html/rfc8152#ref-MAC
> [COSE-11] https://tools.ietf.org/html/rfc8152#section-11
> [COSE-12.1.2] https://tools.ietf.org/html/rfc8152#section-12.1.2
> [COSE-12.2.1] https://tools.ietf.org/html/rfc8152#section-12.2.1
> 
> 
> [RFC4493] https://tools.ietf.org/html/rfc4493
> [800-38B] https://csrc.nist.gov/publications/detail/sp/800-38b/final
> 
> [800-108] https://csrc.nist.gov/publications/detail/sp/800-108/final
> 
> [800-38F] https://csrc.nist.gov/publications/detail/sp/800-38f/final
> 
> _______________________________________________
> COSE mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cose
