Re: ACTION-317: Move derived keys into XML Enc v1.1. from Magnus Nyström on 2009-06-22 (public-xmlsec@w3.org from June 2009)

From: Magnus Nyström <magnus@rsa.com>
Date: Mon, 22 Jun 2009 12:07:15 +0200 (W. Europe Daylight Time)
To: Frederick Hirsch <frederick.hirsch@nokia.com>
cc: XMLSec WG Public List <public-xmlsec@w3.org>
Message-ID: <Pine.WNT.4.64.0906221123220.5012@W-JNISBETTEST-1.tablus.com>
Frederick,

Thanks for reviewing so quickly. My responses below.

On Fri, 19 Jun 2009, Frederick Hirsch wrote:

> Magnus
>
> I have a couple of questions.
>
> Questions related to 5.4:
>
> http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.htm#sec-Alg-KeyDerivation
>
> (1) Regarding section 5.4.1 in XML Encryption, why does the schema not 
> also define SuppPrivInfo to correspond to that item in Section 5.8.1 of 
> NIST 800-56A, it seems this may also need to be optionally conveyed?

This is an oversight, the schema should allow for this.

> (2) Do we need to specify which alternative algorithm in Section 5.8.1 of 
> NIST 800-56A is used, the difference being how OtherInfo is encoded? Perhaps 
> we need a sentence on which encoding is to be used?

Not sure. Brian and Kelvin had suggested that the value "00" be 
interpreted for 3DES and AES-128. I copied that text. Looking at this 
again, it may make sense to add a sentence stating that in this case, the 
complete KDF output is to be interpreted as the key.

> (3) I must be misinterpreting section 5.8 of NIST 800-56A since it seems to 
> read that you can only use a KDF once on a secret, yet I thought the secret 
> could be retained and used with the KDF more than once to generate a variety 
> of keys.
>
> "Each call to the KDF requires a freshly computed shared secret, and this 
> shared secret shall be zeroized immediately following its use. "

For compliance with NIST 800-56A, when using a key derivation function 
_with a key agreement scheme_, the input should be different each time. 
But this just means that either you use at least one ephemeral key pair or 
you make sure to use fresh nonce.

Once you have established the shared keying material, an application can 
derive other keys from it by use of a fresh nonce, for example.

> (4) Maybe it is better to include the Algorithm attribute with URI value in 
> the PRF element, rather than relying on a default value from the schema?
> Perhaps mandate this?

This is in the context of PBKDF2. Yes, including it might be better, 
especially given that PKCS #5 v2.0 Amd.1 defaults to HMAC-SHA1. I'd be 
open to this change (profiling of PKCS #5 v2.0 Amd.1.).

> (5) I notice that the references related to PKCS#5 point to the generic RSA 
> PKCS page rather than the specific PKCS documents. When I tried to access 
> those documents I could not retrieve from the RSA site, had to find mirrors 
> on the internet...

They are available, I have checked in an update with more precise 
references.

> questions on 3.5.2 The DerivedKey Element
>
> (6) What does it mean if there is more than one KeyDerivationMethod? Should 
> there be a maxOccurs of 1?

Maybe I'm confused, but isn't that the default in the schema? ("when an 
element ... is declared without a maxOccurs attribute, the element may not 
occur more than once" (from the Schema Primer).

> (7) In the text " If no MasterKeyName is provided" the formatting of "no" 
> seems wrong. (nit)

There's no special formatting of it in the source.

> (8) Does having Recipient make sense for DerivedKey, given that the Derived 
> Key is used in the same document? Does it make sense?

I am certainly willing to discuss it. I did not originally have this 
attribute, but added it in the May version of Derived Keys after comparing 
with the xenc:EncryptedKey element. It seemed to me that it could make 
sense when an element has been encrypted for several recipients in that it 
could assist a particular recipient in quickly finding the correct 
DerivedKey element (there's no guarantee the MasterKeyName is unique among 
recipients).

> Thanks for updating the XML Encryption 1.1 specification with this material, 
> it seems to be appropriate in this document.

Well thanks for reviewing, Frederick. I wanted to make sure to get this 
ready for review before my vacation (which has now started) so that we 
don't loose time. Intend to dial in tomorrow.

-- Magnus

> On Jun 17, 2009, at 6:49 PM, ext Magnus Nyström wrote:
>
>> This is in response to ACTION-317 that I got during last week's call.
>> 
>> I have now checked in a version of XML Encryption version 1.1 that
>> includes key derivation. In particular, I have:
>> 
>> - Created a new subsection 3.5.2
>> - Created a new subsection 5.4 (and up-ed the numbering of remaining
>>  subsections in Section 5)
>> - Modified section 5.1
>> - Modified section 5.6 - but there remains some work here, especially for
>>  "ordinary" DH - but this is Brian's and Kelvin's ACTION-319.
>> 
>> The above also includes several new examples.
>> 
>> I also added PKCS #5 v2.0 and PKCS #5 v2.0 Amd.1 to the references and
>> updated the reference to PKCS #1 to v2.1 from v2.0.
>> 
>> The schema file has been updated too (it validates) but I have not created
>> a redline version. I have also not changed the explain.html file as I
>> wanted to give the group a chance to review this work before doing so.
>> 
>> -- Magnus
>> 
>
>
Received on Monday, 22 June 2009 10:07:42 UTC