-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposed addition/modification to CMS artifacts section in README.md #166
Comments
For simplicity, and to avoid combinatorial explosion, should we just stick to the MUSTs for CMS artifacts? |
Not sure. Having test artifacts beyond the MTIs isn't necessarily a bad thing. |
@carl-wallace sure. But I think the above description is clearer right? The file names etc. and the MTI artifacts which MUST be present. We can also verify anything else submitted as well, no harm. But the test should fail if an MTI is not present. |
I don't think anything MUST be present for any provider in this repo. To my eye, the utility of this endeavor is in teasing out spec bugs, making sure there is interoperability where there are common algorithms between implementations, etc. The above description seems useful to me, but is brainpool actually an MTI for composite KEM? |
@carl-wallace the musts are from the drafts. For example,
https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-kem/ Section 8.1 |
Thanks for the reference (the current data tracker outage impeded my loading the draft). Be that as it may, I don't see "failing a test" because one only submitted a subset of artifacts. But that's just, like, my opinion:-) But, it's also only a draft at present. I wonder if these MTIs will all stick. |
@jethrolow created an automation: I was thinking we could do something similar for CMS artifacts. So, from that point of view, what would be the rows? Just MTI artifacts? If not just MTI artifacts, it would be difficult to list all possible combinations as rows right? |
This is not a comment about the draft. Nor does it express an opinion on what MTI artifacts should be. This is a comment about the language in the README.md file and about its clarity to, at least, developers like me. And, how we can create an automation to test CMS artifacts. Perhaps we can test the MTI artifacts as rows in an automation page. And have one extra row as Others which tests the rest and shows pass/fail in that row. |
Perhaps the following can weigh in here:
[✅] @carl-wallace
[❓] @dghgit
[❓] @ounsworth
CMS -- artifacts_cms_v2.zip
This is version 2 of the CMS artifacts format. It may change, if it needs to change.
Within
providers/<provider_name>/[implementation_name/]
artifacts_cms_v2/
subfolder which will contain the artifactsartifacts_cms_v2/expected_plaintext.txt
# The message which was encrypted and can be compared against the decrypted artifacts.artifacts_cms_v2/ukm.txt
# The User Keying Material (UKM) included in some of the enveloped messages.artifacts_cms_v2/<ta oid>_<ta friendly name>_ta.der
# ML-DSA trust anchor used to sign the KEM end-entity certificates:- For MlKem512 use MlDsa44
- For MlKem768 and MlKem768 based composites, use MlDsa65
- For MlKem1024 and MlKem1024 based composites use MlDsa87
artifacts_cms_v2/<oid>_<friendly>_ee.der
# The KEM certificate that the message is enveloped to.artifacts_cms_v2/<oid>_<friendly>_priv.der
# The private key to decrypt the enveloped messages.artifacts_cms_v2/<oid>_<friendly>_kemri_ukm_<kdf>.der
# An Enveloped artifact using KEMRI’s UKM field and one of the Mandatory to Implement (MTI) KDFs for the KEM algorithm.artifacts_cms_v2/<oid>_<friendly>_kemri_auth_<kdf>.der
# An AuthEnveloped artifact using KEMRI without UKM and one of the MTI KDFs for the KEM algorithm.artifacts_cms_v2/<oid>_<friendly>_kemri_<kdf>.der
# Enveloped artifacts using KEMRI without UKM and the specified KDF.Friendly
Per #96 we would like a text description of the algorithm in the artifact names to make artifacts directory listings easier to read. Stick something same in there, for example the appropriate name from oid_mapping.md.
Trust Anchor
A trust anchor isn't necessary to verify the KEMRecipientInfo artifacts, but if you provide it, we can test that the EE certificate is signed by the TA. If it is not provided, this test will be skipped.
DER vs PEM
We picked DER encoding so there's not an extra layer to mess up. You probably have a DER<->PEM re-encoding tool.
Encryption Algorithms
Use
id-aes<size>wrap
for KEK algorithm where<size>
is appropriate for your<oid>
. Each I-D/RFC should specify this.Use
aes-<size>-gcm
for the CEK algorithm in the<oid>_kemri_auth_<kdf>.der
artifact. Useaes-<size>-cbc
for all others.MTI KDFs
Each RFC will specify MTI KDFs, and allow for others as well.
You MUST have a
<oid>_<friendly>_kemri_<kdf>
,<oid>_<friendly>_kemri_ukm_<kdf>.der
, and<oid>_<friendly>_kemri_auth_<kdf>.der
artifacts for all MTI KDFs.You MAY provider artifacts for other KDFs with the following caveats:-
Pure ML-KEM (
draft-ietf-lamps-cms-kyber-05
Section 2.2.2):Composite ML-KEM (
draft-ietf-lamps-pq-composite-kem-05
Section 8.1):The following are the MTI KDFs for ML-KEM based pure and composites:
<kdf> string
The following is the MTI KDF for RSA-KEM:
<kdf> string
* Based on draft-ietf-lamps-cms-kyber-05
** Based on draft-ietf-lamps-pq-composite-kem-05
*** Based on draft draft-ietf-lamps-rfc5990bis-10
The markdown for the above is:
The text was updated successfully, but these errors were encountered: