Subject: KMIP Spec v1.2 wd05: Multiple Cryptographic Parameters for a Single Key
I wonder if anyone else has any concerns about this:

KMIP Spec v1.2 wd05

Section 2.1.4 Key Value
The key value may optionally contain Attribute Objects. Multiple Attribute Objects are permitted.

Section 3.6 Cryptographic Parameters
This is an Attribute Object that may contain cryptographic parameters such as Block Cipher Mode, Padding Method, and Cryptographic Algorithm, amongst others. Multiple instances of this Attribute Object are permitted.

Question: Does allowing multiple instances mean that the same field in multiple instances is allowed, and if so, is it allowed to contain different values?

I suspect that a literal interpretation of the text would result in an answer of, "Yes. Yes." But is this what was intended? Or is this what we want it to mean going forward?

Another interpretation that we could apply is that multiple instances of the Attribute Object are permitted, but that fields SHALL not be repeated in each instance. For example, if instance 0 of the attribute has the Block Cipher Mode value set to ECB, then instances 1 through n SHALL not contain a Block Cipher Mode.

If this restriction was not imposed, then it would be possible to have a single key defined to be used in different Block Cipher Modes. The same applies to Padding Method, Cryptographic Algorithm, and other cryptographic parameters.

I suspect that using the same key in different modes, with different padding methods, and/or with different algorithms would be a security concern. Can anyone confirm or refute this?

Is this something that we should clarify or fix in v1.2? Should we require that if certain cryptographic parameters are supplied, and if multiple Cryptographic Parameters Attribute Objects are present, then cryptographic parameters such as Block Cipher Mode, Padding Method, and Algorithm, (for example) SHALL be specified no more than once?
John

----------------------------------------------------------------------
John Leiseboer
Chief technology Officer
QuintessenceLabs Pty Ltd
Suite 23, Physics Building #38
Science Road
Australian National University
Acton ACT 0200
AUSTRALIA
Phone: +61 7 5494 9291 (Qld)
Phone: +61 2 6125 9498 (ACT)
Mobile: +61 409 487 510
Fax: +61 2 6125 7180
Email: JL@quintessencelabs.com
www.quintessencelabs.com
----------------------------------------------------------------------
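
The stricter reading proposed in the message above, sketched as a server-side check; this is an added example, not part of the original post or of the KMIP specification. It assumes each Cryptographic Parameters instance has already been decoded into a plain dict keyed by field name, and the function names and sample values are constructed for illustration.

```python
from collections import defaultdict

def find_repeated_parameters(instances):
    """Map each field that occurs in more than one Cryptographic Parameters
    instance to its list of (instance_index, value) occurrences."""
    seen = defaultdict(list)
    for index, params in enumerate(instances):
        for field, value in params.items():
            seen[field].append((index, value))
    return {field: uses for field, uses in seen.items() if len(uses) > 1}

def check_key(instances):
    """Classify the instances attached to one key.

    "ok":       no field appears in more than one instance
    "repeated": a field is repeated, always with the same value
    "conflict": a field is repeated with different values, i.e. the key
                would be usable under more than one mode/padding/algorithm
    Under the stricter reading, both "repeated" and "conflict" are rejected.
    """
    repeated = find_repeated_parameters(instances)
    conflicts = {
        field: uses
        for field, uses in repeated.items()
        if len({value for _, value in uses}) > 1
    }
    if conflicts:
        return "conflict", conflicts
    if repeated:
        return "repeated", repeated
    return "ok", {}

# Constructed sample inputs (hypothetical decoded attribute instances).
SAMPLE_CONFLICT = [
    {"Block Cipher Mode": "ECB", "Padding Method": "PKCS5"},
    {"Block Cipher Mode": "CBC"},
]
SAMPLE_REPEATED = [
    {"Cryptographic Algorithm": "AES"},
    {"Cryptographic Algorithm": "AES", "Block Cipher Mode": "CBC"},
]
SAMPLE_OK = [
    {"Block Cipher Mode": "CBC"},
    {"Padding Method": "PKCS5"},
]

if __name__ == "__main__":
    for name, sample in [("conflict", SAMPLE_CONFLICT),
                         ("repeated", SAMPLE_REPEATED),
                         ("ok", SAMPLE_OK)]:
        print(name, check_key(sample))
```
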