Groups - KMIP Spec updates for OAEP and PSS.pdf uploaded

[Bruce Rich<bar@cryptsoft.com>]

        Submitter's message
        It started out innocently enough.  All I was trying to do was to make my way through cs-ac-m-2-13.xml (Verify a Signature done with RSA2048 bit key), but I found a few things missing.

One thing that's not actually missing but you'd better note is the PaddingMethod in the CryptographicParameters for the PublicKey, which tells you that we should be doing RSA/PSS.  Good luck finding support for that in Java.  OK, BouncyCastle, or a service update on Java 8 from IBM.  

But then you have to know the SaltLength, as it turns out the example created from OpenSSL is NOT using the default salt length of 20 bytes, but rather the keysize minus the hash length minus two.  But that suggests that we minimally need to add SaltLength into CryptographicParameters to help interoperability, as not everyone is using a SaltLength that defaults to the hash block size.

So that got me looking at RSA-OAEP (for key wrapping), as well as the aforementioned RSA/PSS (for signing).  Here's my list of KMIP additions for interoperability:

Add SaltLength integer, as needed for PSS, as noted above
Add MaskGenerator enum with 1=MGF1, and nothing else.  Not strictly a requirement, as there are no others, but why not get it in now and parameterize it at the start.  Used by both PSS and OAEP.
Add MaskGeneratorHashingAlgorithm enum with same selections as HashingAlgorithm, (otherwise the MGF1 default is SHA-1, and SHA-1 is so passe).  Needed by OAEP for sure, as one can have a different hash in the MGF than in OAEP itself.
Add PSource as a byte array.  Turns out it's usually an empty array, but why hardwire that?  Needed by OAEP.
Add TrailerField (it's not a redneck thing) integer, optional and 1 is the only currently-valid number, so either omitted or specified as 1.  Needed by PSS.

I also wanted to put together some known-answer tests to demonstrate all this, and will upload a zip of them.  There are a couple of issues...it's difficult to get modern examples of RSA with modern padding.  It's almost as if the owners of the technology went out of business...  So I found some GitHub examples in cryptography.io where the encrypt side had been done in Python and the decrypt side in Java.  So I borrowed some of their data for the test vectors.  The even-numbered examples are verify-only.  The odd-numbered examples will need to be self-verifying (changes I still need to make), as the padding variability means you end up with different ciphertext every time you run them.  Test #8 illustrates OAEP usage where the mask hash algorithm (SHA256) is different from the OAEP hash of SHA384, and #10 adds to that by using a non-default PSource.

KMIP needs at least SaltLength, MaskGeneratorHashingAlgorithm and PSource.  MaskGenerator and TrailerField are optional, but I would recommend adding them with the others.
        
-- Mr. Bruce Rich

Document Name: KMIP Spec updates for OAEP and PSS.pdf

---

No description provided.
Download Latest Revision
Public Download Link

---

Submitter: Mr. Bruce Rich
Group: OASIS Key Management Interoperability Protocol (KMIP) TC
Folder: Drafts
Date submitted: 2016-08-31 07:00:31