OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

kmip message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: KMIP Spec v1.2 wd05: Multiple Cryptographic Parameters for a Single Key

I wonder if anyone else has any concerns about this:

KMIP Spec v1.2 wd05

Section 2.1.4 Key Value
The key value may optionally contain Attribute Objects. Multiple Attribute Objects are permitted.

Section 3.6 Cryptographic Parameters
This is an Attribute Object that may contain cryptographic parameters such as Block Cipher Mode, Padding Method, and Cryptographic Algorithm, amongst others. Multiple instances of this Attribute Object are permitted.

Question: Does allowing multiple instances mean that the same field in multiple instances is allowed, and if so, is it allowed to contain different values? I suspect that a literal interpretation of the text would result in an answer of, "Yes. Yes." But is this what was intended? Or is this what we want it to mean going forward?

Another interpretation that we could apply is that multiple instances of the Attribute Object are permitted, but that fields SHALL not be repeated in each instance. For example, if instance 0 of the attribute has the Block Cipher Mode value set to ECB, then instances 1 through n SHALL not contain a Block Cipher Mode. If this restriction was not imposed, then it would be possible to have a single key defined to be used in different Block Cipher Modes. The same applies to Padding Method, Cryptographic Algorithm, and other cryptographic parameters.

I suspect that using the same key in different modes, with different padding methods, and/or with different algorithms would be a security concern. Can anyone confirm or refute this?

Is this something that we should clarify or fix in v1.2?

Should we require that if certain cryptographic parameters are supplied, and if multiple Cryptographic Parameters Attribute Objects are present, then cryptographic parameters such as Block Cipher Mode, Padding Method, and Algorithm, (for example) SHALL be specified no more than once?

John

----------------------------------------------------------------------
John Leiseboer                          QuintessenceLabs Pty Ltd
Chief technology Officer                Suite 23, Physics Building #38
Phone:  +61 7 5494 9291 (Qld)           Science Road
Phone:  +61 2 6125 9498 (ACT)           Australian National University
Mobile: +61 409 487 510                 Acton ACT 0200
Fax:    +61 2 6125 7180                 AUSTRALIA
Email:  JL@quintessencelabs.com         www.quintessencelabs.com
----------------------------------------------------------------------

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]