Subject: Re: [pkcs11] RSA Key Import proposal




On 04/03/13 07:32, Cohen, Doron wrote:

Thanks Mike for your comments.

The proposal I submitted was created under the assumption of minimal changes to the spec, but adding an explicit mechanism per your proposal below makes sense and will probably make it easier to understand and implement. So I like it.

As for using CKM_AES_KEY_WRAP_PAD - from a first look it seems to be a valid alternative to GCM and CCM - I will go over that with my cryptographer to make sure I have not missed anything.

I would still like to see CKM_AES_CCM and CKM_AES_GCM made available for wrapping as part of the standard. We already use them for key wrapping in ZFS on Solaris (but we do the wrap/unwrap with our in kernel API not PKCS#11).


Doron

-----Original Message-----
From: pkcs11@lists.oasis-open.org [mailto:pkcs11@lists.oasis-open.org] On Behalf Of Michael StJohns
Sent: Tuesday, April 02, 2013 7:12 PM
To: pkcs11@lists.oasis-open.org
Subject: Re: [pkcs11] RSA Key Import proposal

On 4/2/2013 11:27 AM, Cohen, Doron wrote:

Proposal :

We propose that the PKCS#11 specification explicitly state that a CKA_UNWRAP_TEMPLATE attribute can contain a CKA_UNWRAP_TEMPLATE to be applied to whatever key is unwrapped by the key in question. Currently this is ambiguous. In addition, we recommend that CCM and GCM be enabled for wrap and unwrap. This is crucial for preventing oracle padding attacks.



If you're worried about misuse of the AES key, then instead, how about defining a mechanism - CKM_RSA_AES_KEYWRAP? This defines a mechanism which first unwraps the AES key using RSA, and then uses the AES key wrap mechanism to unwrap the actual data. The AES key gets implicit attributes (and actually never gets a public handle) when unwrapped, and goes away once the other key is unwrapped. The template on the original RSA private key applies to the finally unwrapped new RSA private key.

On the wrapping side, the AES key is generated internally, wraps the data, is encrypted under the RSA public key, and then zeroized.

For an elliptic curve equivalent you probably need something like CKM_ECIES_AES_KEYWRAP.

Also, RFC5649 is probably a much better choice for key wrapping than CCM or GCM. That's CKM_AES_KEY_WRAP_PAD in the 2.30 draft.

Mike




---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

The information contained in this electronic mail transmission
may be privileged and confidential, and therefore, protected
from disclosure. If you have received this communication in
error, please notify us immediately by replying to this
message and deleting it from your computer without copying
or disclosing it.





--
Darren J Moffat
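
The hybrid wrap described in Mike's message above, sketched in Python as an added example (it is not from the thread or from the PKCS#11 specification). It assumes the `cryptography` package, RSA-OAEP with SHA-256 for the temporary AES key, RFC 5649 for the AES step, and a concatenated output layout; the function names are hypothetical.

```python
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap,
    aes_key_unwrap_with_padding,
    aes_key_wrap_with_padding,
)

# Assumption: RSA-OAEP with SHA-256 protects the temporary AES key.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def rsa_aes_wrap(wrapping_pub, target):
    """Wrap side: a temporary AES key wraps the data, then is RSA-encrypted."""
    aes_key = os.urandom(32)  # generated internally, never handed to the caller
    wrapped_target = aes_key_wrap_with_padding(aes_key, target)  # RFC 5649
    wrapped_aes = wrapping_pub.encrypt(aes_key, OAEP)
    del aes_key  # a token zeroizes here; Python bytes cannot be overwritten
    return wrapped_aes + wrapped_target  # assumed layout: RSA part, then AES part


def rsa_aes_unwrap(unwrapping_priv, blob):
    """Unwrap side: recover the AES key with RSA, then unwrap the data."""
    n = unwrapping_priv.key_size // 8  # RSA ciphertext is one modulus long
    aes_key = unwrapping_priv.decrypt(blob[:n], OAEP)
    # Raises InvalidUnwrap when the RFC 5649 integrity check fails.
    return aes_key_unwrap_with_padding(aes_key, blob[n:])


def demo():
    # Constructed sample keys: the token's wrapping key and a key to import.
    token_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    imported = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    der = imported.private_bytes(
        serialization.Encoding.DER,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    blob = rsa_aes_wrap(token_key.public_key(), der)
    round_trip = rsa_aes_unwrap(token_key, blob) == der
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])  # flip one ciphertext bit
    try:
        rsa_aes_unwrap(token_key, tampered)
        rejected = False
    except InvalidUnwrap:
        rejected = True
    return round_trip, rejected
```

`demo()` returns `(True, True)`: the PKCS#8 blob, whose length need not be a multiple of 8 bytes, survives the round trip, and a modified blob is rejected by the key-wrap integrity check instead of yielding a corrupted key.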

