Hi

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

I believe the document is ready with nits.

Yours, 
Daniel




LAMPS WG                                                   P. Kampanakis
Internet-Draft                                             Cisco Systems
Updates: 3370 (if approved)                                      Q. Dang
Intended status: Standards Track                                    NIST
Expires: December 19, 2019                                 June 17, 2019


  Use of the SHAKE One-way Hash Functions in the Cryptographic Message
                              Syntax (CMS)
                     draft-ietf-lamps-cms-shakes-11


2.  Introduction

   In the SHA-3 family, two extendable-output functions (SHAKEs),
   SHAKE128 and SHAKE256, are defined.  Four other hash function
   instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512 are also
   defined but are out of scope for this document.  A SHAKE is a
   variable length hash function defined as SHAKE(M, d) where the output
   is a d-bits long digest of message M.  The corresponding collision
   and second preimage resistance strengths for SHAKE128 are
   min(d/2,128) and min(d,128) bits respectively (Appendix A.1 [SHA3]).
   And, the corresponding collision and second preimage resistance
   strengths for SHAKE256 are min(d/2,256) and min(d,256) bits
   respectively.

<mglt>
since we are introducing d in this section and the specification fixes d
later, we may fix d here and list the associated security for the fixed
value. 

I would also suggest that additional resistance considerations be
mentioned in the security consideration with a reference to it in the
introduction. Additional consideration would also provide preimage
resistance and extends the considerations regarding 128/256 bit security
and post quantum resistance. 

</mglt>


   A SHAKE can be used in CMS as the message digest function (to hash
   the message to be signed) in RSASSA-PSS and ECDSA, message
   authentication code and as the mask generation function (MGF) in
   RSASSA-PSS.  This specification describes the identifiers for SHAKEs
   to be used in CMS and their meaning.


3.  Identifiers

   This section defines four new object identifiers (OIDs) for using
   SHAKE128 and SHAKE256 in CMS.

<mglt>
It is unclear to me if this section defines OIDs. Instead, it seems to
me that the section lists OIDs for convenience but these are defined in
other documents.  
</mglt>

   Two object identifiers for SHAKE128 and SHAKE256 hash functions are
   defined in [shake-nist-oids] and we include them here for
   convenience.

     id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
          country(16) us(840) organization(1) gov(101) csor(3)
          nistAlgorithm(4) 2 11 }

     id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
          country(16) us(840) organization(1) gov(101) csor(3)
          nistAlgorithm(4) 2 12 }

   In this specification, when using the id-shake128 or id-shake256
   algorithm identifiers, the parameters MUST be absent.  That is, the
   identifier SHALL be a SEQUENCE of one component, the OID.

<mglt>
It might be clearer if the AlgoritmIdentifier structure is added
for convenience or referenced maybe by RFC5280 in the document.

On the other hand, I am also inclined to think that this section may be
replaced with a reference to lamps-pkix-shake.and the list of id-*. 
This could be one sentence in the introduction 
</mglt>


4.  Use in CMS

4.1.  Message Digests

   The id-shake128 and id-shake256 OIDs (Section 3) can be used as the
   digest algorithm identifiers located in the SignedData, SignerInfo,
   DigestedData, and the AuthenticatedData digestAlgorithm fields in CMS
 x  [RFC5652].  The encoding MUST omit the parameters field and the

<mglt>
I might be missing one level of encapsulation, but my understanding is
that digest algorithm identifiers and algorithm identifiers have the
same structure. If that is correct, it seems that the requirement to
omit the parameters is redundant with the definition of the algorithm
identifiers as well as with lamps-pkix-shake.

I am reading the sentence as it provides some requirements on the
message format (no parameters are provided) as well as the setting of an
output size. I interpret the output size as a parameter for the
message-digesting algorithm as opposed as a parameter that is provided
in the message. If that is the case, that might be specified explicitly
and maybe in two different sentences as to avoid coupling requirements
of different nature.
</mglt>


   output size, d, for the SHAKE128 or SHAKE256 message digest MUST be
   256 or 512 bits respectively.

   The digest values are located in the DigestedData field and the
   Message Digest authenticated attribute included in the
   signedAttributes of the SignedData signerInfo.  In addition, digest
   values are input to signature algorithms.  The digest algorithm MUST
   be the same as the message hash algorithms used in signatures.

4.2.  Signatures

   In CMS, signature algorithm identifiers are located in the SignerInfo
   signatureAlgorithm field of SignedData content type and
   countersignature attribute.  Signature values are located in the
   SignerInfo signature field of SignedData content type and
   countersignature attribute.

   Conforming implementations that process RSASSA-PSS and ECDSA with
   SHAKE signatures when processing CMS data MUST recognize the
   corresponding OIDs specified in Section 3.

   When using RSASSA-PSS or ECDSA with SHAKEs, the RSA modulus and ECDSA
   curve order SHOULD be chosen in line with the SHAKE output length.
   In the context of this document SHAKE128 OIDs are RECOMMENDED for
   2048 or 3072-bit RSA modulus or curves with group order of 256-bits.
   SHAKE256 OIDs are RECOMMENDED for 4096-bit RSA modulus and higher or
   curves with group order of 384-bits and higher.

<mglt>
I believe a reference to the security consideration  should be provided
with further discussions on the meaning of  "in line".  The security
consideration should maybe provide a reference that correlates symmetric
- as CMS can be used with AES -, factoring modulus Elliptic curves and
hash. Though the current security consideration reference SP800-78-4 and
SP800-107, maybe the following ones could be used in the security
consideration. They look more recent but I have not deeply looked at
those.    

* Algorithms, Key Size and Protocols Report (2018), H2020-ICT-2014 – Project 645421, D5.4, ECRYPT-CSA, 02/2018.
* Recommendation for Key Management, Special Publication 800-57 Part 1 Rev. 4, NIST, 01/2016.

</mglt>

4.2.1.  RSASSA-PSS Signatures

   The RSASSA-PSS algorithm is defined in [RFC8017].  When id-RSASSA-
   PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 3 is
   used, the encoding MUST omit the parameters field.  That is, the
   AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA-
   PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256.  [RFC4055] defines RSASSA-
   PSS-params that are used to define the algorithms and inputs to the
   algorithm.  This specification does not use parameters because the
   hash, mask generation algorithm, trailer and salt are embedded in the
   OID definition.

<mglt>
This is a similar comment as the one provided earlier. It does not seem
to me that this document "specifies" (in section 3) algorithms. It seems
to me these algorithms are provided for convenience but are specified in
pkix-shake. 

Similarly, the absence of parameter does not seems to me necessary here
- unless I am missing something. It seems that MUST and SHALL are
aiming at preventing the NULL parameter, I am wondering if there are any
reasons for having different terms. 

The explanation may be moved to section 3. 

</mglt>

   The hash algorithm to hash a message being signed and the hash
   algorithm as the mask generation function used in RSASSA-PSS MUST be
   the same, SHAKE128 or SHAKE256 respectively.  The output-length of
   the hash algorithm which hashes the message SHALL be 32 or 64 bytes
   respectively.

<mglt>
I suggest we use bytes or bits in the document. 
</mglt>

4.2.2.  ECDSA Signatures

   The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
   [X9.62].  When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256
   (specified in Section 3) algorithm identifier appears, the respective
   SHAKE function is used as the hash.  The encoding MUST omit the
   parameters field.  That is, the AlgorithmIdentifier SHALL be a
   SEQUENCE of one component, the OID id-ecdsa-with-shake128 or id-
   ecdsa-with-shake256.

<mglt>
same comment regarding the parameter field
</mglt>


4.3.  Public Keys


   The identifier parameters, as explained in Section 3, MUST be absent.
<mglt>
Same comment as above.
</mglt>
4.4.  Message Authentication Codes

6.  Security Considerations

   This document updates [RFC3370].  The security considerations section
   of that document applies to this specification as well.

   NIST has defined appropriate use of the hash functions in terms of
   the algorithm strengths and expected time frames for secure use in
   Special Publications (SPs) [SP800-78-4] and [SP800-107].  These
   documents can be used as guides to choose appropriate key sizes for
   various security scenarios.

   When more than two parties share the same message-authentication key,
   data origin authentication is not provided.  Any party that knows the
   message-authentication key can compute a valid MAC, therefore the
   content could originate from any one of the parties.

<mglt>
I would suggest to add some considerations on resistance with post
quantum computers. 
</mglt>