lamps-wg / cmp-updates

RFC4210bis and RFC6712bis

Security Consideration according to KEM #24

Closed HBrock closed 1 year ago

HBrock commented 1 year ago

Potentially add something like in cms-kemri: KEM algorithms that offer indistinguishability under adaptive chosen ciphertext attack (IND-CCA2) security are appropriate

HBrock commented 1 year ago

Meeting 11.05.23: potentially add this topic to CMP Algorithms.

HBrock commented 1 year ago

Proposal from John on email:

In CMS KEM draft-ietf-lamps-cms-kemri we have the following note:

To be appropriate for use with this specification, the KEM algorithm MUST explicitly be designed to be secure when the public key is used many times. For example, a KEM algorithm with a single-use public key is not appropriate because the public key is expected to be carried in a long-lived certificate [RFC5280] and used over and over. Thus, KEM algorithms that offer indistinguishability under adaptive chosen ciphertext attack (IND-CCA2) security are appropriate. A common design pattern for obtaining IND-CCA2 security with public key reuse is to apply the Fujisaki-Okamoto (FO) transform [FO] or a variant of the FO transform [HHK].

We could probably reuse some or most of this text because it is possible a CMP server or client could use a KEM key for a long period of time for message protection. We could recommend the server rotate its protection keys periodically to mitigate this issue (I think that would be a best practice). Therefore a KEM with a limited-use key would not be acceptable, and an IND-CCA2 KEM should be recommended.
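The design pattern the quoted cms-kemri note refers to, as an added toy example in Python (not code from cmp-updates, cms-kemri, or the LAMPS WG): a KEM built from a CPA-secure public-key scheme via a Fujisaki-Okamoto style transform with implicit rejection. Everything in it is constructed for illustration: the 64-bit ElGamal group, the function names, the SHA-256 based G/KDF and the implicit-rejection seed z are assumptions of this example, and the parameter sizes are far too small for real use. What it shows is why re-encryption matters for a long-lived key: a related ciphertext that the raw encryption scheme decrypts happily is rejected by the KEM, and rejection yields a pseudorandom key rather than an observable error.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for the demonstration only: p = 2**64 - 59 is prime,
# g = 2 is an arbitrary fixed base. A real KEM uses standardised parameters.
P = 2**64 - 59
G = 2
P_BYTES = 8


def _hash(label: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256 over length-prefixed byte strings."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def _i2b(x: int) -> bytes:
    return x.to_bytes(P_BYTES, "big")


def _pke_enc(pk: int, m: int, r: int) -> tuple[int, int]:
    """Textbook ElGamal with caller-supplied randomness r: CPA-secure at best
    and malleable, so on its own it is not suitable for a reused public key."""
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def _pke_dec(x: int, c: tuple[int, int]) -> int:
    c1, c2 = c
    return (c2 * pow(pow(c1, x, P), -1, P)) % P


def _derive(m: int, pk: int) -> tuple[bytes, int]:
    """G(m, pk) -> (pre-key, encryption randomness). Because r is a function
    of m, decapsulation can re-encrypt and verify the ciphertext was honest."""
    digest = _hash(b"FO-G", _i2b(m), _i2b(pk))
    r = int.from_bytes(_hash(b"FO-R", digest), "big") % (P - 2) + 1
    return digest, r


def _kdf(pre_key: bytes, c: tuple[int, int]) -> bytes:
    """Final shared secret, bound to the ciphertext it came from."""
    return _hash(b"FO-K", pre_key, _i2b(c[0]), _i2b(c[1]))


def keygen() -> tuple[int, tuple[int, bytes, int]]:
    """Return (pk, sk); sk also carries the implicit-rejection seed z and pk."""
    x = secrets.randbelow(P - 2) + 1
    pk = pow(G, x, P)
    z = secrets.token_bytes(32)
    return pk, (x, z, pk)


def encaps(pk: int) -> tuple[bytes, tuple[int, int]]:
    """Return (shared_key, ciphertext)."""
    m = secrets.randbelow(P - 1) + 1
    pre_key, r = _derive(m, pk)
    c = _pke_enc(pk, m, r)
    return _kdf(pre_key, c), c


def decaps(sk: tuple[int, bytes, int], c: tuple[int, int]) -> bytes:
    """Decapsulate with re-encryption check and implicit rejection.

    A ciphertext not produced honestly from some m fails the c' == c test
    and yields a pseudorandom key derived from z instead of an error, so
    repeated queries against the same long-lived key do not reveal which
    ciphertexts were rejected.
    """
    x, z, pk = sk
    c1, c2 = c
    if not (0 < c1 < P and 0 < c2 < P):
        raise ValueError("ciphertext not in group")  # malformed encoding
    m_prime = _pke_dec(x, c)
    pre_key, r = _derive(m_prime, pk)
    c1p, c2p = _pke_enc(pk, m_prime, r)
    if hmac.compare_digest(_i2b(c1p) + _i2b(c2p), _i2b(c1) + _i2b(c2)):
        return _kdf(pre_key, c)
    return _kdf(z, c)


def related(c: tuple[int, int]) -> tuple[int, int]:
    """A related ciphertext (the raw PKE decrypts it to 2*m). The raw scheme
    accepts it, which is exactly what the FO check is there to refuse."""
    return c[0], (2 * c[1]) % P


if __name__ == "__main__":
    pk, sk = keygen()
    k, c = encaps(pk)
    print("honest decaps matches:", decaps(sk, c) == k)
    print("related ciphertext accepted:", decaps(sk, related(c)) == k)
```

The re-encryption step is what makes the public key safe to reuse over many decapsulations: any ciphertext that was not produced by encaps from some m gets a key derived from z, and the caller cannot tell a rejected ciphertext from an accepted one, which is the property an IND-CCA2 KEM needs when its key sits in a certificate for years. Periodic key rotation, as John suggests, limits exposure further but does not replace this requirement.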

HBrock commented 1 year ago

This issue will be addressed in the context of #25