Encryption Updates


Proposal Editing Information

Requirement Summary

* Corrections_to_the_Encryption_Flow_description_in_IEEE_Std_1076.pdf: (Jerry Kaczynski). Based on the works of P1735 group.

    • Adopt recommendations (under development) from P1735 for Encryption -- JohnShields - 2011-06-09
      • required algorithm support for encryption and encoding
      • new pragmas for visibility and rights management
      • incorporation of use case and key management recommendations by reference

Note: Visibility and rights management issues have been moved to a separate proposal: P1735 Visibility Updates -- StevenDovich - 2014-03-20

Review

Review copy of Encryption is here. Please log in to get to the review page. There was a presentation (pptx) that gave an overview of what is in P1735 draft 3 and the d3 addendum. It is attached to this page.

Review of 1076-2008 VS P1735

Review by PabloBlecua

P1735_d3_2013 Page 9 Line 52: "clarifies the rsa algorithm conventions" to IETF RFC 3447 whereas in the 1076-2008 24.1.3.2 only "rsa" is stated (IETF RFC 2417 [B21]).

P1735_d3_2013 Page 10 Line 10: key_public_key pragma in 1076-2008 is missing. See also P1735_d3_2013 6.4.2 and 6.5.2

P1735_d3_2013 Page 12 Line 50: Recommends to deprecate the "license" pragma in 1076-2008 and implement proposal from IEEE P1735 (see Clause 7 and Clause 8).

P1735_d3_2013 Page 13 5.3.4 Secure keyring: I could not find in the 1076-2008 any support for "Secure keyrings". After reading further, it looks like this might be out of the scope of the 1076-2008, but should be double checked.

P1735_d3_2013 Page 22 6.4.1.6 Mapping the pragma information to certificate fields: pragmas from P1735 and 1076-2008 should be harmonized:
| P1735 | 1076-2008 |
| keyowner | key_keyowner (24.1.2.9) |
| keyname | key_keyname (24.1.2.10) |
| keymethod | key_method (24.1.2.11) |
| data_keyowner | data_keyowner (24.1.2.13) |
| data_keyname | data_keyname (24.1.2.14) |
| ????? | data_method (24.1.2.15) |
This might be a comment to how P1735 is written, since they appear to use different names for the same pragma in different sections (e.g. keyowner vs. key_keyowner).

P1735_d3_2013 Page 28 7.5 Syntax and markup:
common rights block is optional, and consists of language-specific markup and rights <- I am not sure that this exists in the 1076-2008
tool-specific rights block is mandatory, and consists of language-specific markup and rights followed by a digest <- I am not sure that this exists in the 1076-2008
Section 7.5.1 has an example of basic syntax that might need to be added to the 1076-2008

P1735_d3_2013 Page 29 7.5.2 Rights digest: Needs to be checked if it is compatible with 1076-2008 24.1.3.3. Some pragmas probably need to be added: rights_digest, rights_digest_method
Digest algorithms in the P1735 are sha1, md5 and sha256. sha256 is not listed in 1076-2008 24.1.3.3 so probably needs to be added. Some methods in the 1076-2008 are not in the P1735 (md2 and ripemd-160), so remove?

P1735_d3_2013 Page 30 7.5.3 Conditional rights: Missing in 1076-2008. Add rights_block, rights_keyowner, and rights control (e.g. 'protect control right = condition ? true-value:false-value)

P1735_d3_2013 Page 35 8.4 License specification: 1076-2008 in 24.1.2.24 uses deprecated ones see P1735_d3a_2013 (and comments below).

P1735_d3a_2013 Page 48 9.7.2 Deprecated IP protection pragma: decrypt_license from 1076-2008 is deprecated (recommended to remove).

P1735_d3a_2013 Page 51 10.3.2 Viewport pragma: viewport seems to be OK for VHDL (see also P1735 9.3.4). However, it is recommended to apply it to the "run tool phase" (not clear if this has implications to the 1076-2008).

P1735_d3a_2013 Page 52 10.6.1 Granularity of encryption envelopes: Calls for actions about granularity of encryption in the VHDL standard.


I have read all of the above review comments and agree with them. I note that there are many new things in P1735 that do not appear in 1076-2008 and that is appropriate. They will have to be added or referenced, as appropriate. This work can be properly done after 1735 is balloted. -- JohnShields - 2013-04-12

Proposal

In 24.1.2.23 Page 435, replace the entire clause with the following text:

IEEE Std 1735-2014 clause 9.5 is incorporated by reference.

In 24.1.2.24 Page 436, insert a new paragraph before the text "If a protect decrypt license directive or protect runtime license directive appears in an encryption envelope":

It is an error if a protect decrypt license directive or protect runtime license directive appears in a version 2 envelope.

After 24.1.2.25 Page 37, insert new text:

24.1.2.26 Protect version directive

IEEE Std 1735-2014 clause 5.2 is incorporated by reference.

24.1.2.27 Protect key public key directive

protect_key_public_key_directive ::= `protect key_public_key

A protect key public key directive identifies the public member of a key pair, and is the only portable mechanism available to version 1 envelopes to convey a public key to the tool. A protect key public key directive in an envelope indicates that a public key immediately follows.

In 24.1.4.2 Page 440, replace "encrypt_key_directive" grammar with:

encrypt_key_directive ::=
    protect_key_keyowner_directive
  | protect_key_keyname_directive
  | protect_key_method_directive
  | protect_key_public_key_directive

In 24.1.3.1 Page 437, edit the "uuencode" row of the table replacing "Required" with "Deprecated"

In 24.1.3.1 Page 437, edit the "quoted-printable" row of the table replacing "Optional" with "Deprecated"

In 24.1.3.1 Page 437, edit the "raw" row of the table replacing "Optional" with "Legacy"

In 24.1.3.1 Page 437, replace the paragraph following the encoding table with:

The encoding methods identified by required or legacy encoding type strings shall be implemented by a tool. A tool may implement an encoding method identified by a deprecated encoding type string, but if it does implement such a method, it shall use the corresponding encoding type string to identify the method. It is an error if a deprecated encoding type string is used in a version 1 or version 2 envelope.

In 24.1.3.2 Page 438, edit the "des-cbc" row of the table replacing "Required" with "Deprecated"

In 24.1.3.2 Page 438, edit the "3des-cbc" row of the table replacing "Optional" with "Deprecated"

In 24.1.3.2 Page 438, edit the "aes128-cbc" row of the table replacing "Optional" with "Required"

In 24.1.3.2 Page 438, edit the "aes192-cbc" row of the table replacing "Optional" with "Legacy"

In 24.1.3.2 Page 438, edit the "aes256-cbc" row of the table replacing "Optional" with "Required"

In 24.1.3.2 Page 438, delete the "blowfish-cbc" row of the table

In 24.1.3.2 Page 438, delete the "twofish128-cbc" row of the table

In 24.1.3.2 Page 438, delete the "twofish192-cbc" row of the table

In 24.1.3.2 Page 438, delete the "twofish256-cbc" row of the table

In 24.1.3.2 Page 438, delete the "serpent128-cbc" row of the table

In 24.1.3.2 Page 438, delete the "serpent192-cbc" row of the table

In 24.1.3.2 Page 438, delete the "serpent256-cbc" row of the table

In 24.1.3.2 Page 438, delete the "cast128-cbc" row of the table

In 24.1.3.2 Page 438, edit the "rsa" row of the table replacing "Optional" with "Required", and replace the Cipher column of that row with:

RSAES-PKCS1-V1_5 (IETF RFC 3447 [B21]) Key lengths of 2048 bits or more shall be supported by the tool.

In 24.1.3.2 Page 438, delete the "elgamal" row of the table

In 24.1.3.2 Page 438, delete the "pgp-rsa" row of the table

In 24.1.3.2 Page 438, replace the paragraph following the table with:

The ciphers identified by required or legacy encryption method strings shall be implemented by a tool. A tool may implement a cipher identified by a deprecated encryption method string, but if it does implement such a cipher, it shall use the corresponding encryption method string to identify that cipher. It is an error if a deprecated encryption method string is used in a version 1 or version 2 envelope. A tool may implement further ciphers and use other encryption method strings to identify those ciphers.

In 24.1.3.3 Page 439, edit the "sha1" row of the table replacing "Required" with "Deprecated"

In 24.1.3.3 Page 439, edit the "md5" row of the table replacing "Required" with "Deprecated"

In 24.1.3.3 Page 439, delete the "md2" row of the table

In 24.1.3.3 Page 439, edit the "ripemd-160" row of the table

In 24.1.3.3 Page 439, add a row at the end of the table, setting the Digest method string column to "sha-256", the Required/optional column to "Required", and the Hash function column to "TBD"

In 24.1.3.3 Page 439, add a row at the end of the table, setting the Digest method string column to "sha-512", the Required/optional column to "Required", and the Hash function column to "TBD"

In 24.1.3.3 Page 439, replace the paragraph following the table with:

The hash functions identified by required or legacy digest method strings shall be implemented by a tool. A tool may implement a hash function identified by a deprecated digest method string, but if it does implement such a hash function, it shall use the corresponding digest method string to identify that hash function. It is an error if a deprecated digest method string is used in a version 1 or version 2 envelope. A tool may implement further hash functions and use other digest method strings to identify those hash functions.
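Added example, not part of the proposal or of IEEE Std 1076/1735: a small Python check that applies the status changes proposed above for encoding type, encryption method and digest method strings, together with the version 2 license-directive rule, to the protect directives of one envelope. The sample envelope, its owner, key and library names, and the warning-only treatment of envelopes that carry no version directive are assumptions made for illustration.

```python
import re

# Status of each method string after the table edits proposed above (24.1.3.1 to 24.1.3.3).
STATUS = {
    "enctype": {"uuencode": "deprecated", "quoted-printable": "deprecated", "raw": "legacy"},
    "cipher": {"des-cbc": "deprecated", "3des-cbc": "deprecated", "aes192-cbc": "legacy",
               "aes128-cbc": "required", "aes256-cbc": "required", "rsa": "required"},
    "digest": {"sha1": "deprecated", "md5": "deprecated", "sha-256": "required", "sha-512": "required"},
}
# Directive keyword -> table in which its string value is looked up.
TABLE_FOR = {"enctype": "enctype", "data_method": "cipher", "key_method": "cipher", "digest_method": "digest"}
PAIR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
VERSION = re.compile(r'\bversion\s*=\s*(\d+)')
LICENSE = re.compile(r'\b(decrypt_license|runtime_license)\b')

def lint_envelope(text):
    """Return (severity, line_number, message) findings, in line order, for one envelope."""
    lines = [(n, s.strip()) for n, s in enumerate(text.splitlines(), 1)
             if s.strip().startswith("`protect")]
    versions = [int(m.group(1)) for _, s in lines if (m := VERSION.search(s))]
    version = versions[0] if versions else None  # None: no version directive present
    findings = []
    for n, s in lines:
        if version == 2 and (m := LICENSE.search(s)):
            findings.append(("error", n, f"{m.group(1)} directive in a version 2 envelope"))
        for key, value in PAIR.findall(s):
            if key not in TABLE_FOR:
                continue
            status = STATUS[TABLE_FOR[key]].get(value.lower(), "unlisted")
            if status == "deprecated":
                # Assumption: an envelope without a version directive only gets a warning.
                severity = "error" if version in (1, 2) else "warning"
                findings.append((severity, n, f'{key} "{value}" is deprecated'))
            elif status == "unlisted":
                findings.append(("info", n, f'{key} "{value}" has no row in the proposed table'))
    return findings

# Constructed sample envelope header (owner, key and library names are illustrative only).
SAMPLE = '''`protect begin_protected
`protect version = 2
`protect key_keyowner = "Example Corp", key_keyname = "example-key", key_method = "rsa"
`protect encoding = (enctype = "uuencode", line_length = 76, bytes = 256)
`protect data_method = "des-cbc"
`protect digest_method = "sha-256"
`protect decrypt_license = (library = "lic.so", entry = "check", feature = "ip1")'''

if __name__ == "__main__":
    for finding in lint_envelope(SAMPLE):
        print(*finding)
```

Method strings whose rows the proposal deletes (for example "blowfish-cbc") are reported as informational only, since a tool may still implement further ciphers under other strings.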

In 24.1 Page 445, add the following new text at the end of the clause:

24.1.7 Key Management

Clause 6 of IEEE Std 1735-2014 is incorporated by reference. The specified pragma values from that clause shall refer to the protect directives with the corresponding name.

24.1.8 Rights Management

Clause 7 of IEEE Std 1735-2014 is incorporated by reference.

24.1.9 License Management

Clause 8 of IEEE Std 1735-2014 is incorporated by reference.

24.1.10 Visibility Management

Clause 9 of IEEE Std 1735-2014 is incorporated by reference.

24.1.11 Common Rights

Clause 10 of IEEE Std 1735-2014 is incorporated by reference.

Questions

General Comments

Supporters

Add your signature here to indicate your support for the proposal DanielKho

Topic attachments
| Attachment | Size | Date | Who | Comment |
| P1735_Overview.pptx | 348.6 K | 2013-04-10 - 04:50 | JohnShields | P1735 Overview Material |
Topic revision: r8 - 2017-02-01 - 03:09:26 - StevenDovich
 
Copyright © 2008-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.