Re: [Cfrg] Multi-recipient public key authenticated encryption

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 30 April 2020 02:56 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Neil Madden <neil.e.madden@gmail.com>, CFRG <cfrg@irtf.org>
Thread-Topic: [Cfrg] Multi-recipient public key authenticated encryption
Date: Thu, 30 Apr 2020 02:56:24 +0000
Message-ID: <1588215384594.8845@cs.auckland.ac.nz>
References: <AD42E3BB-8AF2-4FC9-9407-9A8D8D5130B4@gmail.com>
In-Reply-To: <AD42E3BB-8AF2-4FC9-9407-9A8D8D5130B4@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/1aRAG-9CfE05NsVSZmDt4_L2jyc>
Subject: Re: [Cfrg] Multi-recipient public key authenticated encryption

Neil Madden <neil.e.madden@gmail.com> writes:

>Given that many uses of this sign-then-encrypt pattern do not require the
>strong security properties of signatures, I have proposed [1] a public key
>authenticated encryption mode based on NIST’s one-pass unified model from SP
>800-56A. This avoids the nested structure and means that you don’t need
>multiple cryptographic primitives. The proposed algorithm uses two ECDH key
>agreements: one between the sender’s ephemeral private key and the
>recipient’s long-term public key; and a second between the two parties’ long
>term keys. The two shared secrets are concatenated and passed through a KDF
>along with some context arguments. For a single recipient this achieves
>sender authentication (subject to replay), and the single recipient case is
>what I am primarily concerned about.

Maybe I'm missing something about JOSE here, but rather than introducing
complex and exotic new encryption modes, couldn't you just define a signed +
encrypted message format like PGP and S/MIME have been using for thirty years
now?

Peter.