IETF Logo Mail Archive

Re: [Cfrg] Fwd: New Version Notification for draft-barnes-cfrg-hpke-00.txt

John Mattsson <john.mattsson@ericsson.com> Tue, 12 March 2019 17:49 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CF521277E7 for <cfrg@ietfa.amsl.com>; Tue, 12 Mar 2019 10:49:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=KIqXNnxf; dkim=pass (1024-bit key) header.d=ericsson.com header.b=aKjiYbVg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8WAfteF0Aaq9 for <cfrg@ietfa.amsl.com>; Tue, 12 Mar 2019 10:49:21 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5531513112D for <cfrg@irtf.org>; Tue, 12 Mar 2019 10:49:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/relaxed; q=dns/txt; i=@ericsson.com; t=1552412958; x=1555004958; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=dvnZQJKQR0Sn+DeTNiVOGRfu8ErlO7ISclqmYTCuN0o=; b=KIqXNnxfm1cltuCjMo8sT6K3KDi8rP74g7n0Ifgg/cY1eZwsu/J9bKkgdwcfvL4z cX9n1weQQdGWRKBqoQNMvpw5F6xE9/UgCfjH/aEklbFURrPF1jLDqpY6EknLd+8c eOa2O5RJLZ7Xo0QsJgivpPDgYubydv5kwRkGNG50R3U=;
X-AuditID: c1b4fb2d-d9dff7000000062f-91-5c87f11e43be
Received: from ESESSMB501.ericsson.se (Unknown_Domain [153.88.183.119]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id A9.67.01583.E11F78C5; Tue, 12 Mar 2019 18:49:18 +0100 (CET)
Received: from ESESSMB505.ericsson.se (153.88.183.166) by ESESSMB501.ericsson.se (153.88.183.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Tue, 12 Mar 2019 18:49:18 +0100
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESSMB505.ericsson.se (153.88.183.166) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Tue, 12 Mar 2019 18:49:18 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dvnZQJKQR0Sn+DeTNiVOGRfu8ErlO7ISclqmYTCuN0o=; b=aKjiYbVgk6S35HSOFzjISLH4KvMHtNIrnlPGbOvKEsVaOj2fvIXkQaE1bqz3yO32/eaBnnXZIvklUjruykgA/yWvdpSu5JJTmY5HeGTm0dNNxsTQox7uh7qnipvtihijUDvq4dlpRnVTIw2/cmJVHZxHb2ry38y5kXvpxLLIWfU=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.166.22) by HE1PR07MB3433.eurprd07.prod.outlook.com (10.170.247.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1709.11; Tue, 12 Mar 2019 17:49:16 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::ace2:9258:766:85a8]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::ace2:9258:766:85a8%3]) with mapi id 15.20.1709.011; Tue, 12 Mar 2019 17:49:16 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Richard Barnes <rlb@ipv.sx>, Christopher Wood <christopherwood07@gmail.com>
CC: CFRG <cfrg@irtf.org>
Thread-Topic: [Cfrg] Fwd: New Version Notification for draft-barnes-cfrg-hpke-00.txt
Thread-Index: AQHUtxywS4VpcYmm7Ey2kqtYRgbl7KXE9hKAgAA+0gCAABGvgIBB+yqAgAFYnoA=
Date: Tue, 12 Mar 2019 17:49:16 +0000
Message-ID: <3F8C5972-5576-425F-A88B-6AB3D269082C@ericsson.com>
References: <4989B595-D57C-4D40-8B68-AB0AF8804AD3@wire.com> <CAO8oSX=KeW_yc8w4v+0E7GGZ1Hp0JNL8x3C5b-Jq=0YKv8XoDQ@mail.gmail.com> <20190128213642.GA2741@LK-Perkele-VII> <CAO8oSXkqYw09w8VT1RoiAo+73V3LCp0osCBFLVheDtt=sA0rYw@mail.gmail.com> <CAL02cgSQxh+LvoqCEZmYBa2rRDwudGCxTP1fS55-gm+noWS5LA@mail.gmail.com>
In-Reply-To: <CAL02cgSQxh+LvoqCEZmYBa2rRDwudGCxTP1fS55-gm+noWS5LA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.16.1.190220
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cc386c48-ebe8-4e6d-d8f7-08d6a7130be6
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600127)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:HE1PR07MB3433;
x-ms-traffictypediagnostic: HE1PR07MB3433:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <HE1PR07MB3433CFBFB00B47AF45E6270189490@HE1PR07MB3433.eurprd07.prod.outlook.com>
x-forefront-prvs: 09749A275C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(396003)(136003)(366004)(376002)(346002)(51444003)(189003)(199004)(85644002)(53754006)(86362001)(81166006)(81156014)(186003)(7736002)(8676002)(3846002)(6116002)(26005)(10710500007)(2906002)(561944003)(33656002)(25786009)(7110500001)(97736004)(66066001)(93886005)(36756003)(2420400007)(316002)(58126008)(110136005)(15650500001)(4326008)(99286004)(76176011)(6346003)(102836004)(6506007)(6246003)(53546011)(105586002)(68736007)(236005)(6436002)(606006)(14454004)(966005)(53936002)(8936002)(6306002)(54896002)(6512007)(478600001)(44832011)(229853002)(446003)(11346002)(2616005)(476003)(486006)(83716004)(14444005)(256004)(6486002)(71200400001)(71190400001)(82746002)(106356001)(5660300002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3433; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 2Lux9TrdO9R+JL3QwiyQnUzRVpwNxiMC6+O/U6WugQE52mwDZFFPNNGXDLnLOO4cLilS0WLx3PZY4qqsXkmp2Ma759/ku2h0Ob/k2FiD+nqiRkn8AqaPrdv6TqpuV778PD4sBCsCKta50wc2g4kI0RHRohB41H+z6KxFX8hy9RSYs6CjJ6nqkzo5wqqAH5NHROHJQExxD1WvJvRDGEmvAYGKtI3BxM9Hh4HDvc4ZoR85f7x3iRXg4WncgQ4avf533dnkBYEqaMdP94KbwwGtesSEGM1xF3W6IyhBo9n8TqPg6UqiAt4anXAmsC41KWVseEb7bobxC1ssyQzXs6xAdSFgyyhi/bZtoLqkEUDEWmo7zKBaYTqpu5d0BnUUOI9T8FKehH7tb/81H6i93kc+XMNf2XrRYeb/t0H2P/kLKAE=
Content-Type: multipart/alternative; boundary="_000_3F8C59725576425FA88B6AB3D269082Cericssoncom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: cc386c48-ebe8-4e6d-d8f7-08d6a7130be6
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2019 17:49:16.4028 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3433
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Sa0hTYRjHec85OzubDc6WyyfNwIVkCy+lH1bYlRI/ZNmHLpSVQ09TnHPs zCuh9kEFTRumhPMeSmqGFpKuxPKKS5sUZjcka5aKSU1mWtlo21ngl5ff8zz/58pL4ZJnPF8q WaNndBqlWkYKiarz3ZnB221FcWGFHyMUJWv9mOL26hSpqCw7cBiPNhmn+dG3HhgJ5zNIxuIX hJGJjDo5g9GFHowXJpV/sfK04xaU1bNuIfPRTTMqRgIK6Ai4s/IUK0ZCSkIPIej9YMY54yeC xsaXfM5owqB1xuqOELQBh8q6Hx5ZBQbm8na+q5iEnkHg+HbOxSQdBrW9+aSLvenTYFu/jrkY pwGWhkzu5pvpM+B4W83nNGdhtOQXxvFJ6BybJFxM0IFQbrDwXCyiD8FrU6lnWBMGAyt97mSB s4FxbdQtQvQWWH3e7mnmA+9n6zFuUxqaeidwjqWwYHW49VI6FLrKZgjOHwBjfS0ejT+8qi/x XCkGJitt7o2BfodgerTUE5DDG8OQh31h1Wrjc5wCZRPznkLbnEVNJJdsJ6Ep30Ry52Lg7v0C ZEDBxg3DcpwAlqountG9tRjMVbOEEVFO/y7oeBzKSQKgouQTn+MgKKip5XOSaKhe3r1R0oCo NiRlGZZNVe0ND2F0yQksm6YJ0TD6h8j5r/q7/gT3oHuLRwYQTSHZJlHgfFGchKfMYLNTBxBQ uMxbpFA7XaJEZXYOo0u7oktXM+wA8qMImY9oXSKOk9AqpZ5JYRgto/sfxSiBbz463r2kLT46 GP69zkvVOtL4N+piw355syXyWmf2C6zSnnVZO+sIipV+fSQu3CnH9c1tucuqxa2/CxJSLALb qSfpc/45EXnhC/YTwx0xi/2Kq5mmsUs1a96Tw3kt/FR7d3yNzeLVPT54I0ocHj+yY6rJr+Uz E8IU5+3LnUs95jUslhFsknKPHNexyn8qOnRhUwMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2eOwFPDv019yDsK0lvMJ51Ib9V0>
Subject: Re: [Cfrg] Fwd: New Version Notification for draft-barnes-cfrg-hpke-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2019 17:49:25 -0000

Hi,

This is just what I was looking for a few years ago when we convinced 3GPP to encrypt IMSIs in 5G with a ECIES. I think the move to a more general framework supporting future PQC KEMs is a good choice. A document like this could be very useful.

- "This type of public key encryption has many applications in practice,
   for example, in PGP [RFC6637] and in the developing Messaging Layer
   Security protocol [I-D.ietf-mls-protocol]."

   You could add ESNI and 3GPP TS 33.501 https://www.3gpp.org/DynaReport/33501.htm

- "Lack of a single standard"

   Defining yet another standard will for sure not help :) but the other standards have several problems:

   - most of them are behind paywalls
   - they are showing their age (old algorithms: SHA-1, no AEAD, no HKDF, and design choices that feel dated)
   - some of them do not seem to be updated anymore
   - some of them are not really directly implementable and are more a framework that another SDO can use to build an HPKE
   - some of them do not have test vectors.
   - some are not IND-CCA2

  I think these are problems worth solving.

- I think it would be good to explain the externally visible API in some early section.

- I am not convinced the sequence number based encryption is needed. What would the use cases be? If you have two-way communication, you should use a protocol that gives PFS. I might miss something in the notation, but how does the recipient verify than an attacker did not throw away the last ciphertexts?

Cheers,
John

From: Cfrg <cfrg-bounces@irtf.org> on behalf of "rlb@ipv.sx" <rlb@ipv.sx>
Date: Monday, 11 March 2019 at 23:17
To: Christopher Wood <christopherwood07@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Fwd: New Version Notification for draft-barnes-cfrg-hpke-00.txt

Hey all,

Just in time for the I-D deadline, I have submitted a draft-01 of this HPKE draft:

https://tools.ietf.org/html/draft-barnes-cfrg-hpke-01

This version incorporates a bunch of feedback from this thread, in particular, moving from a DH framing to a KEM framing.  It also adds modes that authenticate possession of a pre-shared key or an asymmetric key pair.  It also allows multiple encryptions to be done based on a single KEM operation.

Happy to have more comments on the list here if people have thoughts.  In particular, there's a lot of different modes in here, and it would be helpful to hear which of these people think are useful to keep around.  I've also requested an agenda slot for IETF 104.

Thanks,
--Richard


On Mon, Jan 28, 2019 at 5:40 PM Christopher Wood <christopherwood07@gmail.com<mailto:christopherwood07@gmail.com>> wrote:
On Mon, Jan 28, 2019 at 1:37 PM Ilari Liusvaara
<ilariliusvaara@welho.com<mailto:ilariliusvaara@welho.com>> wrote:
>
>
> On Mon, Jan 28, 2019 at 09:51:51AM -0800, Christopher Wood wrote:
> > On Mon, Jan 28, 2019 at 7:17 AM Raphael Robert
> > <raphael=40wire.com@dmarc.ietf.org<mailto:40wire.com@dmarc.ietf.org>> wrote:
> > >
> > > Hey Richard,
> > >
> > > The proposal seems rather generic to me and I like the channel
> > > binding to the responder's public key.
> >
> > +1
> >
> > Thanks for posting this draft, Richard! It should suit the ESNI use
> > case quite well. In particular, servers could advertise HPKE
> > ciphersuites and key shares, instead of the TLS ciphersuites and
> > keyshares currently used, and invoke Encrypt() with "esni" or a
> > similar info string for key derivation.
>
> How is the binding to main key exchange done (I just remember there
> were some nontrivial issues there)?
>
> That is, the ESNI ciphertexts must be bound to the client hello those
> are in, as otherwise cutting and pasting breaks security.

The CH would be passed in as additional data, as it is in the current draft..

>
> > With regards to the questions raised in Appendix A, I am in favor of
> > generalizing this to work with any KEM, especially given the rationale
> > Raphael lists below. The streaming variant is tricky, though, as we
> > would ideally not want to turn this into a full protocol. In any case,
> > this is a great -00, and something I think the RG should work on.
>
> Yes, streaming is tricky. In fact, true stream-mode AE (byte
> granularity, reliable in-order) is impossible.
>
> The best approximations are datagram mode AE (datagram granularity,
> not reliable) or sequential packet mode (datagram granularity, reliable
> in-order) AE. To make things worse, there are protocols that need mode
> equivalent to sequential packet mode, and protocols that absolutely
> can not use mode equivalent to sequential packet mode.
>
> > > A few comments:
> > >
> > >  - The points brought up in Appendix A are important. In particular,
> > > I think it would be worthwhile investigating if a general KEM
> > > mechanism wouldn't be the better choice, potentially paving the way
> > > for PQ primitives.
>
> Yes, I think that PQ support is important in any modern protocol (unless
> one takes quantum skeptic view). And there are very few DH-compatible
> PQC primitives, and the ones that exist are umm... exciting and slow.

:-)

> However, I do not think any generic KEM would do, as many of those have
> too high failure rate, and failures leak information about the private
> key (so called reaction attack).
>
> However, there is subclass of KEMs that are IND-CCA secure. Those could
> be used (the cost of IND-CCA is higher runtime and larger messages than
> generic IND-CPA KEMs).

If generalized to work KEMs, could we not restrict the algorithm to
those KEMs we deem appropriate via ciphersuites?

>
>
> Few other comments:
>
> - Decryption references function "Decrypt()", which I do not see
>   defined anywhere. I suppose it should be "SetupR()"?
>
> - I would expect encryption to pack pkE inside ciphertext, as that
>   is per-message and required to decrypt.
>
> - Only one-byte ciphersuite identifier? That seems quite small.

It could probably be expanded to two bytes.

Best,
Chris

>
>
> -Ilari
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org<mailto:Cfrg@irtf.org>
> https://www.irtf.org/mailman/listinfo/cfrg

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email