IETF Logo Mail Archive

Re: [CFRG] Fwd: [Technical Errata Reported] RFC9180 (7790)

Karthik Bhargavan <karthik.bhargavan@gmail.com> Mon, 08 April 2024 10:23 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77460C14F6A9 for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 03:23:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hIlz1kaNrpsn for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 03:23:40 -0700 (PDT)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 582DDC14F6F0 for <cfrg@irtf.org>; Mon, 8 Apr 2024 03:23:40 -0700 (PDT)
Received: by mail-qt1-x82f.google.com with SMTP id d75a77b69052e-43444a599d0so25405751cf.3 for <cfrg@irtf.org>; Mon, 08 Apr 2024 03:23:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712571819; x=1713176619; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8dPzyI4EOH83UBDJu3v/j4i9YXXQnc5wXQqwg/BslII=; b=givkrFn6raT8jBs/hWtMlbDdzp1cgfhasTbDLjRJb1Rvb7DhzTP41IA4N0PGlTEASl 5pDt+LL/kJvgAueyZ3RV07O6CcNM3kwt7h6u2XLE4LWH0DtO7U4xtazKDFKm17+/5t0i l6ubekeKrxbJY2+6FLP9+EnzAEYkVwT/40LgUnDMAl1tzMWAEcktlDAtdBuIEfDmrUiJ 5rV8fmmlHpah3OH9cSKC35R2UQFU2s0nl3t4yajjvobVsJ4oaAVslP3dXLuwfUqTO0rn BhijgSpjA8ZE411kA64yQNyMS3+t+lpUzpr5oLGsPQano9Z4ppZirktZxQMCPb/dEAw8 D2Bw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712571819; x=1713176619; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8dPzyI4EOH83UBDJu3v/j4i9YXXQnc5wXQqwg/BslII=; b=RqWdylNoZY9D3UVYSftoMXwHM9iEQlIEDoTRDAb8+QwbY0UtVTktH1kwmPMUj+cvlp dkE1L1zH8CZ8hWpDd1LayhFVu7FGwgAtuL3QXdHJ0fwKZCJ7UwrIir5NPHsIMvBqPWEz +sXsH2o+AmAXQ9WKvq1sYScAlYLj7FmL3+mwFUAQT3qHRZ/C1fZjSXq6KQn7sEIneFuv Tgy2Q6eqtT3oaJtn2Bih408GaGQC+sxZ/zQN6Na/9QuYNTmqNk5J58Y+O41cK7VL53/b B1evwpuJVE15PORoaxp633zP5jiXzLcMpeBbZTp+zuGBHBVHVgP2HmfDDCDXlPOyypF0 cGrA==
X-Forwarded-Encrypted: i=1; AJvYcCXjxDYzB328GVBinuM3B4gfE0aUenJ2ShE0btyE94GYBiJeQyITlCKkNXt2o87jeWbsPseVSMwWISsYEtz0
X-Gm-Message-State: AOJu0YxuAiuDVX/rGLPyxrc6JYEXQjngp8XO3we6GJ8pRm4AnafX/VkD R65cxHd/k0yeVZSLrGuCery+DXnKdmcCkBc3iFSuK7iCZSHdmQAMB3iNMgTWaTWvNYKxJMvipen wkzrKE1Fo7McLfPs/efFCeD0znz8=
X-Google-Smtp-Source: AGHT+IFZ/mbknF57aqZC3lyKpZLNcOBVZ8iFHFP10vDAWLNAKvOamtWbtjouRMsDW3DUSebD6zR7VVLzvQitrIbL/L4=
X-Received: by 2002:a05:622a:548d:b0:434:7189:d688 with SMTP id ep13-20020a05622a548d00b004347189d688mr5991032qtb.30.1712571819066; Mon, 08 Apr 2024 03:23:39 -0700 (PDT)
MIME-Version: 1.0
References: <CA+_8ft66ZM=QND1Qh+OE9fJ6tDufF484cqeUT9NLdzr8gBYwjg@mail.gmail.com> <04C6D6E9-2D50-4289-AF0E-398F95B01723@gmail.com>
In-Reply-To: <04C6D6E9-2D50-4289-AF0E-398F95B01723@gmail.com>
From: Karthik Bhargavan <karthik.bhargavan@gmail.com>
Date: Mon, 08 Apr 2024 12:23:44 +0200
Message-ID: <CA+_8ft7nK9uE4EreZ-TktExxn1mLND8BJ2d68psvuY9rnuRepA@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000ed8c5d06159332b2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/30PIjk8299HHx1uuTjJDnnPmtk8>
Subject: Re: [CFRG] Fwd: [Technical Errata Reported] RFC9180 (7790)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 10:23:44 -0000

>
>
> HPKE only defines an interface for encrypting messages to a single
> recipient. Therefore standards like JOSE, which support multiple
> recipients, have to come up with an approach to support that. The obvious
> thing to do, and what is being proposed for JOSE, is to do what the
> existing ECDH-ES (ECIES) modes do: generate a random data encryption key
> (DEK) and use that to encrypt the message using an AEAD. Then run HPKE for
> each recipient to encrypt the DEK. You then concatenate all the wrapped
> DEKs and encapsulated keys with the ciphertext and send it.
>

That is an interesting use-case, but I don't see how you can use HPKE for
this.
The Encap/AuthEncap interface of HPKE does not allow you to encapsulate the
same key for two different recipients.
Indeed, as you note, doing so would be insecure and is forbidden.

One may certainly imagine a useful extension to HPKE that supports
multi-recipient KEM (mKEM) to provide multi-recipient HPKE, but in that
case you will definitely need more protections, either via plaintext
commitment or even stronger authentication properties about the group of
recipients etc. leading all the way to MLS.



>
> To decrypt, each recipient finds their encapsulated key, decapsulates it
> and decrypts the DEK and then uses that to decrypt the rest of the message.
>
> But the lack of Insider Auth security for HPKE makes this completely
> unsafe (when using an authenticated KEM) because when A receives such a
> message from S, she can use the DEK she recovers to create arbitrary forged
> messages to send to B that appear to come from S.
>
> This is why my own draft adding an authenticated version of ECIES to JOSE
> includes a commitment to the plaintext as associated data to the AKEM [1].
> I wrote a more detailed explanation of the problem and solution on my blog
> (after some discussion on this list) [2].
>
> Now, you can (I believe) do a similar solution in HPKE. However, the point
> is that nobody knows they *need* to do this because the HPKE RFC doesn’t
> mention it and only categorises the security weakness in terms of KCI,
> which is irrelevant to this attack. Both attacks are a consequence of a
> lack of Insider Auth security, however, and this lack in HPKE was known
> from the security analysis and should have been communicated.
>
> [1]:
> https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04#section-2.1
> [2]: https://neilmadden.blog/2021/02/16/when-a-kem-is-not-enough/
>
> — Neil
>

v2.23.0 | Report a Bug | By Email