IETF Logo Mail Archive

Re: [CFRG] HPKE and Key Wrapping

Dan Harkins <dharkins@lounge.org> Tue, 31 May 2022 16:43 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FE8DC157B4C for <cfrg@ietfa.amsl.com>; Tue, 31 May 2022 09:43:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.782
X-Spam-Level:
X-Spam-Status: No, score=-3.782 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.876, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lunHGjk-2xcN for <cfrg@ietfa.amsl.com>; Tue, 31 May 2022 09:43:01 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E8BFC147930 for <cfrg@irtf.org>; Tue, 31 May 2022 09:43:01 -0700 (PDT)
Received: from kitty.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0RCR0VYLCAFPZZ@wwwlocal.goatley.com> for cfrg@irtf.org; Tue, 31 May 2022 11:43:01 -0500 (CDT)
Received: from [15.111.200.42] (kitty.dhcp.bergandi.net [10.0.42.19]) by kitty.bergandi.net (PMDF V6.8 #2433) with ESMTPSA id <0RCR00D92AFOGS@kitty.bergandi.net> for cfrg@irtf.org; Tue, 31 May 2022 09:43:00 -0700 (PDT)
Received: from ext-104-36-248-13.arubanetworks.com ([104.36.248.13] EXTERNAL) (EHLO [15.111.200.42]) with TLS/SSL by kitty.bergandi.net ([10.0.42.19]) (PreciseMail V3.3); Tue, 31 May 2022 09:43:00 -0700
Date: Tue, 31 May 2022 09:43:00 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <C0494995-0D2E-42BE-8D21-4BB23C4E8E19@gmail.com>
To: cfrg@irtf.org
Message-id: <aff51f72-8a3c-3172-fc91-87fcf156b4ac@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_b+GzU+KqJSpcGk+3XP0E8Q)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.8.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=kitty.bergandi.net, send-ip=104.36.248.13)
X-PMAS-External-Auth: ext-104-36-248-13.arubanetworks.com [104.36.248.13] (EHLO [15.111.200.42])
References: <HE1PR0701MB3050AFD941AABAB80D7EC31E891E9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <7c67e7a0-ddaa-4f2e-9a1e-91af4956c0f1@beta.fastmail.com> <4627F814-4AE0-4E13-ADA3-2C30AF258385@vigilsec.com> <YkWDnvnHyJOUu3ol@LK-Perkele-VII2.locald> <C0494995-0D2E-42BE-8D21-4BB23C4E8E19@gmail.com>
X-PMAS-Software: PreciseMail V3.3 [220518a] (kitty.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3H_NzU0HEqzewetj-peKj68vLuI>
Subject: Re: [CFRG] HPKE and Key Wrapping
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2022 16:43:05 -0000

   Hi,

   I'd like to resurrect this thread. There seemed to be some support for
adding an MRAE cipher to HPKE for key wrapping and also some support for
AES-SIV being the cipher to add do to its advantages over other key wrapping
schemes-- it accepts any length input without required padding out to some
particular block size, and it accepts associated data.

   At the last IETF I asked for a consensus call on 
draft-harkins-cfrg-dnhpke,
which proposes adding AES-SIV to the HKDF AEAD registry. If we advanced that
draft we'd have the permanent and readily available specification that is
required. Can we do that? Then all we'd need is the designated expert
to review and approve.

   I guess alternatively we could point to RFC 5297 as the permanent and
readily available specification. Then all we'd need is a designated expert.
Still, I'd like to see if there's support to advance my draft.

   regards,

   Dan.

On 3/31/22 4:50 AM, Neil Madden wrote:
>
>> On 31 Mar 2022, at 11:34, Ilari Liusvaara <ilariliusvaara@welho.com> 
>> wrote:
>>
>> On Wed, Mar 30, 2022 at 04:15:44PM -0400, Russ Housley wrote:
>>> Martin:
>>>>
>>>> On Tue, Mar 29, 2022, at 20:05, John Mattsson wrote:
>>>>> Would it make sense to standardize AES-KWP for HPKE or do CFRG believe
>>>>> that AES-SIV is the future of key wrapping? Irrespectively I think the
>>>>> CFRF should produce a good recommendation on how to use HPKE for key
>>>>> wrapping.
>>>>
>>>> What is wrong with the existing HPKE cipher suites for protecting
>>>> keying materials?  That is, aside from not carrying a NIST
>>>> approval stamp.
>>>
>>> If you try to apply HPKE to the COSE or JOSE structures, it just does
>>> not quite fit.  However, by using HPKE to deliver a key-encryption key
>>> (KEK) to the recipient, the structures fit.  So, it would be really
>>> nice to use a Key-Wrap algorithm in HPKE to encrypt the KEK.
>>
>> Not sure about JOSE, but in COSE, the structures do fit even for direct
>> encryption. COSE-HPKE does not use receipients itself, so it can go into
>> cose_encrypt0, resulting in direct encryption.
>
> I’m not sure if this point is directly related to what is being 
> proposed here, but I think it is worth mentioning:
>
> JOSE and COSE allow sending the same message to multiple recipients 
> using key-wrapping. In the case of an authenticated KEM (AKEM), this 
> usage undermines the authenticity guarantees due to the lack of 
> Insider-Auth security (as per section 5.4 of 
> https://eprint.iacr.org/2020/1499.pdf) in HPKE AKEM. In short, any 
> recipient of the original message can simply take the unwrapped 
> content encryption key and use it to produce a new message that 
> appears to come from the original sender.
>
> This is why 
> https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04 requires 
> a compactly-committing AEAD for symmetric content encryption (DEM) and 
> includes the AEAD tag in the KEM KDF computation to ensure the KEM 
> encapsulation for each recipient is bound to the whole message. This 
> current design was arrived at after previous discussion on the CFRG 
> list 
> (https://mailarchive.ietf.org/arch/msg/cfrg/iNoSj9g2cQ0JvDbHs4I70bfhrRc/) 
> and some offline discussions.
>
> (An alternative approach is to include the AEAD tag in associated data 
> of the key-wrapping process, which is another advantage of SIV-AES 
> over AES-KW - the latter not supporting associated data).
>
> Kind regards,
>
> Neil
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

v2.23.0 | Report a Bug | By Email