Re: [CFRG] HPKE and Key Wrapping

Dan Harkins <dharkins@lounge.org> Tue, 29 March 2022 15:29 UTC


   Hi John,

   There is a very nice critique of AES-KW (which is also defined in the X9.102
draft as well as the RFCs you mention) in Appendix A of the Rogaway and Shrimpton
paper that defined SIV. To sum:

     "[O]ur conclusion is that none of the X9.102 algorithms are mature. Most
      severely, none has been proven secure—and, prior to this paper, there
      was not even a clear target for a security proof. Each scheme has multiple
      problems from among the following: a restricted message space; an inability
      to handle an associated header; a restricted header space; ciphertext
      lengths that grow with the header length (even though the header is only
      authenticated); a large number of blockcipher calls; mysterious aspects of
      the construction (eg, the byte-reversals or xoring-in counters); and use
      of cryptographic primitives beyond a blockcipher. For a modern encryption
      scheme one might reasonably hope for a formally defined and provably achieved
      security goal, an aesthetic construction coming out of an enunciated paradigm,
      message headers being supported and the message space and header space being
      large and natural sets, message expansion of some fixed value, one or two
      blockcipher calls per block, and further efficiency characteristics (like
      being able to cheaply handle static headers)."

It's also worth noting that AES-KW suffers from the same issue that was brought
up when I mentioned using AES-SIV in HPKE: it is stateless and deterministic and
therefore it is not really possible to achieve indistinguishability of ciphertexts
under an adaptive chosen ciphertext attack, which is what HPKE is supposed to
provide.

   You're right that AES-SIV is not approved by NIST. I discussed this with NIST
a decade ago and there is an effective catch-22 in which NIST doesn't want to
spend cycles analyzing and approving a cipher mode that is not specified in any
standards and standards bodies are loath to specify cipher modes that have not
been NIST approved. AES-SIV was formally submitted to NIST but no action has
been taken, yet I persist (in trying to get NIST to approve AES-SIV).

   So while I think that AES-SIV is an improvement over AES-KW for the purposes
of key wrapping (it's faster, and it's provably secure), if you want to use HPKE
for key wrapping you don't even need a key wrapping cipher mode, just do AES-GCM
in the "one shot" HPKE variant. Wouldn't that work?

   regards,

   Dan.

On 3/29/22 2:05 AM, John Mattsson wrote:
>
> Hi,
>
> Dan Harkins' draft and presentation made me think about HPKE and key 
> wrapping.
>
> https://datatracker.ietf.org/doc/html/draft-harkins-cfrg-dnhpke-01
>
> AES-SIV could be used for this, but the algorithms currently approved 
> by NIST for key wrapping are AES-KW and AES-KWP.
>
> https://datatracker.ietf.org/doc/html/rfc3394
>
> https://datatracker.ietf.org/doc/html/rfc5649
>
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
>
> For asymmetric key wrapping, AES-KWP is often used with RSA-OAEP 
> (which NIST calls KTS-OAEP: Key-Transport Using RSA-OAEP in SP 800-56Br2).
>
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf
>
> https://cloud.google.com/kms/docs/key-wrapping
>
> https://microsoft.github.io/CCF/release/1.x/js/ccf-app/interfaces/global.rsaoaepaeskwpparams.html
>
> I think HPKE is the future of asymmetric encryption including 
> asymmetric key wrapping.
>
> Would it make sense to standardize AES-KWP for HPKE or does CFRG believe 
> that AES-SIV is the future of key wrapping? Irrespectively I think the 
> CFRG should produce a good recommendation on how to use HPKE for key 
> wrapping.
>
> Cheers,
>
> John
>
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius