Re: [CFRG] HPKE and Key Wrapping
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 31 May 2022 16:51 UTC
To: Dan Harkins <dharkins@lounge.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/C--KSsq-t0fyFMS7X8uFFo3PgCw>
I support advancement of this draft, as I think that standardizing a SIV mode is necessary for cryptographic protocols. Having said that, I prefer the way AES-GCM-SIV deals with keys to what you’re doing, but that’s secondary.

Thanks!
--
V/R,
Uri

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare

From: CFRG <cfrg-bounces@irtf.org> on behalf of Dan Harkins <dharkins@lounge.org>
Date: Tuesday, May 31, 2022 at 12:43
To: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] HPKE and Key Wrapping

Hi,

I'd like to resurrect this thread. There seemed to be some support for adding an MRAE cipher to HPKE for key wrapping and also some support for AES-SIV being the cipher to add due to its advantages over other key wrapping schemes -- it accepts any length input without required padding out to some particular block size, and it accepts associated data.

At the last IETF I asked for a consensus call on draft-harkins-cfrg-dnhpke, which proposes adding AES-SIV to the HKDF AEAD registry. If we advanced that draft we'd have the permanent and readily available specification that is required. Can we do that? Then all we'd need is the designated expert to review and approve.

I guess alternatively we could point to RFC 5297 as the permanent and readily available specification. Then all we'd need is a designated expert. Still, I'd like to see if there's support to advance my draft.

regards,

Dan.

On 3/31/22 4:50 AM, Neil Madden wrote:
> On 31 Mar 2022, at 11:34, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>> On Wed, Mar 30, 2022 at 04:15:44PM -0400, Russ Housley wrote:
>>> Martin:
>>>
>>>> On Tue, Mar 29, 2022, at 20:05, John Mattsson wrote:
>>>>> Would it make sense to standardize AES-KWP for HPKE or does CFRG believe that AES-SIV is the future of key wrapping? Irrespectively I think the CFRG should produce a good recommendation on how to use HPKE for key wrapping.
>>>>
>>>> What is wrong with the existing HPKE cipher suites for protecting keying materials? That is, aside from not carrying a NIST approval stamp.
>>>
>>> If you try to apply HPKE to the COSE or JOSE structures, it just does not quite fit. However, by using HPKE to deliver a key-encryption key (KEK) to the recipient, the structures fit. So, it would be really nice to use a Key-Wrap algorithm in HPKE to encrypt the KEK.
>>
>> Not sure about JOSE, but in COSE, the structures do fit even for direct encryption. COSE-HPKE does not use recipients itself, so it can go into cose_encrypt0, resulting in direct encryption.
>
> I’m not sure if this point is directly related to what is being proposed here, but I think it is worth mentioning: JOSE and COSE allow sending the same message to multiple recipients using key-wrapping. In the case of an authenticated KEM (AKEM), this usage undermines the authenticity guarantees due to the lack of Insider-Auth security (as per section 5.4 of https://eprint.iacr.org/2020/1499.pdf) in HPKE AKEM. In short, any recipient of the original message can simply take the unwrapped content encryption key and use it to produce a new message that appears to come from the original sender.
>
> This is why https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04 requires a compactly-committing AEAD for symmetric content encryption (DEM) and includes the AEAD tag in the KEM KDF computation to ensure the KEM encapsulation for each recipient is bound to the whole message. This current design was arrived at after previous discussion on the CFRG list (https://mailarchive.ietf.org/arch/msg/cfrg/iNoSj9g2cQ0JvDbHs4I70bfhrRc/) and some offline discussions. (An alternative approach is to include the AEAD tag in associated data of the key-wrapping process, which is another advantage of SIV-AES over AES-KW - the latter not supporting associated data).
>
> Kind regards,
> Neil

--
"The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius