Re: [CFRG] HPKE and Key Wrapping

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 31 May 2022 16:51 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Dan Harkins <dharkins@lounge.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Tue, 31 May 2022 16:51:19 +0000
Message-ID: <BE3C3092-9C44-442F-AFC8-2415B9182894@ll.mit.edu>
References: <HE1PR0701MB3050AFD941AABAB80D7EC31E891E9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <7c67e7a0-ddaa-4f2e-9a1e-91af4956c0f1@beta.fastmail.com> <4627F814-4AE0-4E13-ADA3-2C30AF258385@vigilsec.com> <YkWDnvnHyJOUu3ol@LK-Perkele-VII2.locald> <C0494995-0D2E-42BE-8D21-4BB23C4E8E19@gmail.com> <aff51f72-8a3c-3172-fc91-87fcf156b4ac@lounge.org>
In-Reply-To: <aff51f72-8a3c-3172-fc91-87fcf156b4ac@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/C--KSsq-t0fyFMS7X8uFFo3PgCw>

I support advancement of this draft, as I think that standardizing a SIV mode is necessary for cryptographic protocols.


Having said that, I prefer the way AES-GCM-SIV deals with keys to what you’re doing, but that’s secondary.


Thanks!

--

V/R,

Uri


There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

- C. A. R. Hoare

From: CFRG <cfrg-bounces@irtf.org> on behalf of Dan Harkins <dharkins@lounge.org>
Date: Tuesday, May 31, 2022 at 12:43
To: CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] HPKE and Key Wrapping


  Hi,

  I'd like to resurrect this thread. There seemed to be some support for
adding an MRAE cipher to HPKE for key wrapping and also some support for
AES-SIV being the cipher to add due to its advantages over other key wrapping
schemes -- it accepts any length input without required padding out to some
particular block size, and it accepts associated data.

  At the last IETF I asked for a consensus call on draft-harkins-cfrg-dnhpke,
which proposes adding AES-SIV to the HKDF AEAD registry. If we advanced that
draft we'd have the permanent and readily available specification that is
required. Can we do that? Then all we'd need is the designated expert
to review and approve.

  I guess alternatively we could point to RFC 5297 as the permanent and
readily available specification. Then all we'd need is a designated expert.
Still, I'd like to see if there's support to advance my draft.

  regards,

  Dan.

On 3/31/22 4:50 AM, Neil Madden wrote:


On 31 Mar 2022, at 11:34, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:


On Wed, Mar 30, 2022 at 04:15:44PM -0400, Russ Housley wrote:


Martin:



On Tue, Mar 29, 2022, at 20:05, John Mattsson wrote:


Would it make sense to standardize AES-KWP for HPKE or does CFRG believe
that AES-SIV is the future of key wrapping? Irrespectively I think the
CFRG should produce a good recommendation on how to use HPKE for key
wrapping.


What is wrong with the existing HPKE cipher suites for protecting
keying materials?  That is, aside from not carrying a NIST
approval stamp.


If you try to apply HPKE to the COSE or JOSE structures, it just does
not quite fit.  However, by using HPKE to deliver a key-encryption key
(KEK) to the recipient, the structures fit.  So, it would be really
nice to use a Key-Wrap algorithm in HPKE to encrypt the KEK.


Not sure about JOSE, but in COSE, the structures do fit even for direct
encryption. COSE-HPKE does not use recipients itself, so it can go into
cose_encrypt0, resulting in direct encryption.


I’m not sure if this point is directly related to what is being proposed here, but I think it is worth mentioning:


JOSE and COSE allow sending the same message to multiple recipients using key-wrapping. In the case of an authenticated KEM (AKEM), this usage undermines the authenticity guarantees due to the lack of Insider-Auth security (as per section 5.4 of https://eprint.iacr.org/2020/1499.pdf) in HPKE AKEM. In short, any recipient of the original message can simply take the unwrapped content encryption key and use it to produce a new message that appears to come from the original sender.


This is why https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04 requires a compactly-committing AEAD for symmetric content encryption (DEM) and includes the AEAD tag in the KEM KDF computation to ensure the KEM encapsulation for each recipient is bound to the whole message. This current design was arrived at after previous discussion on the CFRG list (https://mailarchive.ietf.org/arch/msg/cfrg/iNoSj9g2cQ0JvDbHs4I70bfhrRc/) and some offline discussions.


(An alternative approach is to include the AEAD tag in associated data of the key-wrapping process, which is another advantage of SIV-AES over AES-KW - the latter not supporting associated data).


Kind regards,


Neil



_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg


-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius
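Added example (not code from this thread, from draft-harkins-cfrg-dnhpke, draft-madden-jose-ecdh-1pu or any HPKE implementation): a self-contained Python illustration of the two points discussed above. Dan's point is that an SIV-mode key wrap takes associated data and any-length input; Neil's point is that in a multi-recipient JOSE/COSE layout a legitimate recipient holds the unwrapped content encryption key and can re-encrypt a different body under it, and that binding the AEAD tag of the body into the key wrap (here via the wrap's associated data, the alternative Neil mentions in parentheses; the KEM-KDF variant from his draft is not shown) makes the other recipients reject the result. The cipher below is a toy SIV composition built from HMAC-SHA256 and a hash-based counter-mode keystream, standing in for RFC 5297 AES-SIV; the message layout, the names `alice`/`bob`, and all keys are constructed for the example.

```python
"""Added example: binding wrapped keys to the message's AEAD tag.

Toy SIV composition (HMAC-SHA256 as the PRF, a hash-based counter-mode
keystream) standing in for AES-SIV. It is NOT RFC 5297 AES-SIV and is for
illustration only. Like AES-SIV it accepts associated data and any-length
plaintext, which is what lets the key wrap be bound to the body's tag.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

TAG_LEN = 32


def _prf(key: bytes, *parts: bytes) -> bytes:
    """PRF over several fields; each is length-prefixed so the encoding is unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(8, "big"))
        h.update(p)
    return h.digest()


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream derived from the synthetic IV."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def siv_encrypt(key: bytes, ad: bytes, pt: bytes) -> bytes:
    """tag = PRF(K1, ad, pt); ct = pt XOR stream(K2, tag). Returns tag || ct."""
    k1, k2 = key[:32], key[32:]
    tag = _prf(k1, ad, pt)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k2, tag, len(pt))))
    return tag + ct


def siv_decrypt(key: bytes, ad: bytes, blob: bytes) -> Optional[bytes]:
    """Decrypt, then recompute the tag over (ad, pt); None on mismatch."""
    k1, k2 = key[:32], key[32:]
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(k2, tag, len(ct))))
    if not hmac.compare_digest(tag, _prf(k1, ad, pt)):
        return None
    return pt


def wrap_ad(body: bytes, bind_tag: bool) -> bytes:
    """Associated data for the key wrap: the body's AEAD tag when binding is on."""
    return body[:TAG_LEN] if bind_tag else b""


def encrypt_to_many(cek: bytes, keks: Dict[str, bytes], pt: bytes, bind_tag: bool) -> dict:
    """One DEM ciphertext plus a per-recipient wrapped CEK (JOSE/COSE-style layout)."""
    body = siv_encrypt(cek, b"", pt)
    ad = wrap_ad(body, bind_tag)
    return {"body": body,
            "wrapped": {name: siv_encrypt(kek, ad, cek) for name, kek in keks.items()}}


def open_as(name: str, kek: bytes, msg: dict, bind_tag: bool) -> Optional[bytes]:
    """Unwrap the CEK under the expected AD, then decrypt the body."""
    cek = siv_decrypt(kek, wrap_ad(msg["body"], bind_tag), msg["wrapped"][name])
    if cek is None:
        return None
    return siv_decrypt(cek, b"", msg["body"])


def scenario(bind_tag: bool) -> Dict[str, Optional[bytes]]:
    """Sender encrypts to Alice and Bob. Bob, a legitimate recipient, then reuses
    the unwrapped CEK for a different body and forwards it with the sender's
    original wrapped-key blobs (the insider case from the thread).
    Returns what Alice recovers from each message; None means she rejects it."""
    keks = {"alice": os.urandom(64), "bob": os.urandom(64)}  # constructed keys
    cek = os.urandom(64)
    original = encrypt_to_many(cek, keks, b"original", bind_tag)
    # Bob legitimately unwraps the CEK from his own slot.
    bobs_cek = siv_decrypt(keks["bob"], wrap_ad(original["body"], bind_tag),
                           original["wrapped"]["bob"])
    assert bobs_cek == cek
    reused = {"body": siv_encrypt(bobs_cek, b"", b"altered"),
              "wrapped": original["wrapped"]}
    return {"original": open_as("alice", keks["alice"], original, bind_tag),
            "reused": open_as("alice", keks["alice"], reused, bind_tag)}


if __name__ == "__main__":
    print("no binding:", scenario(False))  # Alice accepts the reused-CEK body
    print("tag in AD: ", scenario(True))   # Alice rejects it: the wrap's AD no longer matches
```

With `bind_tag=False` Alice decrypts the reused body as if the original sender had produced it, which is exactly the gap Neil describes. With `bind_tag=True` the sender's wrapped-key blobs carry the original body's tag as associated data, so they only unwrap next to that body; any body with a different tag fails at the unwrap step. A key wrap without associated data (the AES-KW case Neil contrasts) has no slot for this binding, which is why the choice of wrap algorithm matters for the multi-recipient case.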