IETF Logo Mail Archive

Re: [CFRG] Fwd: [Technical Errata Reported] RFC9180 (7790)

Neil Madden <neil.e.madden@gmail.com> Wed, 03 April 2024 12:13 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BD35C151701 for <cfrg@ietfa.amsl.com>; Wed, 3 Apr 2024 05:13:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afsATVn5tRYy for <cfrg@ietfa.amsl.com>; Wed, 3 Apr 2024 05:13:35 -0700 (PDT)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69DA2C14F6A2 for <cfrg@irtf.org>; Wed, 3 Apr 2024 05:13:35 -0700 (PDT)
Received: by mail-wm1-x334.google.com with SMTP id 5b1f17b1804b1-4157ff92828so3424965e9.0 for <cfrg@irtf.org>; Wed, 03 Apr 2024 05:13:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712146413; x=1712751213; darn=irtf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=xmY7sJQLerN0ptWlJov4GJTovMECItefwNMH5nR5/8k=; b=e8erF7k+G9Cl4ivLXp9k4b1jvNjrqIQbKD8YFK40K54uyrPmvVx4rF739TfV2ko2eW y1MnPW3k5Bs5WUEgSitRvbPdqFOCjLlNwhxbEnEFHrrZQfsoz4JE7jWwrTVoqFjEj/+o PnBHDwR1GnwMsMlYUzg4q+NNxBeFXUdz/M1nHWcLZ3aIOejc2LRHJKBY9yAbeWOjsKuC eInXJbcTGTdl7QDE6ymS/xw4Usw79UrN5twdTikGBNZezcobKWLmRIv2vqPq8Z9h99ay 9A84vdHp8AwzsxjCh2YB4La3OQ9dTIocghFY3obfZPvbBr3z002yKOAAVyJ6vKHLekmp +8yg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712146413; x=1712751213; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=xmY7sJQLerN0ptWlJov4GJTovMECItefwNMH5nR5/8k=; b=muYLhi/3GFnUMKCgybSBZmYc/BcZ2o0dAUHD4CQMAdsPX9vgFvzvD3xBrBZdw9ejQm OR6fSCIFA0DNXspqZj4+iJ5Uc7zdyP6akdH3Nmx4eHO4i6CMp1uPfxCrj+WRiDBEcUeb G1utBop8osA4J4p9XG76bRwHdQUlZ+wWQsqq4U/w9hKMR4VhCCl3HdXz1BqGnfEaV/9z EM8AGVUMkZu3xQ8KgswLZ4wf/tr3+5JNwT0x8GUiK7zDo75rz4HLe8gI0GJ01qJd7lBR oE5svcA+PJB+/E3HL1P/QKbg2yhfVjMnjgQUFe76wK3UXNFxb8lh77UPkN/xnkQpZLqP 5NDA==
X-Gm-Message-State: AOJu0Ywvzvs/CzJWaQ02nM/cjbx/aNiebi4y+q1Ozw4GOgKFsmj4OLX8 gOOXU5qv9xC8MPvwPq+U6wbr33cNcKsc8LgHWQf2Pos9bc0XhujVdg2tXfu1
X-Google-Smtp-Source: AGHT+IGxtKMIh9iTCtG8NRo7fcBdZ6Ko7nVuBRz5qnaFztfiFb5b4i8QuwVMB1oho1NA1xCNAWKa/g==
X-Received: by 2002:a05:600c:3c9d:b0:415:5152:565a with SMTP id bg29-20020a05600c3c9d00b004155152565amr9986046wmb.3.1712146412509; Wed, 03 Apr 2024 05:13:32 -0700 (PDT)
Received: from smtpclient.apple (130.249.143.150.dyn.plus.net. [150.143.249.130]) by smtp.gmail.com with ESMTPSA id c2-20020a05600c0a4200b0041563096e15sm10938274wmq.5.2024.04.03.05.13.31 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 03 Apr 2024 05:13:31 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Date: Wed, 03 Apr 2024 13:13:20 +0100
Message-Id: <00773A27-1CE2-4A08-961F-C25D4C2FEA35@gmail.com>
References: <31cdc56a-db7e-4f06-9ac5-818aaa5fd9ea@betaapp.fastmail.com>
Cc: cfrg@irtf.org
In-Reply-To: <31cdc56a-db7e-4f06-9ac5-818aaa5fd9ea@betaapp.fastmail.com>
To: Martin Thomson <mt@lowentropy.net>
X-Mailer: iPhone Mail (21D61)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/C9R68FREAFjcwYKpiOBdtPMVyrg>
Subject: Re: [CFRG] Fwd: [Technical Errata Reported] RFC9180 (7790)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2024 12:13:39 -0000

On 3 Apr 2024, at 00:13, Martin Thomson <mt@lowentropy.net> wrote:
> 
> 
>> 
>> From my perspective, this erratum at least is not really errata-worthy.  It's great feedback on the document, but not strictly an error that needs correction. Oversights, omissions, and lost opportunities are to be expected.

Are you quoting someone here, or is this your opinion? My own opinion (as the erratum reporter) is that RFC 9180 seriously misrepresents the security analysis it is supposed to be based on. At least in a JOSE context, that misrepresentation could lead to serious security vulnerabilities. 

For example, suppose you use HPKE AKEM with JOSE to encrypt an OAuth access token to be consumed by two APIs: A and B (each with their own public keys). The lack of Insider Auth security means that when A receives an access token from a legitimate client, they can use it to create arbitrary forged access tokens to send to B.

This serious issue is not mentioned at all in RFC1980, but *is* clearly discussed in the linked security analysis. The RFC instead states (erroneously) that HPKE “fulfils these notions”. IMO it should never have been published with such a glaring mistake. 

— Neil

> 
> The correct disposition for this sort of thing is "Hold for Document Update".
> 
>> On Wed, Apr 3, 2024, at 07:46, Neil Madden wrote:
>> Anyone know what’s going on with errata for HPKE? I reported this one
>> in January and not heard anything about it. There appears to be 3
>> errata on RFC 9180 that are in “reported” state, 2 of which date back
>> to 2022. Is anyone looking at them?
>> 
>> Regards,
>> 
>> Neil
>> 
>> Begin forwarded message:
>> 
>>> *From:* RFC Errata System <rfc-editor@rfc-editor.org>
>>> *Date:* 30 January 2024 at 10:24:00 GMT
>>> *To:* rlb@ipv.sx, karthikeyan.bhargavan@inria.fr, ietf@benjaminlipp.de, caw@heapingbits.net, irsg@irtf.org
>>> *Cc:* neil.e.madden@gmail.com, rfc-editor@rfc-editor.org
>>> *Subject:* *[Technical Errata Reported] RFC9180 (7790)*
>>> 
>>> The following errata report has been submitted for RFC9180,
>>> "Hybrid Public Key Encryption".
>>> 
>>> --------------------------------------
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid7790
>>> 
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Neil Madden <neil.e.madden@gmail.com>
>>> 
>>> Section: 9.1.2
>>> 
>>> Original Text
>>> -------------
>>>  A detailed computational analysis of HPKE's Auth mode single-shot
>>>  encryption API has been done in [ABHKLR20].  The paper defines
>>>  security notions for authenticated KEMs and for authenticated public
>>>  key encryption, using the outsider and insider security terminology
>>>  known from signcryption [SigncryptionDZ10].  The analysis proves that
>>>  DHKEM's AuthEncap()/AuthDecap() interface fulfills these notions for
>>>  all Diffie-Hellman groups specified in this document.
>>> 
>>> 
>>> Corrected Text
>>> --------------
>>>  A detailed computational analysis of HPKE's Auth mode single-shot
>>>  encryption API has been done in [ABHKLR20].  The paper defines
>>>  security notions for authenticated KEMs and for authenticated public
>>>  key encryption, using the outsider and insider security terminology
>>>  known from signcryption [SigncryptionDZ10].  The analysis proves that
>>>  DHKEM's AuthEncap()/AuthDecap() interface fulfills the notions of
>>>  Outsider-CCA, Insider-CCA, and Outsider-Auth for all Diffie-Hellman
>>>  groups specified in this document. It does not fulfill the notion of
>>>  Insider-Auth defined in the paper.
>>> 
>>> Notes
>>> -----
>>> The referenced paper defines four notions of security, Outsider-CCA, Insider-CCA, Outsider-Auth, and Insider-Auth. It proves that HPKE meets the first three, but, contrary to the current text of the RFC, it proves that it does *not* meet Insider-Auth security and that this is infeasible for HPKE. This is an important negative security result that should have been highlighted in the RFC.
>>> 
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". (If it is spam, it
>>> will be removed shortly by the RFC Production Center.) Please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party  
>>> will log in to change the status and edit the report, if necessary.
>>> 
>>> --------------------------------------
>>> RFC9180 (draft-irtf-cfrg-hpke-12)
>>> --------------------------------------
>>> Title               : Hybrid Public Key Encryption
>>> Publication Date    : February 2022
>>> Author(s)           : R. Barnes, K. Bhargavan, B. Lipp, C. Wood
>>> Category            : INFORMATIONAL
>>> Source              : Crypto Forum Research Group
>>> Area                : N/A
>>> Stream              : IRTF
>>> Verifying Party     : IRSG
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://mailman.irtf.org/mailman/listinfo/cfrg
> 
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://mailman.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email