[Cfrg] comments on draft-irtf-cfrg-hpke
"Riad S. Wahby" <rsw@cs.stanford.edu> Tue, 02 June 2020 20:08 UTC
Return-Path: <rswatjfet.org@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 505453A0878 for <cfrg@ietfa.amsl.com>; Tue, 2 Jun 2020 13:08:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YrAhGBsVR7eZ for <cfrg@ietfa.amsl.com>; Tue, 2 Jun 2020 13:08:25 -0700 (PDT)
Received: from mail-pg1-f181.google.com (mail-pg1-f181.google.com [209.85.215.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36D483A0D83 for <cfrg@irtf.org>; Tue, 2 Jun 2020 13:08:25 -0700 (PDT)
Received: by mail-pg1-f181.google.com with SMTP id o6so57356pgh.2 for <cfrg@irtf.org>; Tue, 02 Jun 2020 13:08:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:mime-version :content-disposition; bh=O9AhAKEy2qquXZkydCZKpiOrgGMh5VxlYgr3uGHvbxY=; b=JAygNNPUQsB/J6ji5mtwlkhU/bnLyUc6pe7da3p3sbrFfyf9/ND9xe93uembohLC+e RLLbDSk1DZgPvh0bWm6ZjJc2OHiLLmRa/vNRNVGc7VfZ7MwchI2STNpkMgxqVgiJSQr4 ZDYgZbDgvIyf5OMvBu0O1OOU5dSLeFNYfNJjsL4M4JpDRIXI65wtbK7+OgBlkz7N41MP FyGpzNRgC2Q8qJBrJYa4iPyt8DJ/lwud8bmh9RBSBtbgvwJhIaXrgsqrm0ZSXsnD4hli /LAND3Ku1V1nirQ26paBfneghb6C8LFwD76fkC22Lo/WK7B5nL7FOnw0R3469QaNMa5S uuRQ==
X-Gm-Message-State: AOAM530qFLKIxIP4H+Kffd/Eu9scNYyHoLbnEV+ihTKgRSdBEFMXsgHw RV/slHM+mMXddRYv/QxZTLcRsihp
X-Google-Smtp-Source: ABdhPJxpK9/D9f2IIUQbkni/qBtDFkHdkFc3L/xlvf9c5VjwkIdrtR6ydYUu6S9M1VQIu6/HiADcZw==
X-Received: by 2002:a17:90a:4805:: with SMTP id a5mr1083665pjh.22.1591128504221; Tue, 02 Jun 2020 13:08:24 -0700 (PDT)
Received: from localhost (graviton.stanford.edu. [171.67.76.22]) by smtp.gmail.com with ESMTPSA id 140sm1146pfy.95.2020.06.02.13.08.21 (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Tue, 02 Jun 2020 13:08:23 -0700 (PDT)
Date: Tue, 02 Jun 2020 13:08:21 -0700
From: "Riad S. Wahby" <rsw@cs.stanford.edu>
To: cfrg@irtf.org, draft-irtf-cfrg-hpke@ietf.org
Message-ID: <20200602200821.zqtk5w5stw4c6lrs@muon>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/D4W8F8QNLp9OcQS_o9Vbuh37z80>
Subject: [Cfrg] comments on draft-irtf-cfrg-hpke
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2020 20:08:26 -0000
Hello HPKE authors, This is a great document, and I am looking forward to its publication. I've attached a few small comments and suggestions below my signature. Thanks for the hard work! and please let me know if any of my feedback is unclear. Best regards and stay safe, -=rsw (Note: these comments pertain to the version on GitHub with commit ID d1e58f3d89c3790fef15c756c6279d0811c6f7ab.) - Section 3: encode_big_endian seems to be the same as I2OSP from RFC8017. Would it make sense to reference the existing primitive instead, or at least to note that the two are identical? - Section 4: the definitions of AuthEncap and AuthDecap contain words to the effect, 'the KEM shared secret key is known only to the holder of the private key "skS".' It would be more accurate to say , 'the KEM shared secret key was generated by the holder of the private key "skS"'. - Section 4 and 4.1: it's not totally obvious to me that this is necessary, but might it make sense to note that Unmarshal can fail? - Section 4.1: this may be paranoia, but it would be slightly nicer to include the DH group name in the label arguments of LabeledExtract and LabeledExpand to ensure that invocations from different DHKEM instantiations are orthogonal. - Section 5.1.3: it would be nice to include a reference or citation for unknown key share attacks. - Section 5.2: is there a reason to put the word "amortize" in quotes? - Section 7.1.2: it might be worth mentioning here that [keyagreement] also includes checking that the public key is not the identity point. - Section 7.1.2: is there a reason to recommend either checking for a nonzero scalar or checking for a non-identity DH output? Checking the latter covers the former and also covers the check from my prior comment. Moreover, it is not clear to me that checking the scalar is useful for the recipient, since this is essentially just checking that their long-term secret is nonzero. - Section 8.1: the sentence "In particular, the KDFs and DH groups..." might want to clarify that this statement is true only when these primitives are used as specified. The concern is that HKDF is only indifferentiable under some restrictions on salt length (for reasons noted in Section 8.3). - Section 8.4: it is not quite true that using a PSK longer than Nh bytes has no effect on security, since in practice there is no guarantee that each byte of PSK contributes 8 bits of entropy. Making this distinction seems worthwhile, lest people decide to use only Nh bytes with lots of structure (e.g., ASCII text). (I am aware that the next paragraph discusses low-entropy passwords, but I am talking about an intermediate regime. For example, consider the case of a diceware passphrase: each word contributes only 10--15 bits of entropy, but is ~6 bytes long. Using 12 words is certainly better than using 6, even though 6 words already has length greater than Nh for SHA-256.) - Section 8.4: would it make sense to point to PBKDF / bcrypt / scrypt here? Or is the idea to discourage use of low-entropy passwords entirely? (But one might worry that folks will use low-entropy passwords anyway...)
- [Cfrg] comments on draft-irtf-cfrg-hpke Riad S. Wahby
- Re: [Cfrg] comments on draft-irtf-cfrg-hpke Christopher Wood