Re: [CFRG] HPKE and Key Wrapping

John Mattsson <john.mattsson@ericsson.com> Wed, 30 March 2022 08:51 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Dan Harkins <dharkins@lounge.org>, IRTF CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] HPKE and Key Wrapping
Thread-Index: AQHYQ0u7KP9IsmRXD0Kbvf1+Gh7oQ6zWfNmAgAEP3oM=
Date: Wed, 30 Mar 2022 08:51:44 +0000
Message-ID: <HE1PR0701MB30505DA9DCB9626D0EAFE56E891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <HE1PR0701MB3050AFD941AABAB80D7EC31E891E9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <35bac2f1-b647-4802-def8-9fee5d49d75e@lounge.org>
In-Reply-To: <35bac2f1-b647-4802-def8-9fee5d49d75e@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ID0JuUDIg7np4CxMZLq-7Zuaj40>

Thanks Dan,

AES-SIV seems preferable to AES-KWP for symmetric key wrapping, but I understand NIST's reluctance to change unless some weakness is found in KWP. I am fine with algorithms published in RFCs, but not algorithms published behind paywalls such as X9.102.

How does AES-SIV (RFC 5297) compare with AES-GCM-SIV (RFC 8452)? Do we need both algorithms in the future? Does AES-GCM-SIV with a fixed nonce provide the same properties as nonce-less AES-SIV, or is there a difference? Your current draft only specifies a nonce-less AEAD, but I would not be surprised if somebody in the future wants to also add a nonce-misuse-resistant AEAD to HPKE. It feels like it would be good to have some CFRG discussion on this, so that we add the right AEADs to HPKE. I don't have enough knowledge of these two SIV algorithms to have an opinion at this point in time.

>if you want to use HPKE for key wrapping you don't even need a key wrapping
>cipher mode, just do AES-GCM in the "one shot" HPKE variant. Wouldn't that work?

Stated goals for key wrapping have been to try to avoid external state and reliance on RNGs. Single-shot HPKE (with AES-GCM) seems similar to using AES-GCM with a random nonce for key wrap. The difference is at which layer a trusted RNG is needed. When using single-shot HPKE (with AES-GCM), an RNG-controlling attacker that has knowledge of one of the keys can compromise all other keys. I would be much more comfortable with using a nonce-less or nonce-misuse-resistant mode like AES-KWP, AES-SIV, or AES-GCM-SIV when using HPKE for key wrapping.

Cheers,
John

From: Dan Harkins <dharkins@lounge.org>
Date: Tuesday, 29 March 2022 at 17:29
To: John Mattsson <john.mattsson@ericsson.com>, IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] HPKE and Key Wrapping

  Hi John,

  There is a very nice critique of AES-KW (which is also defined in the X9.102
draft as well as the RFCs you mention) in Appendix A of the Rogaway and Shrimpton
paper that defined SIV. To sum:

    "[O]ur conclusion is that none of the X9.102 algorithms are mature. Most
     severely, none has been proven secure—and, prior to this paper, there
     was not even a clear target for a security proof. Each scheme has multiple
     problems from among the following: a restricted message space; an inability
     to handle an associated header; a restricted header space; ciphertext
     lengths that grow with the header length (even though the header is only
     authenticated); a large number of blockcipher calls; mysterious aspects of
     the construction (eg, the byte-reversals or xoring-in counters); and use
     of cryptographic primitives beyond a blockcipher. For a modern encryption
     scheme one might reasonably hope for a formally defined and provably achieved
     security goal, an aesthetic construction coming out of an enunciated paradigm,
     message headers being supported and the message space and header space being
     large and natural sets, message expansion of some fixed value, one or two
     blockcipher calls per block, and further efficiency characteristics (like
     being able to cheaply handle static headers)."

It's also worth noting that AES-KW suffers from the same issue that was brought
up when I mentioned using AES-SIV in HPKE: it is stateless and deterministic and
therefore it is not really possible to achieve indistinguishability of ciphertexts
under an adaptive chosen ciphertext attack, which is what HPKE is supposed to
provide.

  You're right that AES-SIV is not approved by NIST. I discussed this with NIST
a decade ago and there is an effective catch-22 in which NIST doesn't want to
spend cycles analyzing and approving a cipher mode that is not specified in any
standards and standards bodies are loath to specify cipher modes that have not
been NIST approved. AES-SIV was formally submitted to NIST but no action has
been taken, yet I persist (in trying to get NIST to approve AES-SIV).

  So while I think that AES-SIV is an improvement over AES-KW for the purposes
of key wrapping (it's faster, and it's provably secure) if you want to use HPKE
for key wrapping you don't even need a key wrapping cipher mode, just do AES-GCM
in the "one shot" HPKE variant. Wouldn't that work?

  regards,

  Dan.
On 3/29/22 2:05 AM, John Mattsson wrote:
Hi,

Dan Harkins' draft and presentation made me think about HPKE and key wrapping.
https://datatracker.ietf.org/doc/html/draft-harkins-cfrg-dnhpke-01

AES-SIV could be used for this, but the algorithms currently approved by NIST for key wrapping are AES-KW and AES-KWP.

https://datatracker.ietf.org/doc/html/rfc3394
https://datatracker.ietf.org/doc/html/rfc5649
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf

For asymmetric key wrapping, AES-KWP is often used with RSA-OAEP (which NIST calls KTS-OAEP: Key-Transport Using RSA-OAEP in SP 800-56Br2).

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf
https://cloud.google.com/kms/docs/key-wrapping
https://microsoft.github.io/CCF/release/1.x/js/ccf-app/interfaces/global.rsaoaepaeskwpparams.html

I think HPKE is the future of asymmetric encryption including asymmetric key wrapping.

Would it make sense to standardize AES-KWP for HPKE, or do CFRG believe that AES-SIV is the future of key wrapping? Irrespectively, I think the CFRG should produce a good recommendation on how to use HPKE for key wrapping.

Cheers,
John



--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius