IETF Logo Mail Archive

Re: [CFRG] HPKE and Key Wrapping

Neil Madden <neil.e.madden@gmail.com> Thu, 31 March 2022 11:50 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97AAC3A122F for <cfrg@ietfa.amsl.com>; Thu, 31 Mar 2022 04:50:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8IObVdL0SUCs for <cfrg@ietfa.amsl.com>; Thu, 31 Mar 2022 04:50:22 -0700 (PDT)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 596A13A11F6 for <cfrg@irtf.org>; Thu, 31 Mar 2022 04:50:22 -0700 (PDT)
Received: by mail-wm1-x333.google.com with SMTP id l7-20020a05600c1d0700b0038c99618859so1578703wms.2 for <cfrg@irtf.org>; Thu, 31 Mar 2022 04:50:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=fnn6e4UmsrszOxmBBKL/eceHg/ZqRB8psArnnUgU/KY=; b=FMZ/c7JKCQYetIwX6u0as8rxyIdQTLupTik1BzrZPDGbnb+jEq5+Kn3HIwC79AHuBi OGBzFVtI4qrvDQcchuvGwlSwqZouUPH9R3o3FXSHLoJnux0vC2zG9NTVpDyqpGRYQ8QH k0DWCVjVvc9r3YndDIhbIYN0q00CQvNHsQIjNN7N8aU8Bs6esOnQIkqH/m7t0U2gvXAH uGXnANEEBLtvASEmHqLt3wylaMeHly+nZtWuPPYzA1qisuLkl7WXhTR7rm56Uz1FK3p5 BLLT+pGkm5dFYvYH1mds6PcfixpukEy9QPMmLI9Y2VCx2t3FfBYIqqBNMVvq3PwiicjN 9HTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=fnn6e4UmsrszOxmBBKL/eceHg/ZqRB8psArnnUgU/KY=; b=Iq/A4aNI/MuEm1Glh4LJktpXnn2lRzicpHONM2ow//69yfWsBUUJSwP4SsQCHyjp3f XYU+tf7vDqCM6obK/b+k5NnwRADjOUDz7u6Hlu0p1EetqwqsopB7+TTDC1No1UatZZfe ynjWOtcopqj01PaQ6e8DeSDWyu78QAK2+x5+W7COFt7OeNiuC2djh/VUO6u1t9rjYg5G plnICTWckALuIzUkd/4DURv70O8kIUMKe5nKyyHLLV6LKMO7oAQ3BXXvOtnWNBTkphnF j15ZH5/pb4PRw2EU2rarGNDo1Smkwi4xNRViyPLgAeb1YkZVvdJ9wMdnjwW2R77qsXxe v7dA==
X-Gm-Message-State: AOAM533p4THbRLUpxWy4OYtzXUyZOO5VVCsx3i/fElqMnQG4pFnichMx S5/FmrL18fk/Vt+yFtspg/8=
X-Google-Smtp-Source: ABdhPJwsDRtHkVtHKelXa645T41rGWPozfGyFWDgA1B9SRGsPHpC4Kv4ZSmL9JLkLkeGB1Xni2zUWw==
X-Received: by 2002:a05:600c:4ed2:b0:38c:93ad:4825 with SMTP id g18-20020a05600c4ed200b0038c93ad4825mr4349528wmq.181.1648727420232; Thu, 31 Mar 2022 04:50:20 -0700 (PDT)
Received: from smtpclient.apple (78-33-22-162.static.enta.net. [78.33.22.162]) by smtp.gmail.com with ESMTPSA id t9-20020a05600c198900b0038cb8b38f9fsm7390871wmq.21.2022.03.31.04.50.19 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 31 Mar 2022 04:50:19 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
Message-Id: <C0494995-0D2E-42BE-8D21-4BB23C4E8E19@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F1C44F28-C827-4734-9CAC-C4CFD8C28228"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Thu, 31 Mar 2022 12:50:18 +0100
In-Reply-To: <YkWDnvnHyJOUu3ol@LK-Perkele-VII2.locald>
Cc: IRTF CFRG <cfrg@irtf.org>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
References: <HE1PR0701MB3050AFD941AABAB80D7EC31E891E9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <7c67e7a0-ddaa-4f2e-9a1e-91af4956c0f1@beta.fastmail.com> <4627F814-4AE0-4E13-ADA3-2C30AF258385@vigilsec.com> <YkWDnvnHyJOUu3ol@LK-Perkele-VII2.locald>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/IzrRbYygKszSO4zOigi4Dtxdsqw>
Subject: Re: [CFRG] HPKE and Key Wrapping
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 11:50:28 -0000

> On 31 Mar 2022, at 11:34, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> 
> On Wed, Mar 30, 2022 at 04:15:44PM -0400, Russ Housley wrote:
>> Martin:
>>> 
>>> On Tue, Mar 29, 2022, at 20:05, John Mattsson wrote:
>>>> Would it make sense to standardize AES-KWP for HPKE or do CFRG believe 
>>>> that AES-SIV is the future of key wrapping? Irrespectively I think the 
>>>> CFRF should produce a good recommendation on how to use HPKE for key 
>>>> wrapping.
>>> 
>>> What is wrong with the existing HPKE cipher suites for protecting
>>> keying materials?  That is, aside from not carrying a NIST
>>> approval stamp.
>> 
>> If you try to apply HPKE to the COSE or JOSE structures, it just does
>> not quite fit.  However, by using HPKE to deliver a key-encryption key
>> (KEK) to the recipient, the structures fit.  So, it would be really
>> nice to use a Key-Wrap algorithm in HPKE to encrypt the KEK.
> 
> Not sure about JOSE, but in COSE, the structures do fit even for direct
> encryption. COSE-HPKE does not use receipients itself, so it can go into
> cose_encrypt0, resulting in direct encryption.

I’m not sure if this point is directly related to what is being proposed here, but I think it is worth mentioning:

JOSE and COSE allow sending the same message to multiple recipients using key-wrapping. In the case of an authenticated KEM (AKEM), this usage undermines the authenticity guarantees due to the lack of Insider-Auth security (as per section 5.4 of https://eprint.iacr.org/2020/1499.pdf <https://eprint.iacr.org/2020/1499.pdf>) in HPKE AKEM. In short, any recipient of the original message can simply take the unwrapped content encryption key and use it to produce a new message that appears to come from the original sender.

This is why https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04 <https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04> requires a compactly-committing AEAD for symmetric content encryption (DEM) and includes the AEAD tag in the KEM KDF computation to ensure the KEM encapsulation for each recipient is bound to the whole message. This current design was arrived at after previous discussion on the CFRG list (https://mailarchive.ietf.org/arch/msg/cfrg/iNoSj9g2cQ0JvDbHs4I70bfhrRc/ <https://mailarchive.ietf.org/arch/msg/cfrg/iNoSj9g2cQ0JvDbHs4I70bfhrRc/>) and some offline discussions.

(An alternative approach is to include the AEAD tag in associated data of the key-wrapping process, which is another advantage of SIV-AES over AES-KW - the latter not supporting associated data).

Kind regards,

Neil

v2.23.0 | Report a Bug | By Email