Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)

Neil Madden <neil.e.madden@gmail.com> Mon, 08 April 2024 10:28 UTC

From: Neil Madden <neil.e.madden@gmail.com>
Message-Id: <A0304BB8-34F5-456B-89E8-7A2278AF63B7@gmail.com>
Date: Mon, 08 Apr 2024 11:27:47 +0100
In-Reply-To: <CA+_8ft7nK9uE4EreZ-TktExxn1mLND8BJ2d68psvuY9rnuRepA@mail.gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, CFRG <cfrg@irtf.org>
To: Karthik Bhargavan <karthik.bhargavan@gmail.com>
References: <CA+_8ft66ZM=QND1Qh+OE9fJ6tDufF484cqeUT9NLdzr8gBYwjg@mail.gmail.com> <04C6D6E9-2D50-4289-AF0E-398F95B01723@gmail.com> <CA+_8ft7nK9uE4EreZ-TktExxn1mLND8BJ2d68psvuY9rnuRepA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/K2woVdC4YboseoIGy_1L5jXxeQc>

> On 8 Apr 2024, at 11:23, Karthik Bhargavan <karthik.bhargavan@gmail.com> wrote:
> 
> 
> HPKE only defines an interface for encrypting messages to a single recipient. Therefore standards like JOSE, which support multiple recipients, have to come up with an approach to support that. The obvious thing to do, and what is being proposed for JOSE, is to do what the existing ECDH-ES (ECIES) modes do: generate a random data encryption key (DEK) and use that to encrypt the message using an AEAD. Then run HPKE for each recipient to encrypt the DEK. You then concatenate all the wrapped DEKs and encapsulated keys with the ciphertext and send it. 
> 
> That is an interesting use-case, but I don't see how you can use HPKE for this.
> The Encap/AuthEncap interface of HPKE does not allow you to encapsulate the same key for two different recipients.
> Indeed, as you note, doing so would be insecure and is forbidden. 

Can you please point to the text in the RFC that says this is forbidden? From HPKE's point of view there are two entirely separate HPKE instances that happen to be encrypting the same plaintext (the DEK). I don't see any text that forbids this or warns of any dangers at all, hence this erratum report.

-- Neil