IETF Logo Mail Archive

Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt

Richard Barnes <rlb@ipv.sx> Mon, 02 October 2023 12:53 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DC30C1527AE for <cfrg@ietfa.amsl.com>; Mon, 2 Oct 2023 05:53:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n-YEPQLPQ_Ow for <cfrg@ietfa.amsl.com>; Mon, 2 Oct 2023 05:53:01 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5368C1527A0 for <cfrg@irtf.org>; Mon, 2 Oct 2023 05:53:01 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id a640c23a62f3a-9ad8d47ef2fso2248829966b.1 for <cfrg@irtf.org>; Mon, 02 Oct 2023 05:53:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1696251180; x=1696855980; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6+pJdKcDG0N+3ndgeV8TH3DACt6TJJpJ1PQevM6mJug=; b=PIWHMtSuISLK5AcCC5Qs2t8cRVlUd676iDNNXllJqwREKi/yO/K4xXXxjOEMzJEeNZ EGQgYCJJG5+Rj2EeTg7pV8Z7ocHIBJJPOLXp+7lDlmHOp/rq4iIsWlrfeP4sUPR6AkhM o6a8p48/c5ihFeCWQn4F/xx0A3UrIY6hWR27vsm9v5ScdVbMXXtWSmFJbyYRgFGT9a4G BPXL/088YgzXQ8PPFWmY45I5dn4viUHid26zKJ1zEePtM4fsIsnfIMZX7yA20LavJJ0+ scCN/yKLnQacZjIveu/YMqUN/tVHsLaE1HXZpLuKg847JQ9muEva/q13NvCRIQNv/sOJ eE/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696251180; x=1696855980; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6+pJdKcDG0N+3ndgeV8TH3DACt6TJJpJ1PQevM6mJug=; b=FQ9uecI4QiH0goAZP1qRreNRRS+t2BlulxKEu7wftD9s8q6gc2Z3ULM4f4N/TnS196 UnSxYxFmzGe23AvULsxqOAXzNVN2eaXgRetsoLpkhWDV65P8lznjcoYEOrDnDDNjFppP fH5bQIxjbqEss8UXgTyDm+Tph+JpqZIqZhP+Wqq/8kvC9X+mORa8g+Zl1YqecHv9FdtN iZQ42A46SBr760+/caPJ49cZMJwuw76XrcACy3z67jtCS0GUaLzXbfmZpTrGHB/oPn39 VF/Zk6i/egM2ndXCuhcBjtLcOAeDlYQQ79coBBw2OYqd9PPYivOp0zXetkLkNV1dsNHk RwYA==
X-Gm-Message-State: AOJu0YwRBFrZ9Z52oR8ayx1r3JZ+7omgPvNLliP9vlEkDzGxzLWYLvkx yv5/+TPoc2cLqlvtA5AZK9az510TraqaPj0W5KEOIH5xu/bvKCUziqk=
X-Google-Smtp-Source: AGHT+IFlnDOIpyBeFhVqvkD5IVXFq4G4Yk+aP0C0OkH23faYacdVG+OhSYZtfgp2TzCBcjDSBAFOZj8JxidWGQ1cfn4=
X-Received: by 2002:a17:907:2e01:b0:9ae:6389:911 with SMTP id ig1-20020a1709072e0100b009ae63890911mr10166086ejc.31.1696251179784; Mon, 02 Oct 2023 05:52:59 -0700 (PDT)
MIME-Version: 1.0
References: <169592647633.22478.7564567661859429538@ietfa.amsl.com> <105f3992-d271-d3fd-e3eb-23751f763e15@lounge.org> <CABcZeBNG9TTMK7AP8+ecWjzD+k5w6YBOdM0QuePMdc+PD5QXog@mail.gmail.com> <09ef9418-0c6c-3771-a82a-900c8143afc4@lounge.org> <CABcZeBP1+4Tof9K0Zf7mjmHAhqHAs2nqoNSiHhPS9scZJ-E8Hw@mail.gmail.com>
In-Reply-To: <CABcZeBP1+4Tof9K0Zf7mjmHAhqHAs2nqoNSiHhPS9scZJ-E8Hw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 02 Oct 2023 08:52:48 -0400
Message-ID: <CAL02cgRUTNMf6vt1ppwQbO=UqXMY3ujfgsws8J7NnxfU-ZT8TQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Dan Harkins <dharkins@lounge.org>, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000056df80606bb4170"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/LMMgjNNiL8fKFK5KF0IamqHNfSo>
Subject: Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Oct 2023 12:53:05 -0000

EKR - I think the point is less procedural / adversarial than you're
thinking.  The point of this thread is more seeking feedback for the
experts on how to interpret the text in RFC 9180.

My interpretation of the question here is:
- HPKE has been proven IND-CCA2 secure if the KEM and AEAD are IND-CCA2
secure
- RFC 9180 makes no claims about the security of the construction if the
AEAD is *not* IND-CCA2 secure
- The request here is to register an AEAD algorithm that is affirmatively
*not* IND-CCA2 secure (can't be, not even claimed to be)

So the question for the RG is -- Are folks OK with values being registered
that do not meet the security requirements in the RFC?  Or does
Specification Required truly mean that anything that is written down is
OK?  Note that the expansive interpretation here would allow obviously
insecure things, e.g., null ciphers or ROT13.  (Not saying this request is
so obviously insecure, but it doesn't meet the RFC's security bar, and we
should create a new, undocumented bar, so we're left with no bar.)

My personal analysis is that the expansive interpretation is risky,
especially if we broaden the lens to CFRG more broadly.  In recent years,
there has been a positive trend toward making crypto tools harder to misuse
-- nonce-reuse-resistant AEAD, more rigid elliptic curves, etc.  In
algorithm-agile schemes like HPKE, allowing algorithms that are not safe in
context goes against this trend.  You wouldn't be able to have confidence
your PKE is secure just because you're using HPKE with a registered
algorithm, you would have to do a bunch of secondary research to verify
that the algorithm is good.  This degrades the value of all the good
vetting that CFRG does, because the consumer is left with uncertainty as to
whether a given construction is safe.  My evaluation in this case is to
avoid heading down this particular slippery slope.

Nonetheless, if there's consensus in the RG on this point, we experts might
reconsider our evaluation.  Not looking for an adjudication / overrule,
just advice.

--Richard

On Sun, Oct 1, 2023 at 6:56 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Sun, Oct 1, 2023 at 3:46 PM Dan Harkins <dharkins@lounge.org> wrote:
>
>>
>>   Hi Eric,
>>
>> On 10/1/23 2:15 PM, Eric Rescorla wrote:
>>
>> On Fri, Sep 29, 2023 at 12:02 PM Dan Harkins <dharkins@lounge.org> wrote:
>>
>>>
>>>    Hello,
>>>
>>>    First of all, there's a new version of draft-irtf-cfrg-dnhpke out.
>>> Please take a look.
>>>
>>>    At IETF 116 I was told I could get IANA assigned values without
>>> the draft becoming an RFC so I applied. I got KEM assignments for
>>> compressed output but the experts are refusing to approve assignment
>>> for DAE support because it's not IND-CCA2.
>>>
>>>    So let me digress briefly....
>>>
>>>    In [1], I noted that this requirement that "all AEADs must be
>>> IND-CCA2 secure" appeared in -10 of the HPKE I-D without any real
>>> discussion (it wasn't in -09 and there was no discussion on the
>>> list) and that I was concerned that they were closing the door on
>>> my proposal. But I was told in [2] by an author of HPKE, and the
>>> guy who did the security analysis, that the door wasn't closed and
>>> that adding new DAE ciphers which were not IND-CCA2 did not affect
>>> the existing ciphers which were. There was even a pull request for
>>> HPKE to clarify (see [3]) which I was under the impression allowed
>>> for addition of new ciphers which were not IND-CCA2 since they were
>>> not diluting existing security guarantees.
>>>
>>>    But now I'm being told by the experts that there is an absolute
>>> prohibition on using HPKE with a cipher which is not IND-CCA2. I
>>> believe that is incorrect and certainly that was not part of the
>>> RGLC approval of the HPKE I-D.
>>>
>>>    I would like to hear what other people think and would like the
>>> experts to be overruled and to approve assignment of the DAE ciphers
>>> defined in draft-irtf-cfrg-dnhpke-02.
>>>
>>
>> Without taking a position on the merits of this issue, it's not clear to
>> me that CFRG can in fact overrule the experts. Here is what RFC 8126 says
>> about appeals of registration decisions (
>> https://datatracker.ietf.org/doc/html/rfc8126#section-10):
>>
>>    Appeals of protocol parameter registration decisions can be made
>>    using the normal IETF appeals process as described in [RFC2026],
>>    Section 6.5 <https://datatracker.ietf.org/doc/html/rfc2026#section-6.5>.  That is, an initial appeal should be directed to the
>>    IESG, followed (if necessary) by an appeal to the IAB.
>>
>>
>> That does seem a bit odd for a registry created by an IRTF document, but nevertheless, I think the process would require you to take it to the IESG.
>>
>>
>>   My point is that the experts are wrong in their interpretation of what
>> RFC 9180
>> says. There was discussion on the list about forbidding determinstic AE
>> cipher
>> modes and one of the editors (who I believe is also the guy who did the
>> security
>> analysis) said they weren't prohibited. The editors even agreed to a pull
>> request
>> to clarify this. It was certainly presented as "door not closed" when
>> discussed in
>> RGLC, yet when RFC 9180 comes out the experts say "door is closed". So I
>> believe they are enforcing a rule that the RG was told was not there
>> prior to
>> publication. If the RG agrees then I do not think this prohibition exists
>> and
>> the experts are mistaken in their reading of the RFC.
>>
>
> Hi Dan,
>
> I understand the point you're making, though, as I said, I haven't really
> formed
> an opinion about the merits of your argument.
>
> My only point here is that I don't believe there is any process by which
> the
> RG tells the Experts that they are reading the document wrong, other than
> to publish an RFC (e.g., further clarifying, or perhaps just registering
> the
> code point. So, even if everyone in the RG other than the experts were to
> disagree with the experts, that would just be advisory and not binding.
>
> To be clear, I think this is a bug in 8126 and there needs to be some
> IRTF-specific text, but presumably that's not going to happen today.
>
> -Ekr
>
>
>
>>   I do appreciate you pointing out the appeals process though. It may
>> come
>> to that.
>>
>>   regards,
>>
>>   Dan.
>>
>> -Ekr
>>
>>
>>
>>>    thanks and regards,
>>>
>>>    Dan.
>>>
>>> [1]
>>> https://mailarchive.ietf.org/arch/msg/cfrg/dAhw4TluqDfzKvtatqXvXbW0GVY/
>>> [2]
>>> https://mailarchive.ietf.org/arch/msg/cfrg/MOMY2a3srTUpgW2F_76kySv5IKw/
>>> [3] https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/233
>>>
>>> On 9/28/23 11:41 AM, internet-drafts@ietf.org wrote:
>>> > Internet-Draft draft-irtf-cfrg-dnhpke-02.txt is now available. It is a
>>> work
>>> > item of the Crypto Forum (CFRG) RG of the IRTF.
>>> >
>>> >     Title:   Deterministic Nonce-less Hybrid Public Key Encryption
>>> >     Author:  Dan Harkins
>>> >     Name:    draft-irtf-cfrg-dnhpke-02.txt
>>> >     Pages:   38
>>> >     Dates:   2023-09-28
>>> >
>>> > Abstract:
>>> >
>>> >     This document describes enhancements to the Hybrid Public Key
>>> >     Encryption standard published by CFRG.  These include use of
>>> "compact
>>> >     representation" of relevant public keys, support for key-wrapping,
>>> >     and two ways to address the use of HPKE on lossy networks: a
>>> >     determinstic, nonce-less AEAD scheme, and use of a rolling sequence
>>> >     number with existing AEAD schemes.
>>> >
>>> > The IETF datatracker status page for this Internet-Draft is:
>>> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-dnhpke/
>>> >
>>> > There is also an HTMLized version available at:
>>> > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-dnhpke-02
>>> >
>>> > A diff from the previous version is available at:
>>> > https://author-tools.ietf.org/iddiff?url2=draft-irtf-cfrg-dnhpke-02
>>> >
>>> > Internet-Drafts are also available by rsync at:
>>> > rsync.ietf.org::internet-drafts
>>> >
>>> >
>>> > _______________________________________________
>>> > CFRG mailing list
>>> > CFRG@irtf.org
>>> > https://www.irtf.org/mailman/listinfo/cfrg
>>>
>>> --
>>> "The object of life is not to be on the side of the majority, but to
>>> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>>>
>>> _______________________________________________
>>> CFRG mailing list
>>> CFRG@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>>>
>>
>> --
>> "The object of life is not to be on the side of the majority, but to
>> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>>
>> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email