IETF Logo Mail Archive

Re: [Cfrg] Fwd: New Version Notification for draft-barnes-cfrg-hpke-00.txt

Richard Barnes <rlb@ipv.sx> Tue, 12 March 2019 18:53 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C2E13131A for <cfrg@ietfa.amsl.com>; Tue, 12 Mar 2019 11:53:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ra52YaBXD1XZ for <cfrg@ietfa.amsl.com>; Tue, 12 Mar 2019 11:53:14 -0700 (PDT)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A29E91312F1 for <cfrg@irtf.org>; Tue, 12 Mar 2019 11:53:14 -0700 (PDT)
Received: by mail-oi1-x229.google.com with SMTP id a15so2866767oid.5 for <cfrg@irtf.org>; Tue, 12 Mar 2019 11:53:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F5o/l34uqfSMK46QfxmwnhTxl0fbegb40nYNA38wp4E=; b=BQ8odRCeC3cNTZU/bYs2ihPAwbilQdQMYZd0xwpZ8ypfLsZiME3GGUx25Q9XEZqAam bm+T9prnXKz1QTGkRFKu/3PAJK+OEso73N1Zk+6lAxQmQAkTWN4RNll8WM2mdKbDVl0l z/BdG3A5jfizugg1x563d5trCEq4XbvK0wsVq668FjqDiTegzqXXPGursoqUMl6KwFyI uzKJ3lR/vdNOm5EqS/MKKCpNnzfsYTUgWulo4HCcrZgAPLtOvni8e2CSE++ypuTZJw3T I+iFGcaGkEDT5VI95nJLID6YxqJE3ueOQ1TzK4PoZkE6ylYs7rXfrBggxgz0XdTEUCJc tmeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F5o/l34uqfSMK46QfxmwnhTxl0fbegb40nYNA38wp4E=; b=MPVV3uVeyxcpDuUbRUt26T/0W8sK7IF80OOqgL1sLXYeQAdJgrV8xZtrTtTevRuoOX H8IIyoFMKkzfuR5YjfHZ+TsgeSuAbsiDEpZj6+8hnBZfMWbC5hss2+Cx+AoqIvp5wEpo fIQhMxHhfp1GzmBvmV719S/aSr8An+oCJye82eomRgHFjVQtkIeVuBd248pZKhOOf7Pz 9TSa6XZCbOEo4VSaktNLwnAWE+1V7AIWRYfGgIJvOOcJXBsSgSbu7t+OrPoqI0knSCJf SnOtTsv3jU0TKwWZHAasrORWxcR/+uf2fuYBirM4EIcfGYDQ0Hdpi6RUNn0A3CvT9B+R a9Rg==
X-Gm-Message-State: APjAAAW47iE4gRrWwcLCOGWpOt5qI5e95nMR4/KANsT8nJ9dA4G87yV1 huzDUdzb2vc5oEmhGNYKKimGCST6IcIX3LVmOZ+74Q==
X-Google-Smtp-Source: APXvYqyPKa97LYls1RT64OrOH69GJygaWP1BRlqchFU27Y1FjImoVDlgM7LM56RegOvdfXj8UWFrrnYFoM6lTQ2VZKM=
X-Received: by 2002:aca:b8d5:: with SMTP id i204mr2555637oif.169.1552416793756; Tue, 12 Mar 2019 11:53:13 -0700 (PDT)
MIME-Version: 1.0
References: <4989B595-D57C-4D40-8B68-AB0AF8804AD3@wire.com> <CAO8oSX=KeW_yc8w4v+0E7GGZ1Hp0JNL8x3C5b-Jq=0YKv8XoDQ@mail.gmail.com> <20190128213642.GA2741@LK-Perkele-VII> <CAO8oSXkqYw09w8VT1RoiAo+73V3LCp0osCBFLVheDtt=sA0rYw@mail.gmail.com> <CAL02cgSQxh+LvoqCEZmYBa2rRDwudGCxTP1fS55-gm+noWS5LA@mail.gmail.com> <3F8C5972-5576-425F-A88B-6AB3D269082C@ericsson.com>
In-Reply-To: <3F8C5972-5576-425F-A88B-6AB3D269082C@ericsson.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 12 Mar 2019 14:52:43 -0400
Message-ID: <CAL02cgSn4eN6e3+qiDh0GncA5ECxkdD_MR5P-i8nfdiTqcONgw@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Cc: Christopher Wood <christopherwood07@gmail.com>, CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000891bce0583ea33af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NIUM6Is9i-kbt2WVId_xk0BwSXk>
Subject: Re: [Cfrg] Fwd: New Version Notification for draft-barnes-cfrg-hpke-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2019 18:53:23 -0000

Hi John,

Thanks for the comments.  A couple of replies inline.

On Tue, Mar 12, 2019 at 1:49 PM John Mattsson <john.mattsson@ericsson.com>
wrote:

> Hi,
>
>
>
> This is just what I was looking for a few years ago when we convinced 3GPP
> to encrypt IMSIs in 5G with a ECIES. I think the move to a more general
> framework supporting future PQC KEMs is a good choice. A document like this
> could be very useful.
>
>
>
> - "This type of public key encryption has many applications in practice,
>
>    for example, in PGP [RFC6637] and in the developing Messaging Layer
>
>    Security protocol [I-D.ietf-mls-protocol]."
>
>
>
>    You could add ESNI and 3GPP TS 33.501
> https://www.3gpp.org/DynaReport/33501.htm
>

Thanks, I've added this in my local copy.


- "Lack of a single standard"
>
>
>
>    Defining yet another standard will for sure not help :) but the other
> standards have several problems:
>
>
>
>    - most of them are behind paywalls
>
>    - they are showing their age (old algorithms: SHA-1, no AEAD, no HKDF,
> and design choices that feel dated)
>
>    - some of them do not seem to be updated anymore
>
>    - some of them are not really directly implementable and are more a
> framework that another SDO can use to build an HPKE
>
>    - some of them do not have test vectors.
>
>    - some are not IND-CCA2
>
>
>
>   I think these are problems worth solving.
>

Obviously, I agree, but thanks for a good list of reasons.  I've updated my
local copy with a version of this.



> - I think it would be good to explain the externally visible API in some
> early section.
>
>
>
> - I am not convinced the sequence number based encryption is needed. What
> would the use cases be?
>

I initially had the same reaction, but I'm told that it is common in
practice for folks to use the NaCl box API in this way, i.e., to transmit
an initial crypto context, which is then used for several encryptions.  For
example, that lets you do an ECIES-like operation for content whose length
you don't know at the start.



> If you have two-way communication, you should use a protocol that gives
> PFS.
>

This doesn't presume two-way comms, just that the two parties have some way
to ensure the ordering of the ciphertexts.


I might miss something in the notation, but how does the recipient verify
> than an attacker did not throw away the last ciphertexts?
>

Nothing assures this right now.  Might be a good feature to add.

--Richard



> Cheers,
>
> John
>
>
>
> *From: *Cfrg <cfrg-bounces@irtf.org> on behalf of "rlb@ipv.sx" <rlb@ipv.sx
> >
> *Date: *Monday, 11 March 2019 at 23:17
> *To: *Christopher Wood <christopherwood07@gmail.com>
> *Cc: *CFRG <cfrg@irtf.org>
> *Subject: *Re: [Cfrg] Fwd: New Version Notification for
> draft-barnes-cfrg-hpke-00.txt
>
>
>
> Hey all,
>
>
>
> Just in time for the I-D deadline, I have submitted a draft-01 of this
> HPKE draft:
>
>
>
> https://tools.ietf.org/html/draft-barnes-cfrg-hpke-01
>
>
>
> This version incorporates a bunch of feedback from this thread, in
> particular, moving from a DH framing to a KEM framing.  It also adds modes
> that authenticate possession of a pre-shared key or an asymmetric key
> pair.  It also allows multiple encryptions to be done based on a single KEM
> operation.
>
>
>
> Happy to have more comments on the list here if people have thoughts.  In
> particular, there's a lot of different modes in here, and it would be
> helpful to hear which of these people think are useful to keep around.
> I've also requested an agenda slot for IETF 104.
>
>
>
> Thanks,
>
> --Richard
>
>
>
>
>
> On Mon, Jan 28, 2019 at 5:40 PM Christopher Wood <
> christopherwood07@gmail.com> wrote:
>
> On Mon, Jan 28, 2019 at 1:37 PM Ilari Liusvaara
> <ilariliusvaara@welho.com> wrote:
> >
> >
> > On Mon, Jan 28, 2019 at 09:51:51AM -0800, Christopher Wood wrote:
> > > On Mon, Jan 28, 2019 at 7:17 AM Raphael Robert
> > > <raphael=40wire.com@dmarc.ietf.org> wrote:
> > > >
> > > > Hey Richard,
> > > >
> > > > The proposal seems rather generic to me and I like the channel
> > > > binding to the responder's public key.
> > >
> > > +1
> > >
> > > Thanks for posting this draft, Richard! It should suit the ESNI use
> > > case quite well. In particular, servers could advertise HPKE
> > > ciphersuites and key shares, instead of the TLS ciphersuites and
> > > keyshares currently used, and invoke Encrypt() with "esni" or a
> > > similar info string for key derivation.
> >
> > How is the binding to main key exchange done (I just remember there
> > were some nontrivial issues there)?
> >
> > That is, the ESNI ciphertexts must be bound to the client hello those
> > are in, as otherwise cutting and pasting breaks security.
>
> The CH would be passed in as additional data, as it is in the current
> draft..
>
> >
> > > With regards to the questions raised in Appendix A, I am in favor of
> > > generalizing this to work with any KEM, especially given the rationale
> > > Raphael lists below. The streaming variant is tricky, though, as we
> > > would ideally not want to turn this into a full protocol. In any case,
> > > this is a great -00, and something I think the RG should work on.
> >
> > Yes, streaming is tricky. In fact, true stream-mode AE (byte
> > granularity, reliable in-order) is impossible.
> >
> > The best approximations are datagram mode AE (datagram granularity,
> > not reliable) or sequential packet mode (datagram granularity, reliable
> > in-order) AE. To make things worse, there are protocols that need mode
> > equivalent to sequential packet mode, and protocols that absolutely
> > can not use mode equivalent to sequential packet mode.
> >
> > > > A few comments:
> > > >
> > > >  - The points brought up in Appendix A are important. In particular,
> > > > I think it would be worthwhile investigating if a general KEM
> > > > mechanism wouldn't be the better choice, potentially paving the way
> > > > for PQ primitives.
> >
> > Yes, I think that PQ support is important in any modern protocol (unless
> > one takes quantum skeptic view). And there are very few DH-compatible
> > PQC primitives, and the ones that exist are umm... exciting and slow.
>
> :-)
>
> > However, I do not think any generic KEM would do, as many of those have
> > too high failure rate, and failures leak information about the private
> > key (so called reaction attack).
> >
> > However, there is subclass of KEMs that are IND-CCA secure. Those could
> > be used (the cost of IND-CCA is higher runtime and larger messages than
> > generic IND-CPA KEMs).
>
> If generalized to work KEMs, could we not restrict the algorithm to
> those KEMs we deem appropriate via ciphersuites?
>
> >
> >
> > Few other comments:
> >
> > - Decryption references function "Decrypt()", which I do not see
> >   defined anywhere. I suppose it should be "SetupR()"?
> >
> > - I would expect encryption to pack pkE inside ciphertext, as that
> >   is per-message and required to decrypt.
> >
> > - Only one-byte ciphersuite identifier? That seems quite small.
>
> It could probably be expanded to two bytes.
>
> Best,
> Chris
>
> >
> >
> > -Ilari
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
>

v2.23.0 | Report a Bug | By Email