[Cfrg] Review of draft-irtf-cfrg-hpke-02

John Mattsson <john.mattsson@ericsson.com> Fri, 22 November 2019 19:22 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NYGZgGIOiGDvoTa52lfezxDh0fw>

This is a well-written and useful draft.

- “This scheme provides authenticated public key encryption”

   Should mention the unauthenticated mode as well.

- I think it might be useful to add a sentence on ECIES and PSEC in the introduction so that people searching for “ECIES” will find the draft.

- “Encrypted messages convey a single ciphertext and authentication tag alongside a short public key”

   This made me think the tag was sent as a separate field. I suggest changing it to a sentence saying that the ciphertext includes an authentication tag (but some AEADs would not even have a clearly defined tag, such as wide-PRP ones like XCB).

   Also, the sentence does not seem to cover the mode that encrypts several plaintexts with the same ephemeral key. I assume the initiator can send several ciphertexts with the encapsulation, or ciphertexts without the encapsulation, as in the following sequence:

   -> enc, ct1, ct2
   -> ct3

- “mode_auth”, “mode_psk”, “mode_psk_auth”

   The term “auth” is not optimal as psk also provides authentication. Maybe it could be changed to something related to asymmetric, public-key, or KEM.

- I am missing a Security Considerations section. I think there are several things that could be mentioned:

  -- How does an application supporting several algorithms protect against downgrade?

  -- Should the receiver do replay protection?

  -- Shortly mention that the construction in the draft protects against attacks on earlier ECIES standards such as benign malleability and XOR malleability.

  -- State that the protocol does not provide PFS and give some consideration on when that would be OK instead of setting up a TLS connection.

  -- Privacy considerations.

- “For the NIST curves P-256 and P-521, the Marshal function of the DH
   scheme produces the normal (non-compressed) representation of the
   public key, according to [SECG].”

   Why suddenly refer to SECG?

- Single-Shot APIs

   Should mention that this is stateless.

- The document has very detailed descriptions of the parts KEM, KDF, AEAD, but I miss a short overview section describing which fields the initiator is supposed to send to the receiver and what the initiator and receiver need to agree on out of band. Is any information like pskID and sequence number supposed to be sent on the wire?

- I would like to see P-384 and SHA-384. The US CNSA suite, TLS, and 3GPP are all using these together with AES-256. I would also like to see KMAC.

Cheers,
John
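The multi-ciphertext sequence (“-> enc, ct1, ct2” then “-> ct3”) and the questions about replay protection and whether the sequence number is sent on the wire can be illustrated with a small model of the draft's encryption context. The following is an added example written for this archive page; it is not code from the HPKE draft or from John Mattsson. It keeps the draft's rule that the nonce is the base nonce XORed with a sequence counter that both sides advance locally and never transmit, but it replaces the real AEAD (AES-GCM or ChaCha20-Poly1305 in HPKE) with a constructed HMAC-SHA256 encrypt-then-MAC stand-in so that it runs on the Python standard library; the key and base nonce are fixed sample bytes standing in for the KEM and KDF output.

```python
import hashlib
import hmac

NONCE_LEN = 12
TAG_LEN = 16


# Constructed stand-in AEAD: HMAC-SHA256 counter keystream plus an HMAC tag.
# This is NOT an HPKE cipher suite; it only gives the example a nonce-keyed
# Seal/Open pair without third-party libraries.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key, nonce, aad, body):
    data = b"mac" + nonce + len(aad).to_bytes(4, "big") + aad + body
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def aead_seal(key, nonce, aad, pt):
    ks = _keystream(key, b"enc" + nonce, len(pt))
    body = bytes(a ^ b for a, b in zip(pt, ks))
    return body + _tag(key, nonce, aad, body)   # ciphertext carries its own tag


def aead_open(key, nonce, aad, ct):
    if len(ct) < TAG_LEN:
        return None
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, aad, body)):
        return None
    ks = _keystream(key, b"enc" + nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


class Context:
    """Model of the draft's encryption context: key, base nonce and a local
    sequence counter. nonce = base_nonce XOR seq; seq is never put on the wire."""

    def __init__(self, key, base_nonce):
        self.key = key
        self.base_nonce = base_nonce
        self.seq = 0

    def _nonce(self):
        seq_bytes = self.seq.to_bytes(NONCE_LEN, "big")
        return bytes(a ^ b for a, b in zip(self.base_nonce, seq_bytes))

    def seal(self, aad, pt):
        ct = aead_seal(self.key, self._nonce(), aad, pt)
        self.seq += 1
        return ct

    def open(self, aad, ct):
        pt = aead_open(self.key, self._nonce(), aad, ct)
        if pt is None:
            return None          # seq is not advanced on failure
        self.seq += 1
        return pt


def multi_message_exchange():
    # Constructed context material standing in for the KEM/KDF output that
    # both parties derive once from the single encapsulation "enc".
    key = hashlib.sha256(b"constructed example key").digest()
    base_nonce = hashlib.sha256(b"constructed base nonce").digest()[:NONCE_LEN]
    sender = Context(key, base_nonce)
    receiver = Context(key, base_nonce)

    # "-> enc, ct1, ct2" followed by "-> ct3": three ciphertexts, one encapsulation.
    cts = [sender.seal(b"aad", m) for m in (b"msg1", b"msg2", b"msg3")]
    in_order = [receiver.open(b"aad", ct) for ct in cts]

    # Replaying ct3 into the same receiver context fails: the receiver's seq is
    # now 3, so the nonce differs and the tag check rejects it.
    replay_same_context = receiver.open(b"aad", cts[2])

    # Delivering ct2 first to a fresh context fails for the same reason.
    reordered = Context(key, base_nonce).open(b"aad", cts[1])

    # Caveat: replaying the whole "enc, ct1" to a receiver that derives a new
    # context from enc is accepted, so the application must remember seen
    # encapsulations if it needs replay protection across contexts.
    replayed_session = Context(key, base_nonce).open(b"aad", cts[0])

    return {
        "in_order": in_order,
        "replay_same_context": replay_same_context,
        "reordered": reordered,
        "replayed_session": replayed_session,
    }
```

Within one context the locally tracked counter already rejects replayed or reordered ciphertexts, which is why the draft does not send the sequence number; what it does not cover is a replay of the entire exchange starting with a new encapsulation, which a receiver can only detect by keeping state about encapsulations it has already accepted.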