Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)

Dennis Jackson <ietf@dennis-jackson.uk> Mon, 08 April 2024 17:10 UTC


Hi Neil,

On 08/04/2024 11:27, Neil Madden wrote:

>     HPKE only defines an interface for encrypting messages to a single
>     recipient. Therefore standards like JOSE, which support multiple
>     recipients, have to come up with an approach to support that. The
>     obvious thing to do, and what is being proposed for JOSE, is to do
>     what the existing ECDH-ES (ECIES) modes do: generate a random data
>     encryption key (DEK) and use that to encrypt the message using an
>     AEAD. Then run HPKE for each recipient to encrypt the DEK. You
>     then concatenate all the wrapped DEKs and encapsulated keys with
>     the ciphertext and send it.
>
>
> Can you please point to the text in the RFC that says this is 
> forbidden? From HPKE's point of view there are two entirely separate 
> HPKE instances that happen to be encrypting the same plaintext (the 
> DEK). I don't see any text that forbids this or warns of any dangers 
> at all, hence this erratum report.

HPKE doesn't support multiple receivers so HPKE's security analysis 
doesn't say anything about what happens if you try to build such 
functionality yourself.

All the HPKE RFC says is that each recipient can be assured of the 
sender of the DEK and its authenticity. Claims about ciphertexts 
encrypted with that DEK are completely outside the scope of HPKE.

I'm not sure what a warning could look like except a very generic 
warning that the security of a primitive does not imply the security of 
any primitive or protocol that builds on it. Admittedly, this might 
be worth stapling to the front of every CFRG draft.

On the upside, if the folks in JOSE (or other WG) want a version of HPKE 
for multiple recipients with authenticity guarantees, that seems like 
good motivation for a new 'mHPKE' CFRG draft.

Best,
Dennis

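To make the scope point concrete, here is an added toy model of the multi-recipient construction quoted above (example code written for this page, not from the thread, RFC 9180 or any JOSE draft). It stands in for HPKE auth mode with a pre-shared pairwise secret and for AES-GCM with an HMAC-based encrypt-then-MAC, both hypothetical simplifications, and shows that recipient A's per-recipient check establishes the DEK and its sender but nothing about who sealed the body; the `bind` variant, which hashes the body into the wrap's AAD, is an assumption of this example rather than anything the RFC specifies.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: toy cipher core standing in for AES-GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def aead_seal(key, aad, pt):
    # Encrypt-then-MAC toy AEAD; output is nonce || ct || tag.
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()

def aead_open(key, aad, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()):
        return None  # tag mismatch: reject
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def mr_encrypt(pair_keys, dek, msg, bind):
    # Thread's construction: AEAD body under a random DEK, DEK wrapped once per recipient.
    # pair_keys[r] stands in for the HPKE auth-mode shared secret with recipient r (simplification).
    # bind=True is an added variant that puts H(body) into each per-recipient wrap's AAD.
    body = aead_seal(dek, b"body", msg)
    wrap_aad = b"wrap" + (hashlib.sha256(body).digest() if bind else b"")
    return {r: aead_seal(k, wrap_aad, dek) for r, k in pair_keys.items()}, body

def mr_decrypt(me, pair_key, wraps, body, bind):
    wrap_aad = b"wrap" + (hashlib.sha256(body).digest() if bind else b"")
    dek = aead_open(pair_key, wrap_aad, wraps[me])  # HPKE-level check: the DEK and its sender
    if dek is None:
        return None, None
    return dek, aead_open(dek, b"body", body)       # DEK-level check: silent on who sealed the body

def substitution_accepted(bind):
    # Does recipient A accept a body re-sealed by recipient B, who legitimately holds the DEK?
    pair = {"A": os.urandom(32), "B": os.urandom(32)}  # constructed sender/recipient secrets
    wraps, body = mr_encrypt(pair, os.urandom(32), b"original message", bind)
    dek_b, _ = mr_decrypt("B", pair["B"], wraps, body, bind)
    other_body = aead_seal(dek_b, b"body", b"substituted message")
    _, seen_by_a = mr_decrypt("A", pair["A"], wraps, other_body, bind)
    return seen_by_a == b"substituted message"
```

`substitution_accepted(False)` returns True, which is the gap Dennis describes: every HPKE-level check passes and only the unbound body has changed; `substitution_accepted(True)` returns False once the wrap is tied to the body.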