Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 03 October 2023 13:37 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE0BAC151993 for <cfrg@ietfa.amsl.com>; Tue, 3 Oct 2023 06:37:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bt7toaTi4ImZ for <cfrg@ietfa.amsl.com>; Tue, 3 Oct 2023 06:37:03 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4b.welho.com [83.102.41.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48B63C15198C for <cfrg@irtf.org>; Tue, 3 Oct 2023 06:37:02 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id D8CD36CBEB for <cfrg@irtf.org>; Tue, 3 Oct 2023 16:36:59 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id MQAgOkt6h5mN for <cfrg@irtf.org>; Tue, 3 Oct 2023 16:36:59 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id A7F9772 for <cfrg@irtf.org>; Tue, 3 Oct 2023 16:36:58 +0300 (EEST)
Date: Tue, 03 Oct 2023 16:36:58 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cfrg@irtf.org
Message-ID: <ZRwY-tB57z30ivp4@LK-Perkele-VII2.locald>
References: <169592647633.22478.7564567661859429538@ietfa.amsl.com> <105f3992-d271-d3fd-e3eb-23751f763e15@lounge.org> <CABcZeBNG9TTMK7AP8+ecWjzD+k5w6YBOdM0QuePMdc+PD5QXog@mail.gmail.com> <09ef9418-0c6c-3771-a82a-900c8143afc4@lounge.org> <CABcZeBP1+4Tof9K0Zf7mjmHAhqHAs2nqoNSiHhPS9scZJ-E8Hw@mail.gmail.com> <CAL02cgRUTNMf6vt1ppwQbO=UqXMY3ujfgsws8J7NnxfU-ZT8TQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAL02cgRUTNMf6vt1ppwQbO=UqXMY3ujfgsws8J7NnxfU-ZT8TQ@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/PKZRu-VrF8MIwxGbU7gsuT3mjug>
Subject: Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Oct 2023 13:37:05 -0000
On Mon, Oct 02, 2023 at 08:52:48AM -0400, Richard Barnes wrote: > EKR - I think the point is less procedural / adversarial than you're > thinking. The point of this thread is more seeking feedback for the > experts on how to interpret the text in RFC 9180. > > So the question for the RG is -- Are folks OK with values being registered > that do not meet the security requirements in the RFC? Or does > Specification Required truly mean that anything that is written down is > OK? Note that the expansive interpretation here would allow obviously > insecure things, e.g., null ciphers or ROT13. (Not saying this request is > so obviously insecure, but it doesn't meet the RFC's security bar, and we > should create a new, undocumented bar, so we're left with no bar.) > > My personal analysis is that the expansive interpretation is risky, > especially if we broaden the lens to CFRG more broadly. In recent years, > there has been a positive trend toward making crypto tools harder to misuse > -- nonce-reuse-resistant AEAD, more rigid elliptic curves, etc. In > algorithm-agile schemes like HPKE, allowing algorithms that are not safe in > context goes against this trend. You wouldn't be able to have confidence > your PKE is secure just because you're using HPKE with a registered > algorithm, you would have to do a bunch of secondary research to verify > that the algorithm is good. This degrades the value of all the good > vetting that CFRG does, because the consumer is left with uncertainty as to > whether a given construction is safe. My evaluation in this case is to > avoid heading down this particular slippery slope. In my view, there are two distinct kinds of trouble: 1) Algorithms that are just broken and insecure. 2) Algorithms that do not provode expected properties in constructions used. Obiviously, it is not possible to perfectly avoid the first kind, since algorithms can go SIKE (or go bad in less dramatic fashion), but being conservative avoids most of these. The second kind can still be very nasty landmines. There have been many cases of critical security vulnerabilities arising from using algorithms that fail to have expected properties (even if such algorithms are not in any way weak). In general, it is very bad idea to mix algorithms with different properties under a single interface. To archive expected properties for present HPKE interfaces, one needs IND-CCA2 (modulo some unexploitable pathological stuff). I think it is impossible to add support for unreliable multi-message to the present HPKE interfaces without running into trouble of the second kind. Therefore, to add unreliable multi-message, one would need to add new interfaces. And that is much more involved operation than just registering new algorithms. -Ilari
- [CFRG] DAE for HPKE, was Re: I-D Action: draft-ir… Dan Harkins
- [CFRG] I-D Action: draft-irtf-cfrg-dnhpke-02.txt internet-drafts
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Salz, Rich
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Eric Rescorla
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Dan Harkins
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Eric Rescorla
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Richard Barnes
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Mike Ounsworth
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Neil Madden
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Salz, Rich
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Dan Harkins
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Christopher Wood
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Dan Harkins
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Watson Ladd
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Ilari Liusvaara
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Dan Harkins
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Orie Steele
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Ilari Liusvaara
- Re: [CFRG] [EXT] Re: DAE for HPKE, was Re: I-D Ac… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Orie Steele
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Stephen Farrell
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Richard Barnes
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Stephen Farrell
- Re: [CFRG] DAE for HPKE, was Re: I-D Action: draf… Christopher Wood