IETF Logo Mail Archive

Re: [Cfrg] Adoption call for draft-barnes-cfrg-hpke

mcgrew <mcgrew@cisco.com> Tue, 30 April 2019 15:28 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C40E71200A4 for <cfrg@ietfa.amsl.com>; Tue, 30 Apr 2019 08:28:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EbcpGYYVmj2v for <cfrg@ietfa.amsl.com>; Tue, 30 Apr 2019 08:28:03 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59BF012008B for <cfrg@irtf.org>; Tue, 30 Apr 2019 08:28:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7945; q=dns/txt; s=iport; t=1556638083; x=1557847683; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=mxBzASZH1NUKfmEGPY5X87vHdg+mloJNNnAPPEM//BY=; b=YRVjhcYon3cg7UQ4HNicvqyRKK0SQVpQ2arlYRzUR9+2OaHohnhS7i3q 89Ofsw/e1jZtdEp7gD17mAKtxVwmohUaKyRe6vL+gyZKZttP/POJUmkcj lbq75xTKWKjwmfO037KRV0yKdEtmhxY79Ye0TE5wmVlhvG032jjqrlcSA I=;
X-Files: smime.p7s : 3012
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AFAAARaMhc/5pdJa1mGQEBAQEBAQEBAQEBAQcBAQEBAQGBUgMBAQEBAQsBghBpUgIwKAqEBpMjgWglmFAUgWcCCQMBARgLhEoChjEjNQgOAQMBAQQBAQIBAm0cDIVKAQEBAwEBARsGSAMLBQsLCQUKKgICAiUwBgENBRuDBwGBew8PrhmBL4Q2AoEPgyiBNQoGgTIBgUyIOoFDF4E/QIERJwwTgkw+gmEBAQOBJgUBEgGDKTKCJgSKdkCGbpRgCYILgVSBLoIVfowlG4INhjeMa4wOhkOLGIJ2AhEVgVABNmVxcBU7KgGCQT6KVIVbIwEBMZFnDRcHgQQBgSABAQ
X-IronPort-AV: E=Sophos;i="5.60,414,1549929600"; d="p7s'?scan'208";a="266779365"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 30 Apr 2019 15:28:01 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id x3UFS1hk015794 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 30 Apr 2019 15:28:01 GMT
Received: from rtp-mcgrew-nitro2.cisco.com (10.117.145.147) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 30 Apr 2019 10:27:59 -0500
From: mcgrew <mcgrew@cisco.com>
Message-ID: <3228B212-1006-4FAD-9514-D9914806638B@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_9CCA081B-7946-4611-B109-9946F68D2A7A"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Tue, 30 Apr 2019 11:27:43 -0400
In-Reply-To: <C7DA46E8-EBE9-4F4F-A621-23A089C59598@inf.ethz.ch>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
To: Paterson Kenneth <kenny.paterson@inf.ethz.ch>, "Richard Barnes (richbarn)" <richbarn@cisco.com>
References: <C7DA46E8-EBE9-4F4F-A621-23A089C59598@inf.ethz.ch>
X-Mailer: Apple Mail (2.3445.104.8)
X-Originating-IP: [10.117.145.147]
X-ClientProxiedBy: xch-rcd-001.cisco.com (173.37.102.11) To XCH-ALN-004.cisco.com (173.36.7.14)
X-Outbound-SMTP-Client: 173.36.7.14, xch-aln-004.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/SNPqHMEblcCFv4FdzEi2eYWD8pE>
Subject: Re: [Cfrg] Adoption call for draft-barnes-cfrg-hpke
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2019 15:28:06 -0000

Hi Kenny and Richard, 

I support the adoption of draft-barnes-cfrg-hpke, and I have some comments below.

I like the goal of an RFC that provides a self-contained normative description of "hybrid public key encryption."  

It should be an explicit goal that an implementation can conform to this RFC and also conform to [keyagreement], for the NIST approved algorithms, because NIST validation is important in the industry.  I suggest adding a subsection somewhere that details how this conformance is possible.    Please note that I’m not asking that every possible option/ciphersuite in this document be in the NIST-approved category; rather, I’m asking that for the NIST-approved algorithms, the details such as key generation, domain parameters, and symmetric key derivation don’t have any incompatibilities.

I suggest changing the name from hybrid public key encryption to something from the existing literature.   According to Boyd and Mathuria, for instance, this is a key transport scheme, and the term “hybrid” has a different meaning.   Something like "Key Transport for AEAD Using Discrete Log Cryptography” seems accurate, since this draft only covers DL, there is no need to have a name that would be generic to RSA and McEliece.   “Asymmetric Key Transport for AEAD” would be appropriate if there is a need to be more generic.  

The phrase "Hybrid public-key encryption (HPKE) is a substantially more efficient solution than traditional public key encryption techniques such as those based on RSA or ElGamal” is confusing, because combined asymmetric/symmetric crypto systems have been the preferred solution since Kohnfelder’s 1978 thesis.   Someone without domain expertise might mistakenly think that this draft is claiming to be an improvement over current public key algorithms.   I suggest motivating this draft with something like “While there are well accepted standards for public key encryption [RFC7748][keyagreement], in several scenarios these techniques must be combined with symmetric authenticated encryption."

There should be some discussion about replay attacks and their prevention.  

If there is not a strong mechanism protecting against replays, would it make sense to use an AEAD that is robust against nonce misuse, like GCM-SIV?  

"A given context SHOULD be used either only for encryption or only for decryption.”   Why not a MUST?  

It seems that there is no citation given for P-256 and P-521.  

A nit: KEM is used before it is defined.

thanks

David


> On Apr 26, 2019, at 4:09 AM, Paterson Kenneth <kenny.paterson@inf.ethz.ch> wrote:
> 
> Dear CFRG,
> 
> (This is the first of two adoption calls today.)
> 
> This email starts a 2-week adoption call for:
> 
> https://tools.ietf.org/html/draft-barnes-cfrg-hpke-01
> 
> Hybrid Public Key Encryption
> 
> Please give your views on whether this document should be adopted as a CFRG draft, and if so, whether you'd be willing to help work on it/review it.
> 
> Thanks,
> 
> Kenny (for the chairs)
> 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email