IETF Logo Mail Archive

Re: [Cfrg] Adoption call for draft-barnes-cfrg-hpke

Dan Brown <danibrown@blackberry.com> Fri, 26 April 2019 16:57 UTC

Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECCBC12021F for <cfrg@ietfa.amsl.com>; Fri, 26 Apr 2019 09:57:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zLBMtlqNJxjU for <cfrg@ietfa.amsl.com>; Fri, 26 Apr 2019 09:57:33 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E24D41201D6 for <cfrg@irtf.org>; Fri, 26 Apr 2019 09:57:31 -0700 (PDT)
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs211cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 26 Apr 2019 12:57:24 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT106CNC.rim.net ([fe80::d824:6c98:60dc:3918%16]) with mapi id 14.03.0415.000; Fri, 26 Apr 2019 12:57:24 -0400
From: Dan Brown <danibrown@blackberry.com>
To: Paterson Kenneth <kenny.paterson@inf.ethz.ch>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: Adoption call for draft-barnes-cfrg-hpke
Thread-Index: AQHU/AdYoCx6qRbbHkW7ypFcKyh/6qZOk6gw
Date: Fri, 26 Apr 2019 16:57:23 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501DCE015@XMB116CNC.rim.net>
References: <C7DA46E8-EBE9-4F4F-A621-23A089C59598@inf.ethz.ch>
In-Reply-To: <C7DA46E8-EBE9-4F4F-A621-23A089C59598@inf.ethz.ch>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0038_01D4FC2F.96DE23B0"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/TFY4DpEfNcdTu18e8xkK8gJWy4U>
Subject: Re: [Cfrg] Adoption call for draft-barnes-cfrg-hpke
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2019 16:57:36 -0000

> -----Original Message (abbreviated) -----
> From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Paterson Kenneth
> Sent: Friday, April 26, 2019 4:09 AM
> This email starts a 2-week adoption call for:
> 
> Hybrid Public Key Encryption
> 
> Please give your views on whether this document should be adopted as a
CFRG
> draft, and if so, whether you'd be willing to help work on it/review it.

I think it item should be adopted, with changes, though I'm not sure how
much I will be able to work on it or review it.

Minor comments:

The word "hybrid" now has 3 distinct meanings in crypto, two of them nearly
opposite.  The older meaning refers a system, with security relying on both
components of the hybrid, i.e. weakest link.   This is what HPKE means: both
ECDH and AES-GCM must be secure, for example.   A newer, nearly opposite,
meaning is defense-in-depth, redundancy, strongest-link, etc., for example
ECC+PQC.   (A third meaning refers to a type of security proof.)  Based on
its title, this document could be expected to be a how-to on combining
ECC+PQC+RSA+...  (Arguably, the older meaning of "hybrid" should have
precedence, and the newer meaning is infringing, etc.)  I recommend changing
"hybrid" to something else, but suffer from writer's block for an
alternative (sorry).

A well-known downside of ECIES (and any PKE) is the lack of forward secrecy
(on the recipient side).  In the olden times of ECC versus RSA, a real risk
was somebody drop-in replacing RSA by ECIES, even when some type of
forward-secure ECDH was possible.  The famous example TLS 1.3 of requiring
(EC)DHE should now minimize this risk. Nonetheless, a PKE document is better
if it (somehow?) recommends the reader to use forward security if possible.
(Maybe current draft does this well enough already.)

Perhaps differences in HPKE from ECIES standards (i.e. algorithm, security,
efficiency) - especially if those ECIES standards were implemented - should
be documented (in an tedious appendix or table)?  Also what about a
comparison to other types of ECPKE: Cramer--Shoup encryption, NaCL's
crypto_box, even ECC-in-CMS EnvelopedData, etc?

An updated link of SEC1 v2 for is http://www.secg.org/sec1-v2.pdf  (Sorry
that PDF metadata title is version 1.9.) The ECIES in SEC1 v2 is rather
outdated in its symmetric component (i.e. AEAD part).  It uses a menu of
KDF, XOR/AES/DES CTR/CBC, HMAC/CMAC, and then some concatenation of 2 extra
info inputs.  (Perhaps, one day a new version SEC1 will correct/modernize
this, though CFRG may not care.)  

The ANSI X9.63-2011 standard used the extended KDF output as XOR key stream,
and then an "Approved MAC", which allows HMAC, but also allows updates via
other X9 documents, mainly the registry, (pointing to NIST MACs). 

There was an aim that the intersection of the ECIES versions defined IEEE
1363a, SEC1 and X9.63 was non-empty.  Not sure if HPKE wants to aim for
similar backwards interop.

v2.23.0 | Report a Bug | By Email