Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02

John Mattsson <john.mattsson@ericsson.com> Wed, 18 December 2019 13:24 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/YPSExsYliT-_TC1UWp9HxlEvFEE>

Hi Richard,

The PR looks good. Some responses below.

Cheers,
John

On Sat, Nov 27, 2019 Richard Barnes <rlb@ipv.sx> wrote:

>> - I am missing a Security considerations. I think there are several things
>> that could be mentioned:
>>
>>   -- How does an application supporting several algorithms protect against
>> downgrade?
>>
>>   -- Should the receiver do replay protection?
>>
>>   -- Shortly mention that the construction in the draft protects against
>> attack on earlier ECIES standards such as the Benign malleability and the
>> XOR malleability.
>>
>
>Sorry, I'm not familiar with these notions.  Maybe you could propose some
>text?

Sure, I’ll make a pull request with a suggestion.

>>   -- Stating that the protocol does not provide PFS and give some
>> consideration on when that would be ok instead of setting up a TLS
>> connection.
>>
>>   -- privacy considerations
>>
>
>We discuss some privacy considerations in the "Metadata Protection"
>section. Did you have others in mind?

This was more security considerations than privacy. I can try to make a pull request with a suggestion.

>> - “For the NIST curves P-256 and P-521, the Marshal function of the DH
>>    scheme produces the normal (non-compressed) representation of the
>>    public key, according to [SECG].”
>>
>>    Why suddenly referring to SECG?
>>
>
>I understood that was the normal reference for point formats.  Do you have
>another preference?

Maybe I just misread something the first time, the reference seems fine.

But why force everybody to use the non-compressed representation? In many wireless use cases (even 5G) you would not want to waste bytes to send the y-coordinate. In HPKE, my understanding is that not even the sign bit is needed as the x-coordinate of DH(skR, pkE) does not depend on the y-coordinate of pkE.