Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)
Dennis Jackson <ietf@dennis-jackson.uk> Mon, 08 April 2024 19:21 UTC
Return-Path: <ietf@dennis-jackson.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 945DFC15107A for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 12:21:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dennis-jackson.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0UGzlJMdOy4R for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 12:21:11 -0700 (PDT)
Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [80.241.56.172]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FAA8C14F6E2 for <cfrg@irtf.org>; Mon, 8 Apr 2024 12:21:09 -0700 (PDT)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:b231:465::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4VCzTW5gLMz9sgw for <cfrg@irtf.org>; Mon, 8 Apr 2024 21:21:03 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dennis-jackson.uk; s=MBO0001; t=1712604063; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=oje2XyORfOliPR+s1gPwMsH/Wm1QrLSFb29IZQcxS/4=; b=e8QV6nrl1L0IJQjMZmjnHvJhT+AX6PycrHmY7N5ZrwdYoeyRoaUNjFkgfNnaH76IWLY3V1 AUabREp9vXVn2+6vJh0u3f4sqgtjUwVlvocy9vXDWerwlOZmQBJ3E17WOiHckbdeKtZG8w 2Djipu930+DITDxOK/Twl7c741Ad5gNvQhoPbGf3CzPu76ekszTE5Nd/W7f1U7jyFzvtkK OTVf+d4mP5OhAQj3DG440FQl5Ewba+3m1gkRRjV4/wdTU0U2xFDaEXsESqiTq4KWK16A85 ZrsbAKXsv+DiGR5y2kjDFrEA4ecEvQ7bp2k925Ab/4/v4JNMJNhLg/MvB+Vagg==
Content-Type: multipart/alternative; boundary="------------wRGFU6IJKP6V6J1uR4vbRMCq"
Message-ID: <f19fed7a-8feb-4fa1-a390-b256d7994da0@dennis-jackson.uk>
Date: Mon, 08 Apr 2024 20:21:03 +0100
MIME-Version: 1.0
To: cfrg@irtf.org
References: <73d28971-0470-4339-9ae8-f2d07f2303ae@dennis-jackson.uk> <6B2EF6E4-91E0-4F26-9623-A722BAAEDF3B@gmail.com> <789eeffd-c021-480c-81b0-6b424aac4b11@app.fastmail.com> <1C2E29BB-63A5-4190-A3DB-6274FFC76427@gmail.com>
Content-Language: en-GB
From: Dennis Jackson <ietf@dennis-jackson.uk>
In-Reply-To: <1C2E29BB-63A5-4190-A3DB-6274FFC76427@gmail.com>
X-Rspamd-Queue-Id: 4VCzTW5gLMz9sgw
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_mKOfVfn6h-NLmZmu_c1fZTdLIM>
Subject: Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 19:21:16 -0000
On 08/04/2024 19:48, Neil Madden wrote: > I feel that people are getting a bit side-tracked here. Neither the > HPKE RFC nor the erratum report mention either JOSE or multiple > recipients. I bought that up in reply to another message as an example > of *an* issue that can occur due to lack of Insider-Auth security. That's fair, but I do think its material in assessing the importance of the errata. FWIW, it's not the case that 2-party insider-auth implies multiparty insider auth - so its pretty irrelevant here. > The issue under discussion is whether the RFC 9180 fairly > characterises the security analysis that it cites. The RFC says HPKE > "fulfills these notions", whereas the paper it cites says the > following (section 5.1): > > [...] > > Thus, HPKE does *not* fulfil this notion of security and shouldn't > imply that it does. That's it. That's the erratum. Send tweet. That's a fairly ungenerous reading of the RFC and the paper. On the paper's side, they write: > We do not define an insider security notion because Insider-Auth > security is infeasible both for the APKE construction used in HPKE > (see Section 5.4), and the instantiation of AKEM proposed in HPKE (see > end of Section 6.1). On the RFC side, it does not actually claim any specific properties except those defined in the paper, so thus far these are compatible. More significantly and immediately prior to the paragraph you're concerned about, the RFC details the attack on insider security presented in the paper at length (9.1.1). I'd also point out that insider security is not an especially well defined term, with nearly every paper using a different formulation in terms of 2 vs multiparty, malicious vs compromised key registration, which parties can be compromised, etc... To quote from SigncryptionDZ10: > The signcryption literature is currently confused as to which of these > models best represents multi-user insider confidentiality I agree the RFC could be better phrased, but do not think anyone could read the RFC and conclude that HPKE was proven to achieve Insider Security - let alone establish the type of Insider Security being discussed. Further, the paper lays out a clear attack on KCI in accessible language which is the material consequence of the lack of insider security anyway. Best, Dennis > > -- Neil > >> On 8 Apr 2024, at 19:11, Thad Thompson <thad@litepipe.com> wrote: >> >> Hey Neil, >> For what it's worth, as an Internet rando (non-cryptographer) >> implementing a scheme very similar to the one you're suggesting, my >> understanding from the RFC was that the target security property of >> KEM authentication rather explicitly only covers two parties: >> >> > 5.1.3. Authentication Using an Asymmetric Key >> > >> > This variant extends the base mechanism by allowing the recipient to >> > authenticate that the sender possessed a given KEM private key. This >> > is because AuthDecap(enc, skR, pkS) produces the correct KEM shared >> > secret only if the encapsulated value enc was produced by >> > AuthEncap(pkR, skS), where skS is the private key corresponding to >> > pkS. In other words, at most two entities (precisely two, in the >> > case of DHKEM) could have produced this secret, so if the recipient >> > is at most one, then the sender is the other with overwhelming >> > probability. >> >> Am I not understanding that correctly? I assume that limitation is >> part of the reason MLS relies on asymmetric signatures for >> authentication. >> >> However, I would agree that the limitations of KEM based >> authentication feel maybe a bit out of place. Besides the fact that >> it only proves authentication in a two-participant system, it also >> becomes fiddly when moving to PQ KEMs. You either wind up with a >> halfway 'quantum safe key exchange but NOT quantum safe >> authentication' scheme like Signal's PQXDH, or it is dropped >> entirely, like in X-Wing. In any case, it seems like the >> authenticated KEM modes in HPKE take up a large space in the standard >> for what turns out to be rather limited functionality with caveats. I >> wonder if HPKE 2.0 would include such modes at all? >> >> Cheers! >> - Thad > > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://mailman.irtf.org/mailman/listinfo/cfrg
- [CFRG] Fwd: [Technical Errata Reported] RFC9180 (… Neil Madden
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Martin Thomson
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Neil Madden
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Martin Thomson
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Benjamin Lipp
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Karthik Bhargavan
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Colin Perkins
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Neil Madden
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Karthik Bhargavan
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Neil Madden
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Dennis Jackson
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Neil Madden
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Thad Thompson
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Neil Madden
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Dennis Jackson
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Neil Madden
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Eric Rescorla
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Dennis Jackson
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Neil Madden