Re: [Cfrg] comments on draft-irtf-cfrg-hpke
Christopher Wood <caw@heapingbits.net> Wed, 03 June 2020 20:43 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2AA83A0F4D for <cfrg@ietfa.amsl.com>; Wed, 3 Jun 2020 13:43:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=T4efBIkg; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=BVD0t7Ow
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08xkuRttuBbm for <cfrg@ietfa.amsl.com>; Wed, 3 Jun 2020 13:43:22 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C5343A0F57 for <cfrg@irtf.org>; Wed, 3 Jun 2020 13:43:22 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 4235C5C00A9; Wed, 3 Jun 2020 16:43:21 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Wed, 03 Jun 2020 16:43:21 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=D58L9P/fadUehxtoGxAnyU3eDHJMxX7 0421HHwC+88o=; b=T4efBIkgOQnUqA7doqxu2pOuV1nw4qBYmB/XE4Wr+RC9Hdq PEkSxArSlRKoJSkST6mwpqwWTBc3ZmGglET8dy0hCg9uXfilXavrxOjVf5slrz53 BaJm6snO65khQWdQygw0pt1FL16CQ9+lR8O0EG0/ZBEw8kt7ktOmAeh06zejrk/Q WxcgCTt6qiKQ/2sgGc/Rgbzyfue2Oa45OyMQ/E3zo7r8k4t69B+6K6dKFNLAxBaj fSxjwjPh+xpL6txamMJnQP8EQiKFKvp2Ag0A9szdTbZanW5Af6xsEO1dAlu/gmb3 84yCz88gL7+JK55DZvW7UXtrI0hZmJz1otf3xjA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=D58L9P /fadUehxtoGxAnyU3eDHJMxX70421HHwC+88o=; b=BVD0t7OwCLPvhyEG43mven bxO599y+SwZOVytHFxqSLEbGESfZn3SJinvFCAh5sF97zgHwNlkNhWSWQA/JFDuH HQHdXYoq4tXfM9sFLzNBhu5/dtmX0THR3z79DZTxl+JEaDQKrUg7IdH9eadKoGkV OhxfEvY9HIkhOrxOZNlNsyNr66p2XStny0pO4Qi3pFIebTRoT01/1AEOCSI6WNWb qc5plGhn9XdXeUUKFFRxykhzwUdKo3BIjCR/6XaY2GPH8ISbyX/Gs8rtXVnIwLxH OTSM7Lgk6kecHex96ayCaHyN2zDaVTK2yYyfC53AO3CahMEYCXE3hR8wpB84ttyg ==
X-ME-Sender: <xms:aAvYXlzaGQSdYkGV12xHcvJDE2tyC29LEboj0jqIKTBhZtFR1Qob_w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrudefledguddvjecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesth dtredtreertdenucfhrhhomhepfdevhhhrihhsthhophhhvghrucghohhougdfuceotggr fieshhgvrghpihhnghgsihhtshdrnhgvtheqnecuggftrfgrthhtvghrnhepveekgedtgf dtjefhteeifeejhfdtgfdufedufeeljeeuvdejtdfhvefgvefgvedtnecuffhomhgrihhn pehgihhthhhusgdrtghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmh grihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:aAvYXlS99lVMu1HG57UxdH_C4MRC0P2pG1L3nACzuysOz2E-_WOBow> <xmx:aAvYXvVs-KB2KKKS89zyn3Ah598K7vjCbd0B199fDIVQrvV8OgfSjg> <xmx:aAvYXnjuaei3QVD8O5wjFiEYatsRC8rE69pYJsoRwWRj8irvBzt4vA> <xmx:aQvYXq_GTU134Re-txrnmaqFVxi6IQzoew3GTkHBRstprBg_sax59w>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 730113C00A1; Wed, 3 Jun 2020 16:43:20 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-dev0-519-g0f677ba-fm-20200601.001-g0f677ba6
Mime-Version: 1.0
Message-Id: <e3cf80dd-1c4a-465b-bb74-033ca415582d@www.fastmail.com>
In-Reply-To: <20200602200821.zqtk5w5stw4c6lrs@muon>
References: <20200602200821.zqtk5w5stw4c6lrs@muon>
Date: Wed, 03 Jun 2020 13:42:35 -0700
From: Christopher Wood <caw@heapingbits.net>
To: "Riad S. Wahby" <rsw@cs.stanford.edu>, cfrg@irtf.org, draft-irtf-cfrg-hpke@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/aBCpPsRKJ4Nr1Gg01_LWuJ3pX7k>
Subject: Re: [Cfrg] comments on draft-irtf-cfrg-hpke
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2020 20:43:24 -0000
Hi Riad, Thanks for the feedback! Please see inline below for followup comments. On Tue, Jun 2, 2020, at 1:08 PM, Riad S. Wahby wrote: > > - Section 3: encode_big_endian seems to be the same as I2OSP from RFC8017. > Would it make sense to reference the existing primitive instead, or at > least to note that the two are identical? Good point. We should probably use I2OSP, as that's what other CFRG documents use: https://github.com/cfrg/draft-irtf-cfrg-hpke/issues/104 > - Section 4: the definitions of AuthEncap and AuthDecap contain words to the > effect, 'the KEM shared secret key is known only to the holder of the > private key "skS".' It would be more accurate to say , 'the KEM shared > secret key was generated by the holder of the private key "skS"'. That's a fine clarification: https://github.com/cfrg/draft-irtf-cfrg-hpke/issues/105 > - Section 4 and 4.1: it's not totally obvious to me that this is necessary, > but might it make sense to note that Unmarshal can fail? Yes, definitely, that's a great observation: https://github.com/cfrg/draft-irtf-cfrg-hpke/issues/106 > - Section 4.1: this may be paranoia, but it would be slightly nicer to include > the DH group name in the label arguments of LabeledExtract and LabeledExpand > to ensure that invocations from different DHKEM instantiations are orthogonal. That seems reasonable to me. We went through a couple iterations on domain separation, and it would be a shame to have this lingering: https://github.com/cfrg/draft-irtf-cfrg-hpke/issues/108 > - Section 5.1.3: it would be nice to include a reference or citation for > unknown key share attacks. I concur. I'll fold it in an issue addressing editorial changes: https://github.com/cfrg/draft-irtf-cfrg-hpke/issues/107 > - Section 5.2: is there a reason to put the word "amortize" in quotes? > > - Section 7.1.2: it might be worth mentioning here that [keyagreement] also > includes checking that the public key is not the identity point. Agreed. I'll fold these into #107. > - Section 7.1.2: is there a reason to recommend either checking for a nonzero > scalar or checking for a non-identity DH output? Checking the latter covers > the former and also covers the check from my prior comment. Moreover, it is > not clear to me that checking the scalar is useful for the recipient, since > this is essentially just checking that their long-term secret is nonzero. We could certainly clarify what's required here. This check was meant to be before senders and receivers invoke the DH() function. It could be easier to just check the output. I'll address this in #107. > - Section 8.1: the sentence "In particular, the KDFs and DH groups..." might > want to clarify that this statement is true only when these primitives are > used as specified. The concern is that HKDF is only indifferentiable under > some restrictions on salt length (for reasons noted in Section 8.3). Agreed. I'll fold this into #107 as well. > - Section 8.4: it is not quite true that using a PSK longer than Nh bytes > has no effect on security, since in practice there is no guarantee that > each byte of PSK contributes 8 bits of entropy. Making this distinction > seems worthwhile, lest people decide to use only Nh bytes with lots of > structure (e.g., ASCII text). > > (I am aware that the next paragraph discusses low-entropy passwords, > but I am talking about an intermediate regime. For example, consider > the case of a diceware passphrase: each word contributes only 10--15 > bits of entropy, but is ~6 bytes long. Using 12 words is certainly > better than using 6, even though 6 words already has length greater > than Nh for SHA-256.) Hmm, fair point. We can clarify (in #107). > - Section 8.4: would it make sense to point to PBKDF / bcrypt / scrypt here? > Or is the idea to discourage use of low-entropy passwords entirely? (But > one might worry that folks will use low-entropy passwords anyway...) I don't see why not! I'll add the reference as part of #107. Thanks again for the thoughtful feedback and careful review. I may ask you to review these changes before they land. :-) Best, Chris
- [Cfrg] comments on draft-irtf-cfrg-hpke Riad S. Wahby
- Re: [Cfrg] comments on draft-irtf-cfrg-hpke Christopher Wood