IETF Logo Mail Archive

Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)

Neil Madden <neil.e.madden@gmail.com> Mon, 08 April 2024 18:48 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B993C151545 for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 11:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VodlOpGQvA1o for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 11:48:36 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D4ABC15153F for <cfrg@irtf.org>; Mon, 8 Apr 2024 11:48:36 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id ffacd0b85a97d-343c8d7064aso685344f8f.0 for <cfrg@irtf.org>; Mon, 08 Apr 2024 11:48:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712602115; x=1713206915; darn=irtf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=DFYJOeFSkNMn8L4oYpw5ZGWx8QrtNg7gcrnpMPjIZQY=; b=fGzQ2jqos1UPTr1H9Q3zOMVs8hyUBAsxGOkUuxa46QytyFyXkuqrN+AAs6voR/QOSX HLaBp/2X0l7Tet4UeZlq8xRkactdp2BdbtLzuJt4+ZDHFlbw0swth7/foF9w5Ur4qEgL r5sIbyrorLWP3gMQAUDd6Cc9If7XQCd8Mieyosg5f9xL7q+sZQ88H14rOZxyTtjmdj1Y cbf/u/v/GitbIEzPGaJEQRAP/wQOESjWQddCqW+FsJrgA7f4f1H8vHi4yIrhCoJ48NcK iNaX1Kvyy//X5sE8HjDNnIXKuacGLoTb1B8Q7A8mRw69WiKcj5LwOfzVE8LDZ3/OxK3D /STg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712602115; x=1713206915; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DFYJOeFSkNMn8L4oYpw5ZGWx8QrtNg7gcrnpMPjIZQY=; b=lcOpWWTq+soTYkyWjHZNRouIe66aMrwssjjyxZxqRbNqay/84KdOKzZK89vmLig57S NCm7pXWcZ/PZg4orsxzlIZSwzrBBOFAm+FUnM+YIfuA2fbqO0Zmc+aKbzJ8/GFjHTn9j nxeqjYkGvn4YE8zf/Af+/bUgdizfQjSDT8q2p3d3AoBWQPyPJyrztBqDUNV8CAsl3gvk 6F8EZRFkXeN/xVjgWhBsEG875Lp/H/kGndXTdumlnEpOVP99qNtcXnroBIpmfZ1SvYwj 2FFrj6vSYSQJoa95SgNnYclpcdSTt7TME0mu3whrrbPxAcyRCE58l20uG3XUqwJUN24y pcsg==
X-Forwarded-Encrypted: i=1; AJvYcCV3821Dqs/THmuzcKMOlNXFZO4yjp4q+B7DKlocMBjOkCykwfutyx7P2uV4vmDNekL3Y6fSl+kiQkNCM5iq
X-Gm-Message-State: AOJu0Yxpr719UX89Q5XtoEfgaGro9lEc0O4yuVF//8a2V1n2j17EFCnN WQEKc/TLE6HEsIjW8qc8Rk97jXIlgUOV1Xy/8FaqTcyZw2rtpAqA
X-Google-Smtp-Source: AGHT+IHus09W0icwx2L5sGLx+CR81F0Fe/5+mlrfBFx58FDJZGEF7WXfib83NlElvCmyQFXcy2RqkA==
X-Received: by 2002:adf:fe0b:0:b0:343:b81a:9d9b with SMTP id n11-20020adffe0b000000b00343b81a9d9bmr6833501wrr.7.1712602114426; Mon, 08 Apr 2024 11:48:34 -0700 (PDT)
Received: from smtpclient.apple (243.211.93.209.dyn.plus.net. [209.93.211.243]) by smtp.gmail.com with ESMTPSA id s11-20020a05600c45cb00b004162d06768bsm15014199wmo.21.2024.04.08.11.48.34 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Apr 2024 11:48:34 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
Message-Id: <1C2E29BB-63A5-4190-A3DB-6274FFC76427@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DD045D39-CE9A-4AEF-85B0-B5335D96994A"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\))
Date: Mon, 08 Apr 2024 19:48:33 +0100
In-Reply-To: <789eeffd-c021-480c-81b0-6b424aac4b11@app.fastmail.com>
Cc: Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>, CFRG <cfrg@irtf.org>
To: Thad Thompson <thad@litepipe.com>
References: <73d28971-0470-4339-9ae8-f2d07f2303ae@dennis-jackson.uk> <6B2EF6E4-91E0-4F26-9623-A722BAAEDF3B@gmail.com> <789eeffd-c021-480c-81b0-6b424aac4b11@app.fastmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/aMAsCapiVreUJxI6q8u15co8jlI>
Subject: Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 18:48:38 -0000

I feel that people are getting a bit side-tracked here. Neither the HPKE RFC nor the erratum report mention either JOSE or multiple recipients. I bought that up in reply to another message as an example of *an* issue that can occur due to lack of Insider-Auth security. The issue under discussion is whether the RFC 9180 fairly characterises the security analysis that it cites. The RFC says HPKE "fulfills these notions", whereas the paper it cites says the following (section 5.1):

"[...] Insider-Auth security in infeasible both for the APKE construction used in HPKE (see section 5.4), and the instantiation of AKEM proposed in HPKE (see end of section 6.1)."

And the following (section 5.4):

"For any AKEM, KS, and AEAD, the construction APKE[AKEM, KS, AEAD given in Listing 8 is not (n,q_e,q_d)-Insider-Auth secure. The inherent reason for this construction to be vulnerable against this attack is that the KEM ciphertext does not depend on the message. Thus, the KEM ciphertext can be reused and the DEM ciphertext can be exchanged by the encryption of any other message."

And section 6.1:

"[T]he DH-AKEM construction does not even achieve KCI security, a relaxation of Insider-Auth security[...]".

Thus, HPKE does *not* fulfil this notion of security and shouldn't imply that it does. That's it. That's the erratum. Send tweet.

-- Neil

> On 8 Apr 2024, at 19:11, Thad Thompson <thad@litepipe.com> wrote:
> 
> Hey Neil,
> For what it's worth, as an Internet rando (non-cryptographer) implementing a scheme very similar to the one you're suggesting, my understanding from the RFC was that the target security property of KEM authentication rather explicitly only covers two parties:
> 
> > 5.1.3.  Authentication Using an Asymmetric Key
> >
> >   This variant extends the base mechanism by allowing the recipient to
> >   authenticate that the sender possessed a given KEM private key.  This
> >   is because AuthDecap(enc, skR, pkS) produces the correct KEM shared
> >   secret only if the encapsulated value enc was produced by
> >   AuthEncap(pkR, skS), where skS is the private key corresponding to
> >   pkS.  In other words, at most two entities (precisely two, in the
> >   case of DHKEM) could have produced this secret, so if the recipient
> >   is at most one, then the sender is the other with overwhelming
> >   probability.
> 
> Am I not understanding that correctly? I assume that limitation is part of the reason MLS relies on asymmetric signatures for authentication.
> 
> However, I would agree that the limitations of KEM based authentication feel maybe a bit out of place. Besides the fact that it only proves authentication in a two-participant system, it also becomes fiddly when moving to PQ KEMs. You either wind up with a halfway 'quantum safe key exchange but NOT quantum safe authentication' scheme like Signal's PQXDH, or it is dropped entirely, like in X-Wing. In any case, it seems like the authenticated KEM modes in HPKE take up a large space in the standard for what turns out to be rather limited functionality with caveats. I wonder if HPKE 2.0 would include such modes at all?
> 
> Cheers!
> - Thad

v2.23.0 | Report a Bug | By Email