IETF Logo Mail Archive

Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)

Neil Madden <neil.e.madden@gmail.com> Thu, 11 April 2024 19:14 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43E94C14F616 for <cfrg@ietfa.amsl.com>; Thu, 11 Apr 2024 12:14:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MSDcY_80Aav7 for <cfrg@ietfa.amsl.com>; Thu, 11 Apr 2024 12:14:14 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B720C14F5F6 for <cfrg@irtf.org>; Thu, 11 Apr 2024 12:14:14 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id ffacd0b85a97d-345606e8ac0so22764f8f.0 for <cfrg@irtf.org>; Thu, 11 Apr 2024 12:14:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712862852; x=1713467652; darn=irtf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=+ibgPWIaZqDRNtTHu2u13Afqdi6HLlDMYwq3v5Y5ObA=; b=ge3vCTk/PkbmCLsV+RmCmSrHTtVraeaLKQoSef2L9zJf+JEDEp9L8mtUESiqAn1j3T FDrvDyeFOZMGV9pHkxjnNaOc7T5zRIBG5glA3iphxgP8/YSNbKJiMT9CwmXjXOOsCyVJ 3b+FsE3XWneeihZ1tAzD+UHtI3lyX9dz2cQfJyB1ccdPka/qbQyp0oma4xnPSqLSqr0i 5QNOPGvwMMraSAGbRTrGknin5j/JI7R6IDQoBaggS6/nHMzaFO+Yo4N1xphqTtSwCQPk 5Znaj4XCb54KpckWsACpddpm1m4HoDOTKhRcas4GnRPcKN3ShUxx4BOyghdJRG42AuYB 61vQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712862852; x=1713467652; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=+ibgPWIaZqDRNtTHu2u13Afqdi6HLlDMYwq3v5Y5ObA=; b=UTJpIGH0eFHJS19qcw8Es/JnILrAhh+dXoZ4kwqGNF5ORZGONpDQVNrbsKJyY8No9c Px3kQjFVowCIxIHtfiDMKjTTNP1IcuQOsSZ2suP+MaUos31YU1Jj+ssAS8l6w4zCVu6x +bvpX1TnpBpFYOuA7TFJvOY54IiU60sIzxit47IHa/JsB8TnHF1+yhm3NLzezqWZioOw 3NdfAxeg//Q9eHoJbkvrH5kguWO4u/Rl3I/je6h8GYJ05o7pjQPXcuNpqxYX/soagjBY /P6I9Sx0hAQVSNDKMIKBGMEYDDhDCUVwRQogmxhb3d77a3PnG3bs8DgqLV54QiO8shTa JWOw==
X-Gm-Message-State: AOJu0Yw+/JO1YeS0TRmAx2fBWfUSiuywuY4R+Pv9cOAi7xVd2QuRB3fN fmFnUVgdcyj5zPyYYol9au46Be9SlkKkn+e3Gr4USVfhEcAUcTQUztSXavHM
X-Google-Smtp-Source: AGHT+IHFU6RIUR0mSWMA/3Tc1a9xYRQhVFFgJxNuyeO9v1ahaqDgLsfD5M3VpzBUsPVvXKezgPr0RQ==
X-Received: by 2002:a05:600c:198d:b0:417:4ff3:3876 with SMTP id t13-20020a05600c198d00b004174ff33876mr467771wmq.2.1712862851369; Thu, 11 Apr 2024 12:14:11 -0700 (PDT)
Received: from smtpclient.apple (234.243.159.143.dyn.plus.net. [143.159.243.234]) by smtp.gmail.com with ESMTPSA id k9-20020a05600c1c8900b00416c1e7c9e7sm3220780wms.2.2024.04.11.12.14.10 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Apr 2024 12:14:10 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Message-Id: <CDB35CBB-3CC6-45C9-8D6C-C7E14E9DAF46@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F720F695-E2DE-4C73-8319-CB4A46BAB8D6"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\))
Date: Thu, 11 Apr 2024 20:14:09 +0100
In-Reply-To: <5a7baa04-926a-456e-a043-19c8e728d558@dennis-jackson.uk>
Cc: CFRG <cfrg@irtf.org>
To: Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>
References: <5a7baa04-926a-456e-a043-19c8e728d558@dennis-jackson.uk>
X-Mailer: Apple Mail (2.3696.120.41.1.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/k-MYmpAJzwITbazStLojpUl6vyA>
Subject: Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 19:14:20 -0000

> On 11 Apr 2024, at 16:21, Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org> wrote:
> On 08/04/2024 22:40, Neil Madden wrote:
> 
>> Why do you need to "assess the importance" of the erratum? Either it's valid or it's not. 
> If something is imperfectly worded,  it's typically marked "Hold For Document Update". 
> 
According to [1], “Hold for Document Update” means “[t]he erratum is not a necessary update to the RFC”. I would be disappointed in such an outcome. The examples given of that status are basically typos. 

The paragraph I quoted in the erratum is not even the full extent of what is wrong with the way the HPKE RFC cites this work. It goes on:

“ Further, [ABHKLR20 <https://www.rfc-editor.org/rfc/rfc9180.html#ABHKLR20>] proves composition theorems, showing that HPKE's Auth mode fulfills the security notions of authenticated public key encryption for all KDFs and AEAD schemes specified in this document, given any authenticated KEM satisfying the previously defined security notions for authenticated KEMs.”

“ In summary, the analysis in [ABHKLR20 <https://www.rfc-editor.org/rfc/rfc9180.html#ABHKLR20>] proves that the single-shot encryption API of HPKE's Auth mode satisfies the desired message confidentiality and sender authentication properties listed at the beginning of this section”

Those properties are message confidentiality, export key secrecy, and sender authentication. Regarding sender authentication it says:

“ Analysis of the PSK, Auth, and AuthPSK modes defined in this document additionally requires verifying the sender authentication property. […] Generally, the authenticated modes of HPKE can be viewed and analyzed as flavors of signcryption [SigncryptionDZ10 <https://www.rfc-editor.org/rfc/rfc9180.html#SigncryptionDZ10>].”

That Signcryption reference is a book, chapter 2 of which says for Insider Auth security “the attacker is given the private key of the receiver, indicating that […] the signcryption scheme prevents a receiver from forging a signcryption ciphertext that purports to be from the sender.” That book in turn cites the classic paper [2], which says (bottom of page 9):

"Insider-security for authenticity implies non-repudiation "in principle". Namely, non-repudiation is certain at least when the receiver R is willing to reveal its secret key [...]. In contrast, Outsider-security leaves open the possibility that R can generate—using its secret key—valid signcryptions of messages that were not actually sent by S. In such a case, non-repudiation cannot be achieved no matter what R does."

These references quite clearly link the notion of Insider-Auth Security to the notion of non-repudiation, rather than merely to a notion of KCI. I discuss this further in [3].

So the HPKE RFC claims the following things:
That the ABHKLR20 paper “proves that […] HPKE’s Auth mode satisfies the […] sender authentication properties […]”
That that sender authentication property should be analysed under the notions of insider and outsider security from signcryption, which as I've discussed quite clearly includes the notion of Insider-Auth Security beyond KCI.
That ABHKLR20 proves that HPKE satisfies these notions from signcryption, which is at best only 75% true.
I’m sure it wasn’t deliberate, but however it happened, what is in the RFC as it stands is a misrepresentation of what the cited literature says. "Imperfectly worded" seems a pretty big understatement!

[1]: https://www.rfc-editor.org/errata-definitions/ <https://www.rfc-editor.org/errata-definitions/>
[2]: https://eprint.iacr.org/2002/046 <https://eprint.iacr.org/2002/046> 
[3]: https://neilmadden.blog/2021/02/16/when-a-kem-is-not-enough/ <https://neilmadden.blog/2021/02/16/when-a-kem-is-not-enough/> 
> 
>>> FWIW, it's not the case that 2-party insider-auth implies multiparty insider auth - so its pretty irrelevant here. 
>>> 
>> But we are talking about the contrapositive here: lack of 2-party insider-auth implies (obviously) lack of multi-party insider-auth. HPKE has neither.
>> 
>>> More significantly and immediately prior to the paragraph you're concerned about, the RFC details the attack on insider security presented in the paper at length (9.1.1). 
>> 
>> It describes a (related, to be sure) KCI attack. This is not the exact same thing, and it's in a section about KCI. As the paper says, KCI security is a relaxation of Insider-Auth security.
> As you wrote above, we're talking about the contrapositive. If KCI is violated, obviously Insider-Auth is too. 
> 
But KCI isn’t an issue in the attack I outlined. KCI attacks are a relatively small subset of Insider-Auth violations. KCI attacks, by their very name, presume that a key has been compromised. As the HPKE RFC itself says "sender authentication cannot be expected to hold in the Auth mode if the recipient private key skR is compromised". Given that many people assume that private key compromise is "game over anyway", this framing tends to let people think they can safely ignore that. But there are worse dragons than KCI.

>>> I agree the RFC could be better phrased, but do not think anyone could read the RFC and conclude that HPKE was proven to achieve Insider Security - let alone establish the type of Insider Security being discussed. Further, the paper lays out a clear attack on KCI in accessible language which is the material consequence of the lack of insider security anyway. 
>>> 
>> Firstly, KCI is not the only consequence of the lack of Insider-Auth, as discussed. Secondly, what are you trying to argue here? That the erratum is incorrect? That incorrect statements should remain in the RFC because... well, what exactly? Because a different paragraph in a different section almost says the right thing?
> I'm pointing out as imperfect as the sentence is, a reader is going to come away with the correct understanding. Minimally: 
> 
> HPKE is vulnerable to KCI attacks (and if the reader knows what Insider-Auth is, therefore doesn't have Insider-Auth).
But not that non-KCI attacks that violate Insider-Auth might be an issue. And if the reader is not familiar with Insider-Auth, they are certainly not going to be clued in by this RFC. 
> They need to read the referenced paper for the details of exactly what properties HPKE is proven to have, where they will find a clear statement it does not enjoy Insider-Auth.
Which contradicts what the RFC says. Why bother to write a security considerations section at all — just provide a list of references and let readers do the research themselves.
> As I said previously, if folks need a multi-party HPKE, that seems like a good thing for the CFRG to work on. 
> 
Given that HPKE was literally created for MLS (among others)[4], I don’t think it’s insane if people assume HPKE should be safe for multi-user communication.

[4]: https://mailarchive.ietf.org/arch/msg/cfrg/3SXM0I9jVs5i38SyahhMF1Q4fBc/ <https://mailarchive.ietf.org/arch/msg/cfrg/3SXM0I9jVs5i38SyahhMF1Q4fBc/> 

— Neil

v2.23.0 | Report a Bug | By Email