Re: [Cfrg] Adoption call for draft-barnes-cfrg-hpke
Paul Lambert <plambert@usfca.edu> Tue, 30 April 2019 13:19 UTC
Return-Path: <plambert@usfca.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E391120077 for <cfrg@ietfa.amsl.com>; Tue, 30 Apr 2019 06:19:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.237
X-Spam-Level:
X-Spam-Status: No, score=-1.237 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, KHOP_DYNAMIC=1.363, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=usfca-edu.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6zgRUBoaSzpO for <cfrg@ietfa.amsl.com>; Tue, 30 Apr 2019 06:19:06 -0700 (PDT)
Received: from mx0a-00277301.pphosted.com (mx0a-00277301.pphosted.com [148.163.148.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53FFE120006 for <cfrg@irtf.org>; Tue, 30 Apr 2019 06:19:06 -0700 (PDT)
Received: from pps.filterd (m0109194.ppops.net [127.0.0.1]) by mx0a-00277301.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x3UD4rVf025107 for <cfrg@irtf.org>; Tue, 30 Apr 2019 06:19:05 -0700
Received: from mail-pf1-f197.google.com (mail-pf1-f197.google.com [209.85.210.197]) by mx0a-00277301.pphosted.com with ESMTP id 2s6a062ja5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <cfrg@irtf.org>; Tue, 30 Apr 2019 06:19:05 -0700
Received: by mail-pf1-f197.google.com with SMTP id a141so7377190pfa.13 for <cfrg@irtf.org>; Tue, 30 Apr 2019 06:19:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=usfca-edu.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Ew3FvLZy/yi0TQn1EGo2Ex3xj7Pgdze2sz3dSqIrIOs=; b=nJzd0CXzJCNFYJAgxsPm+C0BooFx+sZ4PqDftq5QOP8dIvmSEC1kh+Ou6uo0KVZx9O 4F65j3IicI85D9uPq3QT+Tlx5gnNVJ4B5m6ehz2Vq21XM0ujTj3tsZqBTLPeqTcHM90X oRZYbyWkAI3oDQRRE4fQo5hnR+wbE+TJxIQpMWrGjXmzKQ2MJpZR6zJzoP/HMG+CQIma aJt70PO/iEmpNYe68vQwnsACt+4OEChl5ka5jLx3mRqIm1iMFOM0xnMsMRyDtFFDaFBz RfBduL1FEhA3f2krhf4BTcgdVUkThmWcbGaUzAHQUuRP5CJ6ZC1F99eQeqaPyo6Ed9OA O2pQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Ew3FvLZy/yi0TQn1EGo2Ex3xj7Pgdze2sz3dSqIrIOs=; b=JUYUUTFz6NfR5Lk/tBuLUeZtNSRtTHtfMVp8EK1JfHaJ7ZVUrTOxUHOKnS7HpFMGhY mLY0r9mKJxU/XUbc0wqSUGY9mFl8CV60Pf5uglnIcdObQWGAmJC1C9e/jqwKd8lEW3Tn idyodtmKl1v2+GBjcXHMTvVVOBKO9I74H1vF6apMMdPoIkO2H+gnSqeRB1JrT9FtAzZV dk5Rf5kN4ow6kFGUEWgmipUolz0xXUlrhjV9NlRwIP+WuK3Auu03Adi60ZrhHNNVo4+9 6YLTbxAQvUoDs9gwOBe42JP5lZ0PlCuTRNK9AONcr5rRcHgkDmEi7WSyqNeNMJzG3v5U p37w==
X-Gm-Message-State: APjAAAXU8R9MKRWR/ZgAgEaw+qZ14if8DSn/YbKUAFt+eBVOcGG2CqqC wMQ6Py/3cZAtxsfVRYLlMH31NhzhDAp+XUipuFUGmMMt1uSczg4ajz0Ztfn1L5MjqFudtS8MES/ 3w/1r
X-Received: by 2002:aa7:880f:: with SMTP id c15mr10514919pfo.100.1556630344964; Tue, 30 Apr 2019 06:19:04 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwIdCc4DJPHBI+9CostOHihrHianj2inmvPnk38/3HaFECRTWlJyS4vYLOEE12xv+VN0+mmhA==
X-Received: by 2002:aa7:880f:: with SMTP id c15mr10514884pfo.100.1556630344637; Tue, 30 Apr 2019 06:19:04 -0700 (PDT)
Received: from ?IPv6:2600:1700:42f0:da0:ac8d:ebc4:88d2:79c7? ([2600:1700:42f0:da0:ac8d:ebc4:88d2:79c7]) by smtp.gmail.com with ESMTPSA id l19sm48293641pff.1.2019.04.30.06.19.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Apr 2019 06:19:04 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Paul Lambert <plambert@usfca.edu>
In-Reply-To: <C7DA46E8-EBE9-4F4F-A621-23A089C59598@inf.ethz.ch>
Date: Tue, 30 Apr 2019 06:19:30 -0700
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9B0B8A26-9E8E-4894-BDAF-C7DBCF9E8930@usfca.edu>
References: <C7DA46E8-EBE9-4F4F-A621-23A089C59598@inf.ethz.ch>
To: Paterson Kenneth <kenny.paterson@inf.ethz.ch>
X-Mailer: Apple Mail (2.3445.104.8)
X-MailRoute: Internal
X-Proofpoint-Spam-Reason: safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/kdDnuhq0QP6r4oQtdlQYTXoykKU>
Subject: Re: [Cfrg] Adoption call for draft-barnes-cfrg-hpke
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2019 13:19:07 -0000
The area of ‘hybrid’ encryption is an important topic and I support the adoption of this work area the CFRG. The current 'draft-barnes-cfrg-hpke-01’ does have some issues … - the first draft was a bit easier to read. the current ’setup’ should be removed/rewritten - KEM abstraction is unnecessary and seems to be adequately covered by the DH_Group - the PSK mode goals and use cases is unclear - PSK mode should use a Security Context Indicator (versus key id). The ’sci’ could be derived from a prior hike message. - use case/requirements are lacking …e.g. should the mechanisms support firmware encryption (word alignment requirements, header requirements) - the stateful nature of the encryption risks making this a full key exchange and messaging protocol … maybe not a problem - using Initator and Responder does not work well for describing local processing. It’s more consistent for processing to refer to local keys (e.g. my_public_key) and peer keys. - it’s not obvious from the draft how the secret key on sent messages uses a different context than the received message. There needs to be two secret keys defined to make this clear. - the len(KemContext) is defined as a one byte encoding, but one of the modes has >255 context bytes. This should be a 4 byte little-endian encoding. Since the draft was written in a Python-like pseudo code, I’ve addressed the issues above in a working Python implementation: https://github.com/nymble/hpke/blob/master/hpke.py The KEM and ’setup’ functions did not add clarity and these processing steps were implemented in-line (see below). I suspect that the draft would read much better if these were removed. Some additional comments: - The sequence number usage creates a very fragile protocol. The service interface and impact of the communication channel needs consideration. - design is not suitable for very large files or small processors - validity of header should be able to be validated before processing full encrypted data - major fields should be word aligned - message layout for in-place encryption/decryption should be considered - The NIST based cipher suites could be using x-coord encoding for better efficiency - The AEAD abstract prevents better control/placement of the IV and MAC fields (e.g. MAC always at end) - Nonce misuse resistant algorithms should be considered as an alternative to keeping sequence number state (e.g. SIV modes) Paul —— HPKE wrap … working implementation including one minor message formatting change. def wrap(self, pt, aad=None, auth=True): """ Encrypt using AEAD the plain text 'pt' to the 'peer_pk' and return cipher text 'ct'. """ ephemeral_key_pair = self.cipher_suite.DH_Group.generateKeyPair() # generate the ephemeral key pair # definitions for for readability ... cs = self.cipher_suite marshal = cs.DH_Group.marshal hash_length = cs.Hash.digest_size info = self.info csi = cs.csi # octets pkP = self.peer_key skE = ephemeral_key_pair # key pair object used in API rather than private key pkE = ephemeral_key_pair.public_key skM = self.my_key_pair # 'M' for secret key of My key pair pkM = self.my_key_pair.public_key DH = cs.DH_Group.dh KDF = cs.KDF Nk = cs.AEAD.key_length Nn = cs.AEAD.nonce_length salt = hash_length * b'\x00' # all zero octet string enc = marshal( pkE ) if auth: # authenticated mode = MODE_AUTH shared_secret = KDF.extract( salt, DH(skE, pkP) + DH(skM, pkP) ) kemContext = enc + marshal( pkP ) + marshal( pkM ) sci = KDF.extract( salt, csi + mode + marshal( pkP ) + marshal( pkM ) ) else: # unauthenticated mode = MODE_BASE shared_secret = KDF.extract( salt, DH(skE, peer_pk) ) kemContext = enc + marshal( pkP ) sci = KDF.extract( salt, csi + mode + marshal( pkP ) ) context = csi + mode + blen(kemContext) + kemContext + blen(info) + info snd_secret = KDF.expand(shared_secret, b'hpke key' + context, Nk) snd_nonce = KDF.expand(shared_secret, b'hpke nonce' + context, Nn) aead = cs.AEAD( snd_secret ) snd_seq_bytes = pack( '<L', self.snd_seq ) # little-endian to simplify zero padding by bxor nonce = bxor( snd_nonce, snd_seq_bytes ) ct = csi + mode + b'\00' + enc + aead.seal(nonce, aad, pt) # self.snd_seq += 1 return ct Paul > On Apr 26, 2019, at 1:09 AM, Paterson Kenneth <kenny.paterson@inf.ethz.ch> wrote: > > Dear CFRG, > > (This is the first of two adoption calls today.) > > This email starts a 2-week adoption call for: > > https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dbarnes-2Dcfrg-2Dhpke-2D01&d=DwICAg&c=qgVugHHq3rzouXkEXdxBNQ&r=oIg4FfS8P761BlhMPJ2ys3IvSyH4XQ12Mbj_mXrCAJs&m=Wh8bn9aCR4-MFtTP5yCwkeaQZqO2PAOTRibf5ydPXHw&s=tv3ZjsWTM-r7Yk_XfD-Cgcd8aVedPNI9Ekt2_Q1vbM0&e= > > Hybrid Public Key Encryption > > Please give your views on whether this document should be adopted as a CFRG draft, and if so, whether you'd be willing to help work on it/review it. > > Thanks, > > Kenny (for the chairs) > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.irtf.org_mailman_listinfo_cfrg&d=DwICAg&c=qgVugHHq3rzouXkEXdxBNQ&r=oIg4FfS8P761BlhMPJ2ys3IvSyH4XQ12Mbj_mXrCAJs&m=Wh8bn9aCR4-MFtTP5yCwkeaQZqO2PAOTRibf5ydPXHw&s=HD8zv1ivtjPaqEeGlOHxvARItXMw6_tBhK7SLcXXckw&e=
- [Cfrg] Adoption call for draft-barnes-cfrg-hpke Paterson Kenneth
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Stanislav V. Smyshlyaev
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Stephen Farrell
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Richard Barnes
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Benjamin Beurdouche
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Scott Arciszewski
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Dan Brown
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Mehmet Adalier
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Russ Housley
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… denis bider
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… John Mattsson
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Christopher Wood
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Richard Barnes
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Richard Barnes
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Paul Lambert
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… mcgrew
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Marek Jankowski
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Jim Schaad
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Hugo Krawczyk
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Dan Brown
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Hugo Krawczyk
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Natanael
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Alexey Melnikov