IETF Logo Mail Archive

Re: [CFRG] Fwd: [Technical Errata Reported] RFC9180 (7790)

Karthik Bhargavan <karthik.bhargavan@gmail.com> Mon, 08 April 2024 06:58 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C072BC14F68B for <cfrg@ietfa.amsl.com>; Sun, 7 Apr 2024 23:58:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7V4IbPFfDp5M for <cfrg@ietfa.amsl.com>; Sun, 7 Apr 2024 23:58:31 -0700 (PDT)
Received: from mail-ua1-x932.google.com (mail-ua1-x932.google.com [IPv6:2607:f8b0:4864:20::932]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8191DC14F5EC for <cfrg@irtf.org>; Sun, 7 Apr 2024 23:58:31 -0700 (PDT)
Received: by mail-ua1-x932.google.com with SMTP id a1e0cc1a2514c-7e65c56d29aso96596241.1 for <cfrg@irtf.org>; Sun, 07 Apr 2024 23:58:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712559510; x=1713164310; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3nSiZbB1Syqum+010dwPN9XAVZ1NAPVFwySYkYV124g=; b=MSaMpd+Yc8ULn35A+QlddQH/86ChspF2BlqSmZtaxgNzaXT9U8f7qNd0LaOxkM9IQ2 RkCTHgC80H9eQ8lLrzKgktVxO7NnZ3/kFoPsXu8WXkSGIAmUmLtoiUIKDf8/WoSCzOSD RyZ8LCbuo6ZQuqsbVxRFBQqlZZ9pskU+xc1XICaEocBGvq3jSOHWZY2DmpuDjb1dQEh9 DcBSFdIQ359HesAumleN2hm9SghvG2ABFHvu4RBhtCpeSjw1SMePQN9bJQtTB3UMwujt wYhm2lQJZrBT7jLAwrAMJ7DCyPawxW9zPqpX70AswL2TgryF1cOTUhBRX7UHpQoFO3n6 nr9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712559510; x=1713164310; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3nSiZbB1Syqum+010dwPN9XAVZ1NAPVFwySYkYV124g=; b=vZDeqvNXfz6AhqTKXeYBPAWp+qolvuTLi6VyMbmc/BfaZTx2q197iOzdtR8d4c9z3Z pxQHC8ZUW5m/HquIYtShiZh9K1aqUDy9FevdLxHqPuetCNnou1STBR6BlkxLE8YCDjtI ra8j768R5Pgjcn6U356AtrYfWjTtf17s1jpKLZMrRhNM6qiW32kq6cVvQ87eR+DqyLxz YIGQdFWaXuKo4+RAFdSMx7mc3MPwBRfNFOKVFKIVzKWc1Ki166U3k3vdT2GAmQhU0BiS FyAJLAo5+20ZQipv5XjokvxMuhAk2GYJMDu5qGub40uvJO55oV9uTkF6Mh3MOb0RKG5S 08kQ==
X-Forwarded-Encrypted: i=1; AJvYcCVMaPJoel/Cmhedama7KLyN6ZjyxM8m/G+Xlvx7FMqmm7FK7GIu1ROneXiLPcjgBGffguimDDG+l+lZSzjn
X-Gm-Message-State: AOJu0YydJLGwFhyymy3bFXiMQmyN5nPcLvUqsBXrl1Ne245yvS/aMUB0 cmrE+HyKqPtd0LO+ebNGtkP20ng78qM1KrNxC+siAxKrzcwYHIL1qTl1vgJn0ZGV13pkNQRWPL9 oKUcxlKFDjdTSs5kBdBIG1/4UkMQ=
X-Google-Smtp-Source: AGHT+IFUU2Zaw31hFuq7SqYvWv+GsSZKnP4FRuGqY5vgURxY9YixsqdEVHNUn39yLa/6HQVoKbutacdZe8ij0nEMjTY=
X-Received: by 2002:a05:6102:6d2:b0:47a:287:6622 with SMTP id m18-20020a05610206d200b0047a02876622mr907981vsg.4.1712559510241; Sun, 07 Apr 2024 23:58:30 -0700 (PDT)
MIME-Version: 1.0
References: <31cdc56a-db7e-4f06-9ac5-818aaa5fd9ea@betaapp.fastmail.com> <00773A27-1CE2-4A08-961F-C25D4C2FEA35@gmail.com>
In-Reply-To: <00773A27-1CE2-4A08-961F-C25D4C2FEA35@gmail.com>
From: Karthik Bhargavan <karthik.bhargavan@gmail.com>
Date: Mon, 08 Apr 2024 08:58:36 +0200
Message-ID: <CA+_8ft66ZM=QND1Qh+OE9fJ6tDufF484cqeUT9NLdzr8gBYwjg@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="00000000000043ca440615905526"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/svNkKMz7ZMCrZ_ENSYa_fGpIrTQ>
Subject: Re: [CFRG] Fwd: [Technical Errata Reported] RFC9180 (7790)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 06:58:35 -0000

Hello Neil,


> Are you quoting someone here, or is this your opinion? My own opinion (as
> the erratum reporter) is that RFC 9180 seriously misrepresents the security
> analysis it is supposed to be based on. At least in a JOSE context, that
> misrepresentation could lead to serious security vulnerabilities.
>
> For example, suppose you use HPKE AKEM with JOSE to encrypt an OAuth
> access token to be consumed by two APIs: A and B (each with their own
> public keys). The lack of Insider Auth security means that when A receives
> an access token from a legitimate client, they can use it to create
> arbitrary forged access tokens to send to B.
>

I am not sure I fully understand this vulnerability. An authenticated HPKE
ciphertext sent from S to A cannot be resent by A to B.
Insider-Auth security typically only applies to KCI-style attacks. Could
you explain a bit more what your concern is?
I'd like to have a concrete sense of which security property is being
violated here.

All my best,
Karthik



>
> This serious issue is not mentioned at all in RFC1980, but *is* clearly
> discussed in the linked security analysis. The RFC instead states
> (erroneously) that HPKE “fulfils these notions”. IMO it should never have
> been published with such a glaring mistake.
>
> — Neil
>
> >
> > The correct disposition for this sort of thing is "Hold for Document
> Update".
> >
> >> On Wed, Apr 3, 2024, at 07:46, Neil Madden wrote:
> >> Anyone know what’s going on with errata for HPKE? I reported this one
> >> in January and not heard anything about it. There appears to be 3
> >> errata on RFC 9180 that are in “reported” state, 2 of which date back
> >> to 2022. Is anyone looking at them?
> >>
> >> Regards,
> >>
> >> Neil
> >>
> >> Begin forwarded message:
> >>
> >>> *From:* RFC Errata System <rfc-editor@rfc-editor.org>
> >>> *Date:* 30 January 2024 at 10:24:00 GMT
> >>> *To:* rlb@ipv.sx, karthikeyan.bhargavan@inria.fr, ietf@benjaminlipp.de,
> caw@heapingbits.net, irsg@irtf.org
> >>> *Cc:* neil.e.madden@gmail.com, rfc-editor@rfc-editor.org
> >>> *Subject:* *[Technical Errata Reported] RFC9180 (7790)*
> >>>
> >>> The following errata report has been submitted for RFC9180,
> >>> "Hybrid Public Key Encryption".
> >>>
> >>> --------------------------------------
> >>> You may review the report below and at:
> >>> https://www.rfc-editor.org/errata/eid7790
> >>>
> >>> --------------------------------------
> >>> Type: Technical
> >>> Reported by: Neil Madden <neil.e.madden@gmail.com>
> >>>
> >>> Section: 9.1.2
> >>>
> >>> Original Text
> >>> -------------
> >>>  A detailed computational analysis of HPKE's Auth mode single-shot
> >>>  encryption API has been done in [ABHKLR20].  The paper defines
> >>>  security notions for authenticated KEMs and for authenticated public
> >>>  key encryption, using the outsider and insider security terminology
> >>>  known from signcryption [SigncryptionDZ10].  The analysis proves that
> >>>  DHKEM's AuthEncap()/AuthDecap() interface fulfills these notions for
> >>>  all Diffie-Hellman groups specified in this document.
> >>>
> >>>
> >>> Corrected Text
> >>> --------------
> >>>  A detailed computational analysis of HPKE's Auth mode single-shot
> >>>  encryption API has been done in [ABHKLR20].  The paper defines
> >>>  security notions for authenticated KEMs and for authenticated public
> >>>  key encryption, using the outsider and insider security terminology
> >>>  known from signcryption [SigncryptionDZ10].  The analysis proves that
> >>>  DHKEM's AuthEncap()/AuthDecap() interface fulfills the notions of
> >>>  Outsider-CCA, Insider-CCA, and Outsider-Auth for all Diffie-Hellman
> >>>  groups specified in this document. It does not fulfill the notion of
> >>>  Insider-Auth defined in the paper.
> >>>
> >>> Notes
> >>> -----
> >>> The referenced paper defines four notions of security, Outsider-CCA,
> Insider-CCA, Outsider-Auth, and Insider-Auth. It proves that HPKE meets the
> first three, but, contrary to the current text of the RFC, it proves that
> it does *not* meet Insider-Auth security and that this is infeasible for
> HPKE. This is an important negative security result that should have been
> highlighted in the RFC.
> >>>
> >>> Instructions:
> >>> -------------
> >>> This erratum is currently posted as "Reported". (If it is spam, it
> >>> will be removed shortly by the RFC Production Center.) Please
> >>> use "Reply All" to discuss whether it should be verified or
> >>> rejected. When a decision is reached, the verifying party
> >>> will log in to change the status and edit the report, if necessary.
> >>>
> >>> --------------------------------------
> >>> RFC9180 (draft-irtf-cfrg-hpke-12)
> >>> --------------------------------------
> >>> Title               : Hybrid Public Key Encryption
> >>> Publication Date    : February 2022
> >>> Author(s)           : R. Barnes, K. Bhargavan, B. Lipp, C. Wood
> >>> Category            : INFORMATIONAL
> >>> Source              : Crypto Forum Research Group
> >>> Area                : N/A
> >>> Stream              : IRTF
> >>> Verifying Party     : IRSG
> >> _______________________________________________
> >> CFRG mailing list
> >> CFRG@irtf.org
> >> https://mailman.irtf.org/mailman/listinfo/cfrg
> >
> > _______________________________________________
> > CFRG mailing list
> > CFRG@irtf.org
> > https://mailman.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://mailman.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email