Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)
Neil Madden <neil.e.madden@gmail.com> Mon, 08 April 2024 17:37 UTC
Return-Path: <neil.e.madden@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 611EAC15107A for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 10:37:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.203
X-Spam-Level:
X-Spam-Status: No, score=-1.203 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xZBDuhGSddkZ for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 10:37:50 -0700 (PDT)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59545C151545 for <cfrg@irtf.org>; Mon, 8 Apr 2024 10:37:50 -0700 (PDT)
Received: by mail-wm1-x332.google.com with SMTP id 5b1f17b1804b1-4167082dabdso2094925e9.0 for <cfrg@irtf.org>; Mon, 08 Apr 2024 10:37:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712597869; x=1713202669; darn=irtf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=6TcwuGCgqfd+iwGPBa4tgTHZwqqplhGYGyiLosmXPuM=; b=BpvG+cWXZ4M3xUVC6a6ZxirGAEaztNZY/CS+Od2WHKzdmQR6pHEbPmnXcXDdyhO7cJ 75A9+RLc5qswnawBG3QBId/q74Z/GTPgULPGT3WFc5Oa+Et8zGwL8MTe5BBn/rMPipvt 7pcK8SkRqu80fOb1UONj3ovq2QvforuWEnJTEZuvxxS1CfDFsgMHsdHEqm59ztz1CAh/ 0ZxCb7p9pTkNK33Jnqd/ICGciXbXSTacXZc6+N1FqoyV1Syc8bZ/RIhDFlIRfSKURM/K UXKHfJks3RVBe4dJNESTE29oQlYtsGMAYzAYahyjPjk0XDrt7JjuGQ2n1eLi2tf+906b XqbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712597869; x=1713202669; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6TcwuGCgqfd+iwGPBa4tgTHZwqqplhGYGyiLosmXPuM=; b=wVkbgCETpewe/FyAY+LOQBGIxFJ0n+Rhig+SVTyfuJyY3+FgYRyHFbr/74PxzGiLBd bmFnunBGutnn2fa29+bsEvnt/rDmMYV1n4+3nANzINKOxmA6ypxUM3zExcp+mb0zQLuh G1qNbSOni+iCVSIxxR+QeS6mwP4/A6RRHLz5/p1xCsosrjRoS4fkLyG1nWmQivA7kf9G bXY7Zk9uvPK/sAMN79lfUdSt0/Eg+sv8Y/UK1dFDFHUECSeo/Cx7B7ypRfKVE32dSprf STHiiLQ72ezGaMXDXfJASWuATH2m3PuvILAx6LDRBrRtgDn0BxzTJKFtebvfaJhik3F+ j88A==
X-Gm-Message-State: AOJu0YwUi5cV3ywsmr8A5n5BijzYt1K+A5yt/4yY3X9SkQZkevHauUer VMFh8LoamGRJAp95QF/lrruFEmjc6LGhjn+h5l24ThezizKy725IV8FiD5xkDAs=
X-Google-Smtp-Source: AGHT+IGeyB8ZzA1zdHpuKwnFqDq0nio5mxNSCmIP0ToA0LpLMZdKBp8ztU1aiaTJ9X1MVUwWYF5GEw==
X-Received: by 2002:a05:600c:3b26:b0:416:3de5:1367 with SMTP id m38-20020a05600c3b2600b004163de51367mr5321500wms.3.1712597868362; Mon, 08 Apr 2024 10:37:48 -0700 (PDT)
Received: from smtpclient.apple (243.211.93.209.dyn.plus.net. [209.93.211.243]) by smtp.gmail.com with ESMTPSA id je6-20020a05600c1f8600b0041496734318sm17666533wmb.24.2024.04.08.10.37.47 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 08 Apr 2024 10:37:48 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-EAB7294A-24EB-457C-AFC2-0415CAF9C2F3"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Mon, 08 Apr 2024 18:37:36 +0100
Message-Id: <6B2EF6E4-91E0-4F26-9623-A722BAAEDF3B@gmail.com>
References: <73d28971-0470-4339-9ae8-f2d07f2303ae@dennis-jackson.uk>
Cc: cfrg@irtf.org
In-Reply-To: <73d28971-0470-4339-9ae8-f2d07f2303ae@dennis-jackson.uk>
To: Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>
X-Mailer: iPhone Mail (21D61)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/x4ZNPbbamRjC8fOzlPgBxTal2TA>
Subject: Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 17:37:54 -0000
Hi Neil,
On 08/04/2024 11:27, Neil Madden wrote:
HPKE only defines an interface for encrypting messages to a single recipient. Therefore standards like JOSE, which support multiple recipients, have to come up with an approach to support that. The obvious thing to do, and what is being proposed for JOSE, is to do what the existing ECDH-ES (ECIES) modes do: generate a random data encryption key (DEK) and use that to encrypt the message using an AEAD. Then run HPKE for each recipient to encrypt the DEK. You then concatenate all the wrapped DEKs and encapsulated keys with the ciphertext and send it.
Can you please point to the text in the RFC that says this is forbidden? From HPKE's point of view there are two entirely separate HPKE instances that happen to be encrypting the same plaintext (the DEK). I don't see any text that forbids this or warns of any dangers at all, hence this erratum report.HPKE doesn't support multiple receivers so HPKE's security analysis doesn't say anything about what happens if you try to build such functionality yourself.
AuthEncap()
/AuthDecap()
interface fulfills these notions for all Diffie-Hellman groups specified in this document.All the HPKE RFC says is that each recipient can be assured of the sender of the DEK and its authenticity. Claims about ciphertexts encrypted with that DEK are completely outside the scope of HPKE.
I'm not sure what a warning could look like except a very generic warning that the security of a primitive does not imply the security of any primitive or protocol that builds on it. Admittedly, this is might be worth stapling to the front of every CFRG draft.
On the upside, if the folks in JOSE (or other WG) want a version of HPKE for multiple recipients with authenticity guarantees, that seems like good motivation for a new 'mHPKE' CFRG draft.
- [CFRG] Fwd: [Technical Errata Reported] RFC9180 (… Neil Madden
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Martin Thomson
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Neil Madden
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Martin Thomson
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Benjamin Lipp
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Karthik Bhargavan
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Colin Perkins
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Neil Madden
- Re: [CFRG] Fwd: [Technical Errata Reported] RFC91… Karthik Bhargavan
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Neil Madden
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Dennis Jackson
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Neil Madden
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Thad Thompson
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Neil Madden
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Dennis Jackson
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Neil Madden
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Eric Rescorla
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Dennis Jackson
- Re: [CFRG] [Technical Errata Reported] RFC9180 (7… Neil Madden