Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-08.txt

Frank Denis <cfrg@pureftpd.org> Mon, 19 April 2021 19:52 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/xvpurqGkbFjSO5zd5Ap9c6DmsJY>

General comments on draft-irtf-cfrg-hpke-08:

* The document is well-written and every function is clearly specified.
I wrote implementations based solely on it, which were verified to be interoperable with other implementations, and didn’t hit anything that required additional information.

* The test vectors also appear to be correct.

Given this, the maturity of the scheme, and the fact that it is a dependency for other protocols, I’d like to see this document move forward.


---


Additional comments:


* Section 4:

“This function can raise an DecapError” -> “a DecapError”



* Section 4: "The Seal() and Open() functions can return a NonceOverflowError."

The fact that HPKE uses increasing nonces is an internal detail; exposing this to applications looks like the wrong abstraction level.

From an application perspective, a more meaningful error would be `TooManyMessages` or a more generic `Overflow` error that could also encompass the case of the AEAD’s internal counter reaching a limit.

Using `NonceOverflowError` may catalyze inconsistencies between the specification and its implementations.



* Section 4: LabeledExtract() and LabeledExpand() functions

The document doesn’t mention any size limits regarding the `suite_id` and `label` parameters of these functions.

This can be an issue for implementations favoring static/pre-allocated storage space over heap allocations.

Specifying reasonable limits (64 bytes?) may be useful to avoid interoperability issues.
These limits can also be documented in section 7.2.1.




* Section 8.1.3

Splitting this into 2 or 3 paragraphs would make the section more readable.



* Section 8.4: “Further, because HPKE uses AEAD schemes that are not key-committing”

This seems to suggest that non key-committing schemes are a requirement for HPKE, which is not the case.
Further revisions of the document can include key-committing schemes, and exported keys can safely be used with such AEADs.





Cheers,
-Frank.
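The sequence-number bookkeeping behind the Section 4 comment, as an added example that is not code from the draft or from Frank's implementations: it follows the ComputeNonce/IncrementSeq logic of the version of HPKE later published as RFC 9180, but surfaces exhaustion as an application-level `MessageLimitError`, as the mail proposes. The AEAD is injected as a callable; `placeholder_aead_seal` is a constructed stand-in that performs no encryption.

```python
from typing import Callable

NN = 12                        # Nn for AES-GCM and ChaCha20-Poly1305 in HPKE
MAX_SEQ = (1 << (8 * NN)) - 1  # largest sequence number representable in the nonce

class MessageLimitError(Exception):
    """The context has sealed (or opened) the last message it may handle."""

class SendContext:
    def __init__(self, key: bytes, base_nonce: bytes,
                 aead_seal: Callable[[bytes, bytes, bytes, bytes], bytes]) -> None:
        if len(base_nonce) != NN:
            raise ValueError("base_nonce must be Nn bytes")
        self.key = key
        self.base_nonce = base_nonce
        self.aead_seal = aead_seal  # callable(key, nonce, aad, pt) -> ct
        self.seq = 0

    def compute_nonce(self, seq: int) -> bytes:
        # RFC 9180: nonce = base_nonce XOR I2OSP(seq, Nn)
        seq_bytes = seq.to_bytes(NN, "big")
        return bytes(a ^ b for a, b in zip(self.base_nonce, seq_bytes))

    def seal(self, aad: bytes, pt: bytes) -> bytes:
        # Check the limit before encrypting, so no ciphertext is produced for a
        # sequence number that no longer fits in the nonce.
        if self.seq > MAX_SEQ:
            raise MessageLimitError("context exhausted: too many messages sealed")
        nonce = self.compute_nonce(self.seq)
        self.seq += 1
        return self.aead_seal(self.key, nonce, aad, pt)

def placeholder_aead_seal(key: bytes, nonce: bytes, aad: bytes, pt: bytes) -> bytes:
    """Constructed stand-in, NOT an AEAD: returns nonce||pt so callers can inspect the nonce."""
    return nonce + pt

def messages_before_exhaustion(start_seq: int) -> int:
    """Seal until the context refuses and return how many messages succeeded.
    Starting near MAX_SEQ keeps the loop short (2^96 iterations would not finish)."""
    ctx = SendContext(b"\x00" * 16, bytes(NN), placeholder_aead_seal)
    ctx.seq = start_seq
    count = 0
    try:
        while True:
            ctx.seal(b"", b"m")
            count += 1
    except MessageLimitError:
        return count
```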
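The LabeledExtract()/LabeledExpand() size-limit point, as an added example that is not code from the draft or from Frank's implementations: the functions are written as defined in the version of HPKE later published as RFC 9180 over HKDF-SHA256, and reject any `suite_id` or `label` longer than a fixed budget so that a static-storage implementation can size its buffers. The 64-byte limit is an assumed value (the mail floats it with a question mark; the draft sets none), and `extract_and_expand` shows the DHKEM call sites that exercise both functions.

```python
import hashlib
import hmac

HASH = hashlib.sha256
NH = HASH().digest_size      # 32 for SHA-256
VERSION_LABEL = b"HPKE-v1"   # version label used by RFC 9180
MAX_LABEL_LEN = 64           # assumed bound on suite_id and label (the draft sets none)

class LabelTooLong(ValueError):
    """suite_id or label exceeds the fixed buffer budget of this implementation."""

def _check_label(name: str, value: bytes) -> None:
    if len(value) > MAX_LABEL_LEN:
        raise LabelTooLong(f"{name} is {len(value)} bytes; limit is {MAX_LABEL_LEN}")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869: an empty salt is treated as Nh zero bytes
    return hmac.new(salt or bytes(NH), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    if length > 255 * NH:
        raise ValueError("requested length exceeds 255 * Nh")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]

def labeled_extract(suite_id: bytes, salt: bytes, label: bytes, ikm: bytes) -> bytes:
    _check_label("suite_id", suite_id)
    _check_label("label", label)
    return hkdf_extract(salt, VERSION_LABEL + suite_id + label + ikm)

def labeled_expand(suite_id: bytes, prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    _check_label("suite_id", suite_id)
    _check_label("label", label)
    labeled_info = length.to_bytes(2, "big") + VERSION_LABEL + suite_id + label + info
    return hkdf_expand(prk, labeled_info, length)

def kem_suite_id(kem_id: int) -> bytes:
    # RFC 9180: suite_id for KEM-level functions is "KEM" || I2OSP(kem_id, 2)
    return b"KEM" + kem_id.to_bytes(2, "big")

def extract_and_expand(kem_id: int, dh: bytes, kem_context: bytes, nsecret: int) -> bytes:
    # RFC 9180 DHKEM ExtractAndExpand: dh -> eae_prk -> shared_secret
    suite_id = kem_suite_id(kem_id)
    eae_prk = labeled_extract(suite_id, b"", b"eae_prk", dh)
    return labeled_expand(suite_id, eae_prk, b"shared_secret", kem_context, nsecret)
```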