IETF Logo Mail Archive

Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt

Dan Harkins <dharkins@lounge.org> Mon, 02 October 2023 16:27 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55FE1C151551 for <cfrg@ietfa.amsl.com>; Mon, 2 Oct 2023 09:27:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.995
X-Spam-Level:
X-Spam-Status: No, score=-5.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FONT_INVIS_MSGID=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_DOTEDU=1] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q0t93KPoFQpC for <cfrg@ietfa.amsl.com>; Mon, 2 Oct 2023 09:27:49 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB02BC151082 for <cfrg@irtf.org>; Mon, 2 Oct 2023 09:27:49 -0700 (PDT)
Received: from kitty.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0S1W0O4CMTQD4T@wwwlocal.goatley.com> for cfrg@irtf.org; Mon, 02 Oct 2023 12:27:49 -0400 (EDT)
Received: from [192.168.1.24] (customer.lsancax1.pop.starlinkisp.net [98.97.58.27]) by kitty.bergandi.net (PMDF V6.8 #2433) with ESMTPSA id <0S1W00EA2TQCVX@kitty.bergandi.net> for cfrg@irtf.org; Mon, 02 Oct 2023 09:27:49 -0700 (PDT)
Received: from customer.lsancax1.pop.starlinkisp.net ([98.97.58.27] EXTERNAL) (EHLO [192.168.1.24]) with TLS/SSL by kitty.bergandi.net ([10.0.42.19]) (PreciseMail V3.3); Mon, 02 Oct 2023 09:27:49 -0700
Date: Mon, 02 Oct 2023 09:27:47 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CH0PR11MB5739C38E222CE46C63D56CC69FC5A@CH0PR11MB5739.namprd11.prod.outlook.com>
To: cfrg@irtf.org
Message-id: <c5f570b2-c49e-b44a-947e-575798afca2e@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_aSuzVrnk79OlRrUCZp4S0A)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.14.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=kitty.bergandi.net, send-ip=98.97.58.27)
X-PMAS-External-Auth: customer.lsancax1.pop.starlinkisp.net [98.97.58.27] (EHLO [192.168.1.24])
References: <169592647633.22478.7564567661859429538@ietfa.amsl.com> <105f3992-d271-d3fd-e3eb-23751f763e15@lounge.org> <CABcZeBNG9TTMK7AP8+ecWjzD+k5w6YBOdM0QuePMdc+PD5QXog@mail.gmail.com> <09ef9418-0c6c-3771-a82a-900c8143afc4@lounge.org> <CABcZeBP1+4Tof9K0Zf7mjmHAhqHAs2nqoNSiHhPS9scZJ-E8Hw@mail.gmail.com> <CAL02cgRUTNMf6vt1ppwQbO=UqXMY3ujfgsws8J7NnxfU-ZT8TQ@mail.gmail.com> <C1948A98-B3E4-42EE-BDDC-31BCFD0656FA@akamai.com> <CH0PR11MB5739C38E222CE46C63D56CC69FC5A@CH0PR11MB5739.namprd11.prod.outlook.com>
X-PMAS-Software: PreciseMail V3.3 [230928a] (kitty.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/y5Wh7C30j-6HhPz80kLT3TIKPrs>
Subject: Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Oct 2023 16:27:54 -0000

   For some reason Richard's email didn't appear in my mailer, but
it is in the CFRG archive so I was able to read it....

On 10/2/23 6:40 AM, Mike Ounsworth wrote:
>
> > The TLS registries have learned that we need to have a notes column, 
> and a recommended-or-not column. Perhaps an update that adds a Note 
> column and the draft could cay “not IND-CCA2”. In fact, the IANA 
> action to add that column could be part of this draft.
>
> I’m with Richard that the label “Not IND-CCA2” includes both otherwise 
> perfectly acceptable DAE ciphers, and also ROT13, and so is not a 
> helpful label in terms of guiding non-cryptographer sysadmins and 
> policymakers.
>
> If we think that the deterministic nonce-less AEADs in draft-irtf-cfrg-dnhpkeare ok-ish, then we need a better label than “Not IND-CCA2”.
>
>

   AES-SIV has a security proof (see [1]) so the option shouldn't be to
lump it in with ROT13. I'm sure we could come up with a reasonable
name for a column in the registry that addresses what the mode offers
if that's what the RG wants to do.

   But Richard says that a people wouldn't have confidence that using
HPKE with one of these modes is "safe". The requirement that the
construction with this mode is "safe" should be in the document that
registers the mode, not the IANA registry. And I think my I-D does
that. People don't implement the IANA registry, they implement the RFC,
and they would be able to read the Security Considerations about using
what it is they are implementing.

   The unfortunate downside to this interpretation of the assignment
rules is that HPKE cannot be used in an application on a lossy network.
The world is not TCP and HPKE could be useful in applications that
cannot guarantee in order delivery of every single packet. Preventing
that is A Bad Thing (tm) in my opinion.

   But getting back to this procedural issue. One of the editors of
HPKE (and I believe the person who did the security analysis), when it
was still an I-D, said that "the door is not closed" on using a DAE cipher
mode. And I expressed confusion given the new text that just appeared
in -10 of that I-D, so clarifying text was added to say that you get an
IND-CCA2 guarantee when you abide by the requirements in 9.4. The
implication being, you can get a DAE mode assignment but then you
will not have the IND-CCA2 guarantee. That was impression that the
editors were giving when they accepted the pull request. Now, post
publication, I am being told something quite different.

   regards,

   Dan.

[1] https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf

> ---
>
> *Mike*Ounsworth
>
> *From:*CFRG <cfrg-bounces@irtf.org> *On Behalf Of *Salz, Rich
> *Sent:* Monday, October 2, 2023 8:30 AM
> *To:* Richard Barnes <rlb@ipv.sx>; Eric Rescorla <ekr@rtfm.com>
> *Cc:* cfrg@irtf.org
> *Subject:* [EXTERNAL] Re: [CFRG] DAE for HPKE, was Re: I-D Action: 
> draft-irtf-cfrg-dnhpke-02.txt
>
> My interpretation of the question here is: - HPKE has been proven 
> IND-CCA2 secure if the KEM and AEAD are IND-CCA2 secure - RFC 9180 
> makes no claims about the security of the construction if the AEAD is 
> *not* IND-CCA2 secure - The request here
>
> My interpretation of the question here is:
>
> - HPKE has been proven IND-CCA2 secure if the KEM and AEAD are 
> IND-CCA2 secure
>
> - RFC 9180 makes no claims about the security of the construction if 
> the AEAD is *not* IND-CCA2 secure
>
> - The request here is to register an AEAD algorithm that is 
> affirmatively *not* IND-CCA2 secure (can't be, not even claimed to be)
>
> If this is an accurate summary, then I don’t see a reason for the 
> experts to reject the algorithm.
>
> So the question for the RG is -- Are folks OK with values being 
> registered that do not meet the security requirements in the RFC?
>
> Well, the RFC doesn’t have that requirement.  It says “if X then Y” 
> not “only X is valid.” But I gave it a quick read, so if I’m wrong 
> please point to the section where it says IND-CCA2 is required.
>
> The TLS registries have learned that we need to have a notes column, 
> and a recommended-or-not column. Perhaps an update that adds a Note 
> column and the draft could cay “not IND-CCA2”. In fact, the IANA 
> action to add that column could be part of this draft.
>
> /Any email and files/attachments transmitted with it are intended 
> solely for the use of the individual or entity to whom they are 
> addressed. If this message has been sent to you in error, you must not 
> copy, distribute or disclose of the information it contains. _Please 
> notify Entrust immediately and delete the message from your system._/
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

v2.23.0 | Report a Bug | By Email