Re: [COSE] Update to the COSE-HPKE draft and new use case (?)

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 25 April 2022 11:13 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Russ Housley <housley@vigilsec.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] Update to the COSE-HPKE draft and new use case (?)
Thread-Index: AdgssVAELsxNzCHhRZOACjsjjmMa5gpjlqtwAApKUAAAaL1zAAAiXOHg
Date: Mon, 25 Apr 2022 11:13:32 +0000
Message-ID: <DBBPR08MB59150C1D51B1D058A2030AE8FAF89@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <DBBPR08MB5915DBF46D50E44049EEEB72FA019@DBBPR08MB5915.eurprd08.prod.outlook.com> <DBBPR08MB59156170634FE8A6899F7323FAF79@DBBPR08MB5915.eurprd08.prod.outlook.com> <YmLcbAWZRrllV0Gj@LK-Perkele-VII2.locald> <31ADB283-08B4-48A5-9AA2-27F8E929A822@vigilsec.com>
In-Reply-To: <31ADB283-08B4-48A5-9AA2-27F8E929A822@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/3fcYo_wYtKtVjavVmqNFQfE7iMw>

Hi Russ, Hi Ilari

Thanks for the comments regarding the COSE_Encrypt0. I have created PRs in https://github.com/cose-wg/HPKE/pulls

Regarding the algorithms and the ephemeral key, I would like to send separate emails.

Ciao
Hannes

-----Original Message-----
From: COSE <cose-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Sunday, April 24, 2022 8:48 PM
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cose@ietf.org
Subject: Re: [COSE] Update to the COSE-HPKE draft and new use case (?)

Ilari:

Thanks for the review and keeping us honest about cose_encrypt0.  We were focused on the HPKE situation where there are multiple recipients.

Russ

> On Apr 22, 2022, at 12:48 PM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>
> On Fri, Apr 22, 2022 at 11:54:59AM +0000, Hannes Tschofenig wrote:
>> Hi all
>>
>> I have created a PR to add the use case described below into the
>> COSE-HPKE draft:
>> https://github.com/cose-wg/HPKE/pull/5
>>
>> I briefly talked about this topic at the IETF meeting in Vienna.
>> Comments welcome!
>
> For this change specifically:
>
> 1) In section titled "HPKE Encryption with SealBase", there is this
> text:
>
> "IMPORTANT: For use in this specification, the plaintext "pt" passed
> into the SealBase is the CEK."
>
> While this is true in multi-recipient cose_encrypt case, it is not
> true in the single-recipient cose_encrypt0 case. Then the plaintext is
> the raw message.
>
> It seems this was forgotten to be changed to deal with the
> cose_encrypt0 case.
>
> Maybe something like:
>
> -----------------------
> IMPORTANT: For use in cose_encrypt, the plaintext "pt" passed into the
> SealBase is the CEK. The CEK is a random byte sequence of length
> appropriate for the encryption algorithm selected in layer 0. For
> example, AES-128-GCM requires a 16 byte key and the CEK would
> therefore be 16 bytes long. In case of cose_encrypt0, the plaintext
> "pt" passed into the SealBase is the raw plaintext.
> -----------------------
>
> 2) In section titled "HPKE Decryption with OpenBase", there is this
> text:
>
> "When decrypted, the result will be the CEK. The CK is the symmetric
> key used to decrypt the ciphertext in layer 0 of the COSE_Encrypt
> structure."
>
> Which again is not the case when using cose_encrypt0. Then the result
> will be the raw message.
>
> This seems to be similar text that has been forgotten to be changed to
> deal with cose_encrypt0 case.
>
> Maybe something like:
>
> -----------------------
> When decrypted, the result will be either the CEK (if using
> cose_encrypt), or the raw plaintext (if using cose_encrypt0). The CEK
> is the symmetric key used to decrypt the ciphertext in layer 0 of the
> COSE_Encrypt structure.
> -----------------------
>
> 3) The sections "Examples" -> "One Layer" and "Examples" -> "Two Layer"
> both seem to have duplicate anchor "{#one-layer-example}".
>
> I think the anchor for the two layer example should be
> "{#two-layer-example}".
>
>
> 4) The one layer example expands the ephemeral key, but the two layer
> example does not. One would expect the two examples to be
> stylistically consistent.
>
>
> 5) The text about cose_encrypt0 says:
>
> "The sender MUST place the kid and ephemeral public key into the
> unprotected header."
>
> However, RFC8152 says:
>
> "If a key needs to be identified to the recipient, the enveloped
> structure ought to be used."
>
> While these two are not in normative conflict (MUST vs. ought), this
> still seems inconsistent.
>
>
>
> And then some comments on the spec in general:
>
> 6) The encoding of the encapsulated key produced by HPKE seems to be
> under-specified.
>
> HPKE gives octet string as encapsulated key. This apparently is placed
> into the ephemeral public key field in unprotected header. However,
> RFC8152 specifies this field to be cose_key, and it is not at all
> clear how to encode the octet string as cose_key. Especially what to
> fill as the kty field, which is mandatory in cose_key.
>
> Searching for existing RFC8152 construct to abuse, there is the
> "Symmetric" kty. Then the encapsulated key would look like:
>
> -1: {
>       /* kty => Symmetric */
>       1:4,
>       /* The raw encapsulated ciphertext. */
>       -1:h'04ca591f4b1139c1c325be3265a6ce4dcc79a5895e9ef12a0726406bc72282697c8d12f18230208ebaa769f903917d59284526fd65a27ab5898913af10ed334398'
> }
>
>
> 7) I think that combining all the HPKE algorithms into one ciphersuite
> is a bad idea.
>
> While the KEM and KDF could be combined, trying to combine AEAD would
> lead into combinatorial explosion, or worse, into broken
> combinatorics, which are nasty to handle in any sort of sane way (see
> TLS 1.0-1.2 ciphersuites).
>
> Even with KEM and KDF combined, present HKDF would give 15 different
> ciphersuites.
>
> What I think should be done is just registering the HPKE AEADs as alg
> values (there are 3 of those currently), and then having OKP crv's for
> the combined KEM and KDF (there are 5 of those currently) in the key.
>
> That is, alg's like:
>
> - HPKE_AES_128_GCM (HPKE AEAD 1)
> - HPKE_AES_256_GCM (HPKE AEAD 2)
> - HPKE_ChaCha20Poly1305 (HPKE AEAD 3)
>
> And crv's like:
>
> - HPKE_P_256_HKDF_SHA256 (HPKE KEM 16 KDF 1)
> - HPKE_P_384_HKDF_SHA384 (HPKE KEM 17 KDF 2)
> - HPKE_P_521_HKDF_SHA512 (HPKE KEM 18 KDF 3)
> - HPKE_X25519_HKDF_SHA256 (HPKE KEM 32 KDF 1)
> - HPKE_X448_HKDF_SHA512 (HPKE KEM 33 KDF 3)
>
>
> This also mirrors the internal structure of HPKE: Mixing and matching
> AEADs is cryptographically kosher, while mixing and matching KDFs is
> not (and it is not possible to fix this due to shortcomings of the
> standard KEM interface).
>
>
>
> -Ilari
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose

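The two concrete points raised in the thread, the SealBase input for cose_encrypt versus cose_encrypt0 (Ilari's items 1 and 2) and the encoding of HPKE's encapsulated key as a COSE_Key of kty Symmetric (item 6), worked through as an added Python example. This is not code from the COSE-HPKE draft, from the cose-wg/HPKE repository or from any participant; the Symmetric-key wrapping is Ilari's suggestion, not something the draft specifies, the alg and label numbers are the RFC 8152 registry values, the CBOR encoder is a minimal stdlib-only one, and the kid and structure names are constructed for the example. The hex value is the encapsulated key quoted in the thread.

```python
"""Added example (not from the COSE-HPKE draft or cose-wg/HPKE).

Encodes an HPKE encapsulated key the way Ilari proposes: wrapped in a
COSE_Key with kty=Symmetric (1:4) and the raw octets in 'k' (-1), placed
under the 'ephemeral key' header label (-1) next to 'kid' (4). A small
RFC 8949 encoder produces the bytes so the layout can be inspected, and
hpke_seal_input() picks the SealBase plaintext per structure type.
"""
from typing import Any, Dict, Optional

# COSE labels from RFC 8152.
KTY = 1                  # COSE_Key common parameter "kty"
KTY_SYMMETRIC = 4        # kty value "Symmetric"
SYMMETRIC_K = -1         # "k" parameter of a Symmetric key: the raw bytes
HDR_KID = 4              # header label "kid"
HDR_EPHEMERAL_KEY = -1   # header label "ephemeral key" (value: COSE_Key)

# Key sizes of layer-0 content-encryption algorithms, by RFC 8152 alg value:
# A128GCM=1, A192GCM=2, A256GCM=3, ChaCha20/Poly1305=24.
CEK_LENGTH = {1: 16, 2: 24, 3: 32, 24: 32}

# Constructed sample: the 65-byte encapsulated key quoted in the thread
# (an uncompressed P-256 point, as DHKEM(P-256) produces).
SAMPLE_ENC = bytes.fromhex(
    "04ca591f4b1139c1c325be3265a6ce4dcc79a5895e9ef12a0726406bc72282697c8d12f18230208ebaa769f903917d59284526fd65a27ab5898913af10ed334398"
)


def _head(major: int, n: int) -> bytes:
    """Initial byte(s) of a CBOR item: major type plus argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large for CBOR")


def cbor_encode(obj: Any) -> bytes:
    """Encode ints, byte strings and maps (all a COSE header needs here),
    with the deterministic key order of RFC 8949 section 4.2.1."""
    if isinstance(obj, bool):
        raise TypeError("booleans are not used in this example")
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, (bytes, bytearray)):
        return _head(2, len(obj)) + bytes(obj)
    if isinstance(obj, dict):
        pairs = sorted(((cbor_encode(k), cbor_encode(v)) for k, v in obj.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(pairs)) + b"".join(k + v for k, v in pairs)
    raise TypeError(f"unsupported type {type(obj).__name__}")


def encapsulated_key_as_cose_key(enc: bytes) -> Dict[int, Any]:
    """Wrap HPKE's 'enc' octet string as a Symmetric COSE_Key (Ilari's item 6)."""
    if not enc:
        raise ValueError("empty encapsulated key")
    return {KTY: KTY_SYMMETRIC, SYMMETRIC_K: bytes(enc)}


def unprotected_header(kid: bytes, enc: bytes) -> Dict[int, Any]:
    """Unprotected header the cose_encrypt0 text calls for: kid plus the
    ephemeral (here: encapsulated) key."""
    return {HDR_KID: bytes(kid), HDR_EPHEMERAL_KEY: encapsulated_key_as_cose_key(enc)}


def extract_encapsulated_key(header: Dict[int, Any]) -> bytes:
    """Recipient side: recover 'enc', refusing any other kty so that a peer
    following a different reading of the under-specified field fails loudly
    instead of being fed to OpenBase."""
    key = header.get(HDR_EPHEMERAL_KEY)
    if not isinstance(key, dict):
        raise ValueError("ephemeral key header missing")
    if key.get(KTY) != KTY_SYMMETRIC:
        raise ValueError(f"unexpected kty {key.get(KTY)!r}; expected Symmetric (4)")
    enc = key.get(SYMMETRIC_K)
    if not isinstance(enc, bytes) or not enc:
        raise ValueError("missing or empty k field")
    return enc


def hpke_seal_input(structure: str, message: bytes,
                    layer0_alg: Optional[int] = None,
                    cek: Optional[bytes] = None) -> bytes:
    """The 'pt' handed to SealBase, per Ilari's proposed text (items 1 and 2):
    the CEK for cose_encrypt (length fixed by the layer-0 alg), the raw
    message for cose_encrypt0."""
    if structure == "cose_encrypt0":
        return bytes(message)
    if structure == "cose_encrypt":
        want = CEK_LENGTH[layer0_alg]
        if cek is None or len(cek) != want:
            raise ValueError(f"CEK must be {want} bytes for layer-0 alg {layer0_alg}")
        return bytes(cek)
    raise ValueError(f"unknown structure {structure!r}")


if __name__ == "__main__":
    hdr = unprotected_header(b"kid-1", SAMPLE_ENC)   # constructed kid
    print(cbor_encode(hdr).hex())
    print(extract_encapsulated_key(hdr) == SAMPLE_ENC)
```

The sort in `cbor_encode` orders map keys by encoded length and then bytewise, so `kid` (0x04) precedes the ephemeral key (0x20) and the output is byte-for-byte reproducible, which matters when the header bytes later feed an AAD.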