IETF Logo Mail Archive

Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 17 January 2022 11:19 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ACAE3A0858 for <cose@ietfa.amsl.com>; Mon, 17 Jan 2022 03:19:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6KsB-Jd81Adh for <cose@ietfa.amsl.com>; Mon, 17 Jan 2022 03:19:07 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D54E3A0859 for <cose@ietf.org>; Mon, 17 Jan 2022 03:19:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 70B73C3F1B; Mon, 17 Jan 2022 13:19:02 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id hpR4eMaXh6hi; Mon, 17 Jan 2022 13:19:02 +0200 (EET)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id E01722315; Mon, 17 Jan 2022 13:18:59 +0200 (EET)
Date: Mon, 17 Jan 2022 13:18:58 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "cose@ietf.org" <cose@ietf.org>
Message-ID: <YeVQooQEGzfjFeE9@LK-Perkele-VII2.locald>
References: <DBBPR08MB5915C899B9EF8122898057BDFA579@DBBPR08MB5915.eurprd08.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <DBBPR08MB5915C899B9EF8122898057BDFA579@DBBPR08MB5915.eurprd08.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/7QSeIKDEiTzvOATOVFAYOa5Xte0>
Subject: Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jan 2022 11:19:10 -0000

On Mon, Jan 17, 2022 at 09:36:34AM +0000, Hannes Tschofenig wrote:
> 
> with draft-ietf-cose-hpke-00 I have submitted the draft version that
> was subject to the working group call for adoption. John and Goeran
> provided feedback already and suggested to re-use the algorithm
> registry created by HPKE.
> 
> In https://github.com/cose-wg/HPKE/blob/main/draft-ietf-cose-hpke.txt
> the proposed -01 version can be found.
> 
> Please have a look at it and let me know if the proposed changes
> are inline with the suggestions.

In can make little sense of the way HPKE is used.

- Why are the symmetric and asymmetric parts of HPKE split into two
  different layers? The whole point of HPKE singleshot mode is to
  combine them.

- The layer 1 algorithm is specified as COSE encryption algorithm,
  but for actually performing the encryption/decryption, one needs
  HPKE AEAD ID.

  * How is the mapping between the two done?
  * If new AEAD is added to HPKE, does one also have to register COSE
    algorithm for it?

  Embedding the registry would mean 5 byte algorithm identifiers, as
  there is just not enough space with smaller ones (need continuous
  block of 65534 (sic) algorithm ids).

- Recipients at layer 1 are specified as one-or-more. AFAICT, more than
  one recipient here makes absolutely no sense.
  
- The algorithm ID at layer 2 needs new registrations to take advantage
  of new HPKE algorithms. This especially inclures KEMs, which are one
  of the most important extension points (post-quantum!).

- Decomposing the keys at layer 2 needs code changes to support new
  KEMs. Which likely can not be nontrivially decomposed anyway.

  However, currently HPKE does not have compact NIST curves, which
  allows space saving via decomposition.

  Compromise might be to embed the registries (both may be jointly
  embededed into 5 byte algorithm identifier) and have special values
  for decomposed stuff (and shorthands for X25519/X448).[1]

  If both KEM and KDF can be sepcified, the KDFs SHOULD be matched.

- HPKE is different enough that I think both new kty and a new
  operational mode are justified (I can make very little sense of
  existing operational modes).

- Doing HPKE with two layers with cose_encrypt, easily extends to
  doing HPKE in cose_encrypt0: The only difference is directly operating
  on the plaintext instead operating on the CEK. The limitation is
  only having one recipient.



[1]

E.g.:

- algid=-1 is like algid=0x00010010, but key is compressed like in C509.
- algid=-2 is like algid=0x00020011, but key is compressed like in C509.
- algid=-3 is like algid=0x00030012, but key is compressed like in C509.
- algid=-4 is alias for algid=0x00010020 (X25519 with SHA-256).
- algid=-5 is alias for algid=0x00030021 (X448 with SHA-512).


-Ilari

v2.8.7 | Report a Bug | By Email