IETF Logo Mail Archive

Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 17 January 2022 14:51 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5307C3A0163 for <cose@ietfa.amsl.com>; Mon, 17 Jan 2022 06:51:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=p7tKZc3o; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=p7tKZc3o
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 11jq0MtWbGh3 for <cose@ietfa.amsl.com>; Mon, 17 Jan 2022 06:51:29 -0800 (PST)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20052.outbound.protection.outlook.com [40.107.2.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85E163A0139 for <cose@ietf.org>; Mon, 17 Jan 2022 06:51:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XFVHaeILewWlAYkPL4k22018WZkUHRCQ0ov4SCGG1+4=; b=p7tKZc3odvlkp3xleAEZ+AsH4/G9bgtTtVcyIrkGLMV9bsDU2AVLh354gOQj57xr/1/oTlyxjs+47kVsvMQst9iY6NX4XZI8fG/NT1J95S2pLXxESKfP2wY5Vs9arC7A3/dvS0Gno3uqvfGz7ASG/vQAji99gK/sgh7/PwMZU4Q=
Received: from AM6P195CA0066.EURP195.PROD.OUTLOOK.COM (2603:10a6:209:87::43) by DB7PR08MB3498.eurprd08.prod.outlook.com (2603:10a6:10:4c::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4888.12; Mon, 17 Jan 2022 14:51:22 +0000
Received: from VE1EUR03FT013.eop-EUR03.prod.protection.outlook.com (2603:10a6:209:87:cafe::f5) by AM6P195CA0066.outlook.office365.com (2603:10a6:209:87::43) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4888.9 via Frontend Transport; Mon, 17 Jan 2022 14:51:22 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT013.mail.protection.outlook.com (10.152.19.37) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4888.9 via Frontend Transport; Mon, 17 Jan 2022 14:51:22 +0000
Received: ("Tessian outbound de6049708a0a:v110"); Mon, 17 Jan 2022 14:51:21 +0000
X-CR-MTA-TID: 64aa7808
Received: from eb3595379776.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id DD5C6C7F-ED2D-45A6-BD80-7E6F7A24529C.1; Mon, 17 Jan 2022 14:51:15 +0000
Received: from EUR05-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id eb3595379776.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 17 Jan 2022 14:51:15 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=P+uoiK7SV4eGfOxLwIb6dhoGOGpFUHdalqPuUVecmCNG47mnWvU5+88YZFZW3t2+c7WY815SPA12jaGIbQX77uE1cccHcqABX6TpkyMc4FHUTG2uTm9iB8sCGM/eQ/z99J8gR1j97YH8xj7fOPAxHF+T9QHiLIbWg6RVJ3yRO9eEn4nA4wbCBFtmkmHH0AJwGOh4XBni9gAS47sBtw9DlBVIRJwP5AajU2Qf8HlmDmsiABc2eInvxnaS4u1G9RVnaDD30SbkGXQ1N2tAOi3pJbP3bxKvYehSxbl/Bb20pypKjghQulG/vUWbbZykfRwfA74EwLqwzZGb8eR2DBxDGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XFVHaeILewWlAYkPL4k22018WZkUHRCQ0ov4SCGG1+4=; b=HApa+HZzIdkfVCCkxjCdUsqlE52pliNI0H0T0vuWGl4P4vMvLm9/FpqZ1qc3krmmNzzU4k8RIZYw2gu5Orl4YuKr5qFZHow1qyDVZvb8wg6gUd3kkxBu8Qh7Gr8QFnQ/y/dHgezGf2FsOq//u19Of/57m+zK1TI1h5Jr4yY7jPOTlhPuRiPNnl90fg2rdSrT/44KGoCU+rWEB2wrH7v/Taf2SxrIb8r0+X+wcTtxeiNmevErMEWjg/acQ81A4OirWzSUoW7gGchCHrmmnnNS26ajcBwqDNolrWxD95//yROf6AX8Cqci/l+6ijxEiRDpyiH0Q4RZpiOlQl1ypZlqCw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XFVHaeILewWlAYkPL4k22018WZkUHRCQ0ov4SCGG1+4=; b=p7tKZc3odvlkp3xleAEZ+AsH4/G9bgtTtVcyIrkGLMV9bsDU2AVLh354gOQj57xr/1/oTlyxjs+47kVsvMQst9iY6NX4XZI8fG/NT1J95S2pLXxESKfP2wY5Vs9arC7A3/dvS0Gno3uqvfGz7ASG/vQAji99gK/sgh7/PwMZU4Q=
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com (2603:10a6:10:20d::17) by AM9PR08MB6081.eurprd08.prod.outlook.com (2603:10a6:20b:2dd::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4888.11; Mon, 17 Jan 2022 14:51:14 +0000
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::ec71:ec1b:a356:3ccb]) by DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::ec71:ec1b:a356:3ccb%7]) with mapi id 15.20.4888.013; Mon, 17 Jan 2022 14:51:14 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01
Thread-Index: AdgLhM0SJ9GR/pH8Rn+twyj8D7yFcgADzhAAAAbPMOA=
Date: Mon, 17 Jan 2022 14:51:13 +0000
Message-ID: <DBBPR08MB5915C7AFF11B55A8AA8CBBEEFA579@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <DBBPR08MB5915C899B9EF8122898057BDFA579@DBBPR08MB5915.eurprd08.prod.outlook.com> <YeVQooQEGzfjFeE9@LK-Perkele-VII2.locald>
In-Reply-To: <YeVQooQEGzfjFeE9@LK-Perkele-VII2.locald>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 0A7ED7B3CD9679479757D98A094E1488.0
x-checkrecipientchecked: true
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-MS-Office365-Filtering-Correlation-Id: ba41e81a-4402-47b5-4e36-08d9d9c8d3ea
x-ms-traffictypediagnostic: AM9PR08MB6081:EE_|VE1EUR03FT013:EE_|DB7PR08MB3498:EE_
X-Microsoft-Antispam-PRVS: <DB7PR08MB349833999A632B85751FC93CFA579@DB7PR08MB3498.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: o+PpcOS7dckvGnIVBDCkB0uCk9v91iZ8b4x5sMMszG159nYVYuydFDsY+H07AZvEuuFbp1Yo7yIKPnJTHdjUWSwCjBjAV7bkLUl372s3hp4fyEC6XDWWaVExeK8DOyX78aaVpVpSynpcI2gkGRDvvjr9jaqWJ1lHxuzKSHSc+UQ/7U8l34k/XV66F2lfnzcil6CDYDKJv8EQj0qox4YU15UQbGB8pRr78WBB01ydtpxPkVJ0Uzv0Grzkp2yqsyUi3mH0Kxo2aqtVWJVvoXcJDqXiRtgK3CgufD6nzx0T9RFXlLSw0BtI2WgjNsrtxKMtpvq7S6XQqQ4e0bBM/FCRitzpUnvM0inbRIQDtb7PUUQ1V6wXfJMq2PJNj1YN2LmWe2OXc12LSCLqerzYOca9Fd+UXF0wwIAPz+IMoZAhY7dEdilsiuHzYjkAYTD0iokHhsnK7X4GAcECaI96VpCDwElAF6dLrcoKkskq1QG4Rsx5wSUT2D9ysQCVd404/bBoanqQ0A0dn0GSP14wPhSt7Xn0Vd2Z/feNH+yf4T8voJsJyRTv1lEHvCQk9hN4A4+cFgMB9/ePmtJV5nToDSZ6nifwzEe5EACQgPTbTOwNhCYmo53l447CC1Yzej2T1g0u9nv+Snh364smzOWKwH2z8Y91+1kqexiKzUfgDpFr5gUWn+cFv7cKDm2a8tnOkoQqVlm2kg6x0yeavqBsu0kPQA1VDK5ZzJAUtQRs2ERUW5yGV7TXvVAPG7FWUDBwGgi77P0JLz4GFxMymFSKk10FV2euJp/S8HEnUP0oX9k3LtTpcmkiUH0x7x6aN6j2ilQl
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB5915.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(66476007)(6916009)(83380400001)(71200400001)(66556008)(38100700002)(66946007)(4326008)(66446008)(7696005)(86362001)(316002)(55016003)(33656002)(8676002)(966005)(26005)(8936002)(76116006)(122000001)(53546011)(508600001)(6506007)(64756008)(186003)(52536014)(2906002)(5660300002)(9686003)(38070700005); DIR:OUT; SFP:1101;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9PR08MB6081
Original-Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT013.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: e869eb87-c8d2-40ba-4989-08d9d9c8cf10
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: pObkLGzkki7rG8inw6jwgzsAgxpchGkqMy6v6YIg3VGhAKdMh/Lx0JaVpjzH979DQIq/W8zC5lw7KUkBgsA95rYE3DWqWDvx6kn+/Bn4xk5CyeAlfWEHxPedznEIAMXVE2RcOMh9MKLSt4DmWGHzdRdVR4vI3ZJcqd23s1wogFfYZemnRK9HUmn3VFzu7Urck87j6NrYpev4dEGPf7mWqi05wFVCXft6OCpD4fRGWhdDb4KXjmLgHNAtCxqw5TvZGpMn0kW5yasNk59ZivUSiBJRRnxe6+KtmSQB1i8gl53I/lXld/i+IHosJPZUbu8XBTuaoTyUz5+1AvZ9Ld96TUAm57aG2Wtf52jKGCQbPfl8/ieRn45w+wiECRBrUKRdgx9aHgaYUfJ3xsmEfIhlBYUpajTbL65ZdpeD8w0+vw2UzLBeKjNbqqjARjvMFWviTx2dlsQYNnW2J5rajNAFkpzDt+ahlbcvb9tN1I3jocF3eS/T20irMXnboNGn3f+aC3iqyvjoWKCqUWq8sN1XhxridU/+GXhmVT+5z7oxDjdfTlNjeJW2EZf1yneCmMdmjUMAy4YU7Prq6xByTOf8Jkyrs0gP11bVOQVbSt8fnQGe3iAfl9kKD/Ko6v6WF3RCHLH610ALpVTbi1gKqvZ9HJ/9J/zt9Qi04CQdSL7Jgown9AyPW6ocIyC/MkJdCa79u29IeV09wOQI3DUNhJEK/ZA5r1LprFARDJ37qMtaAAyQo594OkN+Sq+m59Dx06Re7dBtSPpVW3GjiPEvrGkMJLC74CKozFYN4KvdzTU+mAJ91F4WAsOBy8JlIVw83OB2
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(46966006)(36840700001)(52536014)(6506007)(5660300002)(4326008)(53546011)(82310400004)(55016003)(9686003)(47076005)(86362001)(36860700001)(356005)(26005)(316002)(966005)(186003)(81166007)(33656002)(508600001)(2906002)(70206006)(7696005)(6862004)(70586007)(336012)(8936002)(83380400001)(8676002); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Jan 2022 14:51:22.0108 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: ba41e81a-4402-47b5-4e36-08d9d9c8d3ea
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: VE1EUR03FT013.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR08MB3498
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/Jyn9IX79GFjgrtWcrtgXACJCy0Q>
Subject: Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jan 2022 14:51:34 -0000

Thanks for the detailed comments, Ilari.

Let me provide comments below:

-----Original Message-----
From: ilariliusvaara@welho.com <ilariliusvaara@welho.com>
Sent: Monday, January 17, 2022 12:19 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: cose@ietf.org
Subject: Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01

On Mon, Jan 17, 2022 at 09:36:34AM +0000, Hannes Tschofenig wrote:
>
> with draft-ietf-cose-hpke-00 I have submitted the draft version that
> was subject to the working group call for adoption. John and Goeran
> provided feedback already and suggested to re-use the algorithm
> registry created by HPKE.
>
> In https://github.com/cose-wg/HPKE/blob/main/draft-ietf-cose-hpke.txt
> the proposed -01 version can be found.
>
> Please have a look at it and let me know if the proposed changes are
> inline with the suggestions.

In can make little sense of the way HPKE is used.

- Why are the symmetric and asymmetric parts of HPKE split into two
  different layers? The whole point of HPKE singleshot mode is to
  combine them.

[Hannes] We are adding another layer to allow for additional use cases.
The use case is to encrypt a payload once for different recipients.

- The layer 1 algorithm is specified as COSE encryption algorithm,
  but for actually performing the encryption/decryption, one needs
  HPKE AEAD ID.

[Hannes] Layer 2 uses the KEM algorithms from Section 7.1 of the HPKE spec:
https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hpke-12#section-7.1

Layer 1 uses the COSE algorithms instead of the algorithms in Section 7.3 of the HPKE spec
https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hpke-12#section-7.3


  * How is the mapping between the two done?
  * If new AEAD is added to HPKE, does one also have to register COSE
    algorithm for it?

  Embedding the registry would mean 5 byte algorithm identifiers, as
  there is just not enough space with smaller ones (need continuous
  block of 65534 (sic) algorithm ids).


[Hannes] It is possible to re-use the AEAD ID values from the HPKE spec instead of the corresponding COSE algorithms.
However, there is not much of variation between the AEAD algorithms in COSE vs. the HPKE spec.



- Recipients at layer 1 are specified as one-or-more. AFAICT, more than
  one recipient here makes absolutely no sense.

[Hannes] It makes sense if you consider the use of firmware encryption. There, you want to have one CEK to encrypt the firmware image but multiple recipients.


- The algorithm ID at layer 2 needs new registrations to take advantage
  of new HPKE algorithms. This especially inclures KEMs, which are one
  of the most important extension points (post-quantum!).

[Hannes] By re-using the HPKE registry the idea was to re-use new KEMs as they come along.



- Decomposing the keys at layer 2 needs code changes to support new
  KEMs. Which likely can not be nontrivially decomposed anyway.

  However, currently HPKE does not have compact NIST curves, which
  allows space saving via decomposition.

  Compromise might be to embed the registries (both may be jointly
  embededed into 5 byte algorithm identifier) and have special values
  for decomposed stuff (and shorthands for X25519/X448).[1]

  If both KEM and KDF can be sepcified, the KDFs SHOULD be matched.

[Hannes] There is obviously a downside to the re-use of the HPKE registry, as you point out.
Splitting the registry into two appears quite complex to me. Adding new KEMs will, of course, require code changes.
We should indeed think carefully whether this registry re-use offers enough benefits to do it.

- HPKE is different enough that I think both new kty and a new
  operational mode are justified (I can make very little sense of
  existing operational modes).

[Hannes] We are currently only using the base mode from the HPKE spec and utilize the COSE capabilities for authentication.
The kty is used to describe the encapsulated key and there is no difference in the keys.


- Doing HPKE with two layers with cose_encrypt, easily extends to
  doing HPKE in cose_encrypt0: The only difference is directly operating
  on the plaintext instead operating on the CEK. The limitation is
  only having one recipient.

[Hannes] If the group wants a variant of COSE-HPKE that supports hybrid public key encryption for a single recipient only then I will, of course, do it.
However, it is not clear to me whether this few additional bytes justify the extra variant. More variants = more complexity.

Ciao
Hannes

[1]

E.g.:

- algid=-1 is like algid=0x00010010, but key is compressed like in C509.
- algid=-2 is like algid=0x00020011, but key is compressed like in C509.
- algid=-3 is like algid=0x00030012, but key is compressed like in C509.
- algid=-4 is alias for algid=0x00010020 (X25519 with SHA-256).
- algid=-5 is alias for algid=0x00030021 (X448 with SHA-512).


-Ilari
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email