Re: [COSE] Consensus on cryptographic agility in modern COSE & JOSE
Laurence Lundblade <lgl@island-resort.com> Sun, 26 March 2023 00:16 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A2A9C151B13; Sat, 25 Mar 2023 17:16:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Level:
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MpMsXKHMb5CB; Sat, 25 Mar 2023 17:16:51 -0700 (PDT)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on20708.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e89::708]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A22CC151547; Sat, 25 Mar 2023 17:16:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bmJ8zddgVVgVI/gBvpN6R/6ZLTbcKEY+B0qAAU8zFL1wUVG3qDvt5iPXKharD8EvaOKWQKn4rLdEFR5yVKDwMvY7LEyIpZCqEVnd8q85cileOaiVfScvq0E7vxoWqa5pV+FwIgJQnJ179hK2n6D/GsoCO2m1MnhdU7xoQRDmCdrpHq1cVq2nqlLy0G1E3a7c8bDw/wSxYt3cIK3NG1MDFAE0TIsc1Lng698wxCsGX+XkD9Weew/VThuCDfUJ+9KtFIAV9w+WpGVP76b0ZsSHnEsonYCFl3NGojsSUq55bmXqyhu11SpA7kkJY7XEW4cMxpj911ARAMjEX/6dnld26Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=QpLyZjDMCnG+JTRDpnVAqPNlr+YOB4zVlzUJrITKTUM=; b=diye8MSVXVcfDkqYgAAWNGq4+bhkUMJUs7LNfSwH/USSBvP2T9Ti1uiklPk671uQzCX7u8DsnJpX1ODlh7oQYwbLpKeGuAxGl3JOOlDOaompbt4476L6fSmo9wKGqdCTJ7dYtqIl9+I7YR/K+DeIrClBZrAPieaUjiqHNgUBGhnHogkBdnPBqGx/bUjI7LPvt8ZzqfkZoyD+FHsK+8wRkliHbvD4k0sTjcVdV5lZc+bn2i83Iv2r/4TMdSyBcxcJwYyqbp2AhLcPwZcfxmEu5UBGKUiSgdpbhAXtcXCBFFle5Hi3B3bNl+T8XhuihpwotXRcASsqj+igtQffdM0x+A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=island-resort.com; dmarc=pass action=none header.from=island-resort.com; dkim=pass header.d=island-resort.com; arc=none
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=island-resort.com;
Received: from PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8) by SN4PR22MB3355.namprd22.prod.outlook.com (2603:10b6:806:21b::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6178.38; Sun, 26 Mar 2023 00:16:47 +0000
Received: from PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::1aae:283a:d7b:3d58]) by PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::1aae:283a:d7b:3d58%4]) with mapi id 15.20.6178.041; Sun, 26 Mar 2023 00:16:47 +0000
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <4F8B7AF5-C822-4ED2-8B2B-B01A3E92C100@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_148DE813-49AE-4339-8C1D-A04DE7A08FA2"
Date: Sun, 26 Mar 2023 09:16:38 +0900
In-Reply-To: <CAN8C-_KqEbX10mE=3sNWAJoWUkb8OSG9mDJ82XNaZHBwKNtrYg@mail.gmail.com>
Cc: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
To: Orie Steele <orie@transmute.industries>
References: <CAN8C-_KqEbX10mE=3sNWAJoWUkb8OSG9mDJ82XNaZHBwKNtrYg@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-ClientProxiedBy: MN2PR06CA0008.namprd06.prod.outlook.com (2603:10b6:208:23d::13) To PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: PH7PR22MB3092:EE_|SN4PR22MB3355:EE_
X-MS-Office365-Filtering-Correlation-Id: 8f71cd1e-26df-4a82-c300-08db2d8f6325
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: sUfx4fkO2bRi2NTSQ38/BUjfqUjRggkn5/5mubCc2tIMQbZg2pQaijEJ0aWvR15Rz9RMLJn2Fc5GMcnLxrrAOqUkACEtTTU/rOpt4Ny0txotu7l3/8L0n5+bBY/8dfT4GS+HvXsrbGCbXdMV2uuV4sV3rjY56Mnu49juye2L6mj4UEULeAEtSO+YC8HYO3BKIGTJSuPsIpMefdqgVMrlZ5Yf4B26tWkkxNHhQzmoyhc9kEmrDHURophbKLstKTZl+dktkecPT/gsX26UeT1z26EOIbZ1VncT8IuEH+/ccJdquJuppnYnpEQLbEkoDr2c1qzvVyQVZruqHzFh0sb0zYWUwMoLmkOE55WeMH2kqwca2VRUZB96mtII/7y3uhQE635fCUOeJqX7Jfrbt/VgQgRJzlZGpxGYdiFihDE51H43MfmClmStcdheXDV1TB6OJAWyhlUFU523CIqad59Bj36Vd3jxLF31zEkjcCl7dMGx4iikRizdhxGaTQTfFv6iPSuo6JOjGg3r3c+S+C5xUyD7vdYHttEAkzx/gjsgweqDd6N9Lvb5eibtZoE0SlByFTilercvSY6xWhPHeRcmn9/aJVNgOir2LQwk6wTkjS5CuLLP/boKPaojk+JSZM89k3TzNZTB1IQ2U80SOLSBwEisukMnqSWYA9MFo86ZVP0=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH7PR22MB3092.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(366004)(396003)(39830400003)(136003)(376002)(346002)(451199021)(1690799014)(5930299015)(6916009)(30864003)(33964004)(166002)(2616005)(33656002)(26005)(6486002)(66476007)(66946007)(316002)(53546011)(66556008)(4326008)(36756003)(6512007)(478600001)(966005)(41300700001)(8676002)(38100700002)(83380400001)(2906002)(5660300002)(86362001)(15974865002)(54906003)(8936002)(38350700002)(6666004)(52116002)(186003)(6506007)(45980500001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: b9IHfV0Ozym5RaidKHL5TvRNb50MPPLHRuBKMew4vJNxeJ9u4lyydCBYiuw5rREKhzWtyjFTO+Ub3csM8nE6HgWREKvk3s8suKvu6cEZHVteWrnyQIu8TiFQvfKO9HnsXq/S4D41EFoYQRgDYG1lM4ZPitq+Y8+DYHVRuHekkSB0c1G65zBktAW3YcHlwjbastDLoVfJ/V7JS6jJOEfcUkZ/XqAv3xFKHxjNpW53PpGwY+vnGGP8IjiC+8iwmh7MHmy9VOaGPfiWnN+5HQWaXgM72kEBxUoy6F6+p6yHDAIheyzRydwgM5fcpbcNP8DF9o+6Y4VcCZzjMX41EXeW43FBtW+bxEA2/S2tTi1XfXqdTQ45mNupmdKx7nHMXEXC27xRikXpHHcSetP/1fkFBfeb7bzEsrBS97EFlSJfjfmSEq9h5ApjoFaL2FDh+FIMiahs6tFA2CiltfGB0g5yGv7dMalB/HPosaHUWvYW8IEmZOj082cUmgqtOdfyolSyDZrP1DQAI2sW5fQr63l38vxFC5bWlKbGRu50iJJcQQQSoWSoFrZ1GjL9G0i18gNhjYRGkFaxsMUKNxYK8HOhPDUzbqw7yFqo8x63zQ3hof7ztsriDY+WZN5itcnrPwbnjAqhpIaFtkwBTLUxmD13e1dlGUCYSWH4feC5LmyyES2dlTGEARHIXE0Wn5SICAqx5eX0cGIA0Oc3hbouy8fvqlyps51lY30ULgFeU+f4XEMPRgRGmxW9LI+cEMqoaCSzaXJ+Tiqkv6nds5SvP76xv6cCqeT49sLEKFdNU+67IFg/Nc2lio+o6WyTPJ8S1roYMjZy8YPcGZI/bDteOFeUm1fhRcd7Ffw0qdjzggdiUGi5Up02ury2x4s4NOCVxAFRQlBION7hqSvovN5HiUQYQ/Ht/116I9DMlDTV/EfJYkNYcBDPYnjeJ6WdRJVkqlQ2tJ2AIEAsl0tO+P36EbafuQemySI7CjX7QBQYtJJaf8eU0yVsDgG2GwoZlrmeAbRRU64ZBghk/sTP5jIN86dlWHcxderGC3iT+NbYN/zfp6/OEyolVbaZGx3c70xwyMj9PheNz/KG6V7GMV564+HJg5ZLwnzxaT4yHpu6+smNZZh5ePcnbOBrb6c2QRbWHXFuZ2zOnFafhXfBirE14VrNojBEkNexP+Wkqeb4n6RrZCXfw3QroQDSd5uTDvmNGtrvXa6PlKFpqvvzSF2qFiF5/ZNCJgLF2+rKbNtLLwIT7H6RrQ3exfGxVbxjLBldI7cLl3cOftzIWMwEY+THIp0iSF+HQd7OHy7mc+L6AD0miWoFMozLvoVz9/lOiqVzPoPRbyZN9Y3rDymrom0L5o3r90+xl4EcouYANypSL4NcKpi+3KZ0R6ZLoPbhbiGprn41Efx7jgiwkfsbuHvcWDaHrVoH2+6AMxKdDHw3TUslgsKdnvzQuGXvede/gJfYW+lOTJlbazRBxk0ierU4Hibr96F6IAwskDiWUcxe/OAQqs77SBR1syp0RcL+CE/tGHgLd6c4n+3Bb36nNcRj0pooxeQbRnBw7/CmfU5X0e8kUU7QbdSQEpUiUbtXXYHcBiEi
X-OriginatorOrg: island-resort.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8f71cd1e-26df-4a82-c300-08db2d8f6325
X-MS-Exchange-CrossTenant-AuthSource: PH7PR22MB3092.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Mar 2023 00:16:47.1611 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: ad4b5b91-a549-4435-8c42-a30bf94d14a8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: J3VHDGHS6/Aq4qK+q1jqmXbUZIBZwwKfuJgI5tYqAzl3vGmJW4ni9ZVOw9x/q4sd936FrIpKPln4Odc33Dt36Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN4PR22MB3355
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/M-3W_1EuDjAui1t77u4JIo0MeIY>
Subject: Re: [COSE] Consensus on cryptographic agility in modern COSE & JOSE
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Mar 2023 00:16:55 -0000
Hi Orie, I dunno about the new/old thing. CMS/PKCS is old and it doesn’t use ciphersuites. :-) I took COSE’s use of ciphersuites to be new and enlightened because: - Only a small percentage of the fan out is sensible - Us experts limit the choices to the sensible ones making it easier for non-expert deployment - Fewer bytes on the wire and a little less code - Much smaller test and validation fan out. For example https://github.com/gluecose/test-vectors will be much larger without suites If one part of a ciphersuite is found to be weak, you don’t throw out the whole car, you just make one or two new suites, which is not that much more work. In my experience the transition away from MD-5, SHA-1 and RSA has been mostly about the ability to do SW update of deployed systems. If you’ve got data at rest secured with broken algorithms you’re gonna have to do a major data conversion operation. If you’ve got HW acceleration or HW enclaves, you’ll have to replace devices in the field. All these make the choice here look a bit insignificant to me, so I’m not too worried about it going one way or the other here. I don’t know much about PQ yet. Maybe something is different there? LL > On Mar 26, 2023, at 7:33 AM, Orie Steele <orie@transmute.industries> wrote: > > Friends, > > Recently I have had a lot of conversations regarding cryptographic agility. > > My goal in sending this message to the list is to attempt to gather what consensus may exist within IETF on the subject. > > The topic is difficult, because many people think certain forms of agility are "good" and others are "bad"... > and the answers are often inconsistent across subject matter experts. > > So far, I have learned of basically 2 camps. > > The "low agility, named cipher suite" camp, where primitives, parameters and algorithm are all combined into a named algorithm, such as ES256, which uses ECDSA on secp256r1 with sha256, or ECDH-ES+A256KW, which internalizes a KDF > > The "high agility, parameterized algorithm" camp, where the algorithm is fixed, but all its parameters and primitives are exposed, typically in registries dedicated to the "fixed algorithm", they are not meant to be "used with other algorithms". HPKE is an example of this, kem, kdf, aead, each are bound to "HPKE", they are not meant to be used by other algorithms, and unlike ES256, ECDH-ES+A256KW, HPKE is only a meaningful name when these parameters are supplied along with it. > > Because time is a factor in all cryptography and standards work, it is easy to generalize these 2 camps as "the old way" and "the new way"... but I wonder if that is wise to do, or if there is something special about HPKE or encryption that implies "the new way" is not meant to be taken for other "new work", such as digital signatures. > > It is worth noting that if the KDF or hash function is broken and you picked "the old way"... you might end up needing to do a lot more work than simply moving to a new registry entry for KDF or hash function... During that time, bad stuff could be happening in all the places where the broken cipher suite was deployed... You might also be forced to do this work because of the regular lifetime of cryptographic primitives... This could be interpreted as a "higher maintenance" cost for "the old way", you are forced to throw out the whole car, because 1 part is no longer safe to use. > > The main motivation for this question comes from work I have collaborated on regarding post quantum key and signature representations for JOSE and COSE. > > - https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/ <https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/> > - https://datatracker.ietf.org/doc/draft-ietf-cose-falcon/ <https://datatracker.ietf.org/doc/draft-ietf-cose-falcon/> > - https://datatracker.ietf.org/doc/draft-ietf-cose-sphincs-plus/ <https://datatracker.ietf.org/doc/draft-ietf-cose-sphincs-plus/> > > I also explored applying the same approach to kyber: > > - https://datatracker.ietf.org/doc/draft-steele-cose-kyber/ <https://datatracker.ietf.org/doc/draft-steele-cose-kyber/> > > ^ these are all in the style of "the old way"... they try to make use of "alg" and internalize parameters and primitives into a single useful name, for example "CRYDI5" uses dilithiums's parameter set 5, "SPHINCS+256f" uses sphincs's parameter set 256f. > > Perhaps an example of "the new way", can be found in: > > - https://datatracker.ietf.org/doc/draft-ajitomi-cose-cose-key-jwk-hpke-kem/ <https://datatracker.ietf.org/doc/draft-ajitomi-cose-cose-key-jwk-hpke-kem/> > > In section 4.1, the kty is "HPKE-KEM", but this is meaningless without "hkc", which is the key configuration, which defines the parameters that are allowed for the key, a single kem id, and an array of kdf and aead identifiers. > > It is a bit awkward to compare key design for kems and digital signatures, and yet, I think developers will hope for some consistency in the post quantum key representations, even if there are no examples like P256 that is used for both ECDSA and ECDH-ES. > > Just for the sake of argument, let us imagine an HPKE inspired Dilithium key with hash before sign (a made up additional agility parameter): > > { > kty: "HPKS", // similar to HPKE, useless without parameters / configuration > hkc: { // like HPKE Key Configuration, but for "Hybrid Public Key Signature Key Configuration" > parameter_set: CRYSTALS-Dilithium parameter set 5 // like kem id, bound to pub / priv. ... REQUIRED > digests: [ shake256, sha256 ] // like kdfs, aeads not bound to pub / priv ... OPTIONAL > // are there other parameters that are internalized in "the old way", that you can think of that would go here? > } > pub: ..., // public key, but more obvious than x > priv: ... // private key, but more obvious than d > } > > Similar to EdDSA with Ed25519, it would be annoying to use sha256 here, since dilithium uses shake256 internally, (EdDSA uses sha512 internally). > > Do we need to make something like HPKE, but for keys for signatures, something like HPKS? > > What happens to the old registry entries and old key formats if we fully embrace "the new way"? > > Should post quantum keys use "the old way" or "the new way" or "both / it depends" ? > > As an author on the post quantum signatures work, what else should I be doing to make sure the drafts reflect the "best path forward"? > > Regards, > > OS > > -- > ORIE STEELE > Chief Technical Officer > www.transmute.industries > > <https://www.transmute.industries/> > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose
- [COSE] Consensus on cryptographic agility in mode… Orie Steele
- Re: [COSE] Consensus on cryptographic agility in … Laurence Lundblade
- Re: [COSE] [jose] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [COSE] [jose] Consensus on cryptographic agil… AJITOMI Daisuke
- Re: [COSE] [jose] Consensus on cryptographic agil… Manu Sporny
- Re: [COSE] [jose] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [COSE] [jose] Consensus on cryptographic agil… AJITOMI Daisuke
- Re: [COSE] [jose] Consensus on cryptographic agil… Manu Sporny
- Re: [COSE] [jose] Consensus on cryptographic agil… Manu Sporny
- Re: [COSE] [jose] Consensus on cryptographic agil… Orie Steele
- Re: [COSE] [jose] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [COSE] [jose] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [COSE] [jose] Consensus on cryptographic agil… Tobias Looker