IETF Logo Mail Archive

Re: [COSE] [jose] HPKE PartyU / PartyV

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 23 March 2024 17:14 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75EC5C151710 for <cose@ietfa.amsl.com>; Sat, 23 Mar 2024 10:14:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S6rpbDuHRkVn for <cose@ietfa.amsl.com>; Sat, 23 Mar 2024 10:13:59 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32181C15170B for <cose@ietf.org>; Sat, 23 Mar 2024 10:13:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 927FD14A88 for <cose@ietf.org>; Sat, 23 Mar 2024 19:13:55 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id uSRVLEE5EF0s for <cose@ietf.org>; Sat, 23 Mar 2024 19:13:55 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 654967A for <cose@ietf.org>; Sat, 23 Mar 2024 19:13:54 +0200 (EET)
Date: Sat, 23 Mar 2024 19:13:54 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>
Message-ID: <Zf8N0hhwhhFJuFlI@LK-Perkele-VII2.locald>
References: <3732594D-ECA8-4BA3-9CFC-4E4E6E88D13A@island-resort.com> <CAFWvErXkcV8prWVTF=VLRZtin9wA1Z8+DPkopQxvDzqTepZ1ZA@mail.gmail.com> <A1D2BF92-68FE-4E67-A420-D19D55AD6C99@island-resort.com> <CAFWvErWo11A--1Nkkv8p7JkF+xCPD66hVxJa8CTU+nO74cbCrA@mail.gmail.com> <2FC023C9-9091-4C9C-A2C7-350945C04B23@island-resort.com> <CAN8C-_KgZmFMkg_GsF0YgzgS+jCJKWAOZdytZKVwgbirrDUc_Q@mail.gmail.com> <Zf1jjGx2ZimgRqAD@LK-Perkele-VII2.locald> <CAFWvErVR6CSTd6bxRyTXWpib3jyjOWwdvDnprBOwPSed8GSDVA@mail.gmail.com> <B9B41D94-6708-491B-8551-5D504B8D8339@island-resort.com> <CAFWvErWKs0gzfvPymsOGfQXjMuAQRUJNaodvVfAbUWiwbuNMwg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAFWvErWKs0gzfvPymsOGfQXjMuAQRUJNaodvVfAbUWiwbuNMwg@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/QaElDjAiEPPlhcSyel3aMxl3Nes>
Subject: Re: [COSE] [jose] HPKE PartyU / PartyV
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2024 17:14:01 -0000

On Sat, Mar 23, 2024 at 08:35:32AM +0900, AJITOMI Daisuke wrote:
> 
> Ilari, I interpreted what you said as meaning that there is no algorithm
> for encrypting (wrapping) the layer0 keys at layer1, including COSE-HPKE,
> that can prevent the lamps attack. Am I mistaken?
> If I was mistaken, could you tell me how the next_alg can specifically
> protect against the lamps attack to the algorithms that takes a key?

My point was that no _existing_ algorithm does so. And some of the
existing algorithms can not even be modified to do so. Having insecure
algorithms is a major problem.

CMS is in the same situation. And because CMS allows unauthenticated
content encryption, the solution they picked (add KDF step before
content encryption) is the only possible one.


> > Could you tell me specific attack methods or threats?
> 
> This is the question I posted previously, and I found a threat myself. I
> thought there might be a slight possibility for a lamps attack to succeed
> if the victim can accept both A128CBC and A128GCM as content encryption
> algorithms at Layer0 and uses the same CEK for both algorithms. However,
> the next_alg is only bound to the key wrapping the CEK and cannot affect
> the CEK itself. Therefore, it doesn't seem like a meaningful measure since
> it can't limit the reuse of the CEK.

_If_ key management algorithm is aad-capable, adding next_alg to aad is
an easy way to make decryption fail if attacker alters algorithms.

However, the problem is that COSE explicitly allows aad-incapable key
management algorithms (e.g., Key Transport or the whole section 5.4
stuff). And often there isn't even hacks around that.




-Ilari

v2.23.0 | Report a Bug | By Email