IETF Logo Mail Archive

Re: [COSE] Other things from COSE_KDF_Context

"lgl island-resort.com" <lgl@island-resort.com> Wed, 13 March 2024 20:45 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FDB6C14F70E for <cose@ietfa.amsl.com>; Wed, 13 Mar 2024 13:45:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dNp5DxhRkPeA for <cose@ietfa.amsl.com>; Wed, 13 Mar 2024 13:45:42 -0700 (PDT)
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (mail-mw2nam10on2111.outbound.protection.outlook.com [40.107.94.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F765C14F6EC for <cose@ietf.org>; Wed, 13 Mar 2024 13:45:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZPxo3Uis69CqHP3Liqqn+RgxxyQcCVmb9322Ili4Re2vng79BSzd3Y2BMd4Gs/4WXFjmyaYXUBFQDyZB/Ah5ORIywPbCBdiMj9K0vMVVlXSHPpgrIZW4LEiQkPv3Khek0pFP6KXluSMaCeGlpr20o36g6IOA9FnPcZ5BG39jMOvr1MeIrBNQ5ltJOWLzBbmXfTzqMC3ll5jKaDyXn1YeEmtmk1cfIhtg1ViXF08ui7h0u/S3VzywaKfciVNobxYUqPnNx5RR5yYk8IR7Hg2Pc6ACl++rA3Z1j/FAKv9h0NFeYM4QxMgBJ/k/eSC0gkUEeqTySr/Hm0NPM9oo+Tjb9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GCdEFqOxxdPudrD0/GUUwwGZuHUDMgI0g2X1qfJgDTI=; b=jAdZtZEcoAiHVcs+dHqTCOleEtxjxjnfh5QiuKoo/heMiSmDO0LYg9bHkM2ALROln7pHMujOHlmSZGWLEeGKNP8VYUa/rbzrASX1uI1/nGOYw/LpN6tAgoTldrMr5/K+xJnfFuZxSFUVBAmG+qLMMXGzOEgxG/zCNt2dJAJkHkMPa/yLNSBUjxfdMSaxB2woXdeRkipAbjYiuHN3x3qYTkGOLOG4tC3sGutVe7lJnskSzqwrIgE59uox/STrttF2m2MpDmtIN27xlG9DRiXWpTBuuJda7RVI1UoVHxQgvcci7mOetK0f4REdgsU9XN64dIBCSuxmMYz+wJBgC2bMSg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=island-resort.com; dmarc=pass action=none header.from=island-resort.com; dkim=pass header.d=island-resort.com; arc=none
Received: from PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8) by SN4PR22MB2886.namprd22.prod.outlook.com (2603:10b6:806:209::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7362.36; Wed, 13 Mar 2024 20:45:39 +0000
Received: from PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::1cab:7344:221c:bb8e]) by PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::1cab:7344:221c:bb8e%5]) with mapi id 15.20.7362.035; Wed, 13 Mar 2024 20:45:39 +0000
From: "lgl island-resort.com" <lgl@island-resort.com>
To: Orie Steele <orie@transmute.industries>
CC: cose <cose@ietf.org>
Thread-Topic: [COSE] Other things from COSE_KDF_Context
Thread-Index: AQHadYIyMiUEpA1LoU6aiiVuXrQlZbE2HQGAgAAGvQA=
Date: Wed, 13 Mar 2024 20:45:39 +0000
Message-ID: <F7811C3B-84BC-441A-A507-91275951118C@island-resort.com>
References: <3654F1C8-1BF7-4645-B2D8-8CD6D27E187B@island-resort.com> <CAN8C-_KwuOjUp6NhKOE5mthgUKdjDJkdskfJo6q5hg_81P3Ttg@mail.gmail.com>
In-Reply-To: <CAN8C-_KwuOjUp6NhKOE5mthgUKdjDJkdskfJo6q5hg_81P3Ttg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=island-resort.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH7PR22MB3092:EE_|SN4PR22MB2886:EE_
x-ms-office365-filtering-correlation-id: b01ff7cb-d659-4c3d-28b9-08dc439e8ad3
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: bAU5puPyzhA6GUfGk5cAafztrJjibmGTcSpz7JchtIRBCmbUE36BhfKj+r3Scn/7HnRiOkdcp9fbgwbVLjGJkGW6SLnmztEjQiT1l6cO4Bu5MFDLt+zYi6cXVHo3081tNvouvXws2/8gdC/SPOWbQCJpFYgIpMgsTp6cNpGiwMWn5dmEcGxsY1MjmFuCTjx3AKiIyapBP5x8esPNBYlkfRovdlTYsFECWkzMwanrd1Q07X4h3C+RBDKx6kLV3YTUbB1zxP2MlJMilD5YjTla/mBtc9EwHVLRQZqkAJvHsibqUz1DZJOIQA4ewj0C4oRw+BpzgAV3qQRgFoX1QFPOmgUCWWurBCRrx1558pvlCN4FBxAfH1FzcMwZCi33tI8dMrTsKjV5M/ovmhwyLDY56VmdWfONUosrCzr/R46NwPRQQY7UoH2ppIqkeai+m9hMmKeFGF38keC01vhlg8ySnQ5E8YsGZVIuJBgckNHzwXMnprmhfk8HDQRpm1kiszUm1RlCDT8icoQGF19Br65qgo0+5euqUSGi1fovwRTgF8iuD65F/5lMh0+hoRkdj7ZYKoskr1y+0dsfRBga65LdkJ0wuJdx9/+rYD+p+dlo4HsvXleEhYt4/Nd0y8zca/J1MBKnR0xdt6XhxKJdKIzZd4mq6Gqv0m+a3pa/M7R3FNA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH7PR22MB3092.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376005)(1800799015)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 6KyzDwh7o1vMvBXvgrox5P1THAk/TUM5eXjJyd10iQvcC4kG/pQuy+AzDgSPPSpt9i/xMx6IfR/bYEDwIGiwLEXhijwH5zQ6yucKfTuFWE4CYclIHlNReS24RTp0aqok+VhCFthpRkkR3MmccKltgtDKZgkl4/SY1jx2OhHpQtJiAMRq1fr2HGSCWO4zIkZ9GtRg0Dz+ir0ZwxnTH9UnWuXIzza1QLnGVKmBjXkbDpWhbMNWqMYxxpzCgManMxUSHdyucZZ1J4qejPxJftKCOrVPq1k0V5V5aAU/9fSC0Y1QsBym+7yfm5nT6Ikak4+27b9EveuSIwyA38ZznWRKgSepP1NmyOcqDEBE6tqgyPX1XhnfNX61r/80zuI7YZcOOitnaUtGuX70yen7PYzc0EGQHXJE443l4AKBE4fbCSjr9LL2RCOskKXaAosNLgS7ZB/watuZB2ggUrsWvsFADJC3j00N9nFe3aqZw+fRqxnuSxAqo2NxGOHENxPdFde4AfJSm1zUUv/jSxsT/+11i5MhCu7K/ZAh5jyY8GasZBc37+lmDNR22QeBF0dz3mI/e4Uifq0/0NCTrMAsTjr4BcdwXurU8Ct2VpLT0SPW7NOcLkmjOTN7/HXavG3dN76O/fgxkl6cha3CCv38vxCI0QiRGo+ILxk7OWOBSHhAlrvB8nCYMSAauFJtsI3/CdU53igDWkMPh6aeJIxoSozkVWUjMuWYwFA/GhuyQoQp3mQ6AvynkgTy6oBZzwZ2+sML5rQwyPHUzN3AYQGuFWmVXOIkoQ/qcPVMIve0LgUKvJgA4ShZ8JHcBIHxQWTrtEjPMj+D8rc37da4svMPKvHbMq0ZL2UHw09/JdgRkWEsV+dJay+xjJJQKwhKd5G13zrcYpvkwlvnM9l67A5q6pJRfQV7Pbpgya+lIq4SgSIhwgPYR/mySjlQRn1yZqVkodSpIvIct5dwMATLMaCBZv7TnqgJxJf9XkhVnL/Sdk747/4git7LBNB3/mindAjDBAiVn0z1eUyr4tkcO7KyhLId4Hp3KBXMQBoGmHm5NKyjIXWtW83ml0zTlC7XbqsbKK1gD2yauUUSAAefUtyWLHvO6HcD5o3oN6TRQjkxmyJxfnW34GP6lmXoXtm/Elk+JEyvkcJsgzVINDBSugH1wFzgEx9+TM+h+fa/4tmulmGa+8iopZe0VPb+HnLWdir3NC9ygPqioign68tuNJQXSskXa39F/Kc10vKxQbEPq84sFmeiHqaW/aPNCqAzAoIzR47Mwt7nGGqfIhpYH9XhpGCpAWjHg3ugJSaQmuuedgNXAf8YgBnlv8kYuoOoMWfoQstUuOVrHGl1Z4T1LBzW2NCWfuatygzVx9h/A7Y9u1cnCAzJF/Gk3gwY79zOCQgGBDX0nlVCRFNcxiObCeZ8Rjw9hAHLkO168Zwmds+SKDDmyWhNCuirzg8R4oXGHkz5BpmoAZ9TZq9SZkozvYlBnmPoXDkw+Iv/tiyOGYMyl4uooqWRsxWlLxTxED2ERABovq36TeETHP5QfIaVFRTkC2KiLxInDibfvf7GJ0SifJCXPZIaPX/bLCfM9aEWlBKW5sjXiS4xZo9egevRgTAIwzjs4w==
Content-Type: multipart/alternative; boundary="_000_F7811C3B84BC441AA50791275951118Cislandresortcom_"
MIME-Version: 1.0
X-OriginatorOrg: island-resort.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH7PR22MB3092.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b01ff7cb-d659-4c3d-28b9-08dc439e8ad3
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2024 20:45:39.2125 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ad4b5b91-a549-4435-8c42-a30bf94d14a8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2Ib5YR/WBo+CdK/ugyznijA7z4i4nZENDzDjyP0rhZfm7wADz9QUyog48lHf5zOuxWMk3T3m8iBokHzAl4lAuQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN4PR22MB2886
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/T4ylD9-bPMf2BcMyhiRauB5-wqA>
Subject: Re: [COSE] Other things from COSE_KDF_Context
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2024 20:45:46 -0000

Yes, two categories for COSE_KDF_Context, public and private. We can add a field to Enc_structure for private and use headers for public.

The salt from 9053 section 5 is not part of COSE_KDF_Context, but it is part of the KDF context. That probably wasn’t clear from my first message. There’s also an *unprotected* header for it. It is not input to the processing as a header, but rather as a direct input to the KDF function itself.

To be more clear about the salt, I think it’s fully outside of COSE_KDF_Context and we don’t have to consider it in that discussion. Further, I don’t think we need to consider it in COSE-HPKE either, because HPKE internals do the job of the salt in 9053 section 5.

LL


On Mar 13, 2024, at 1:21 PM, Orie Steele <orie@transmute.industries> wrote:

Seems there are 2 categories of information you are considering.

Public information in the protected headers (top level and recipient level).

Private information, that might be passed as external aad to the enc structure.

I think it's a nice property of enc structure, that the extensibility of the protected headers, can be used for additional context.

We might be concerned if that structure gets very large, and given we are talking about encryption it's also important to warn users about putting sensitive information in the protected headers.

OS


On Wed, Mar 13, 2024, 3:08 PM lgl island-resort.com<http://island-resort.com/> <lgl@island-resort.com<mailto:lgl@island-resort.com>> wrote:
In getting rid of COSE_KDF_Context, it seems important to be sure we’re not leaving anything useful or important out.

Generally, it seems like we have a general mechanism by adding new header parameters that can cover a lot because they end up in the Enc_structure and then as input AAD to Seal().

In the side discussions at the San Francisco IETF (Russ, Hannes,…) I recall consensus that COSE_KDF_Context.SuppPubInfo.other should be set to a fixed app/use-case identifier like "Xxxx Firmware Encryption”. As part of getting rid of COSE_KDF_Context for COSE-HPKE, we should provide an option to do this.

Seems like the usual two possibilities::
- New header parameter, perhaps “Usecase Context”?
- Add it to Enc_structure (or the recently proposed Rec_structure)


RFC 9053 also allows the input of a salt into the KDF. That would not be covered by a new header parameter that gets passed to Seal as AAD. I’m not too worried about this for HPKE, because I think HPKE covers that internally, but it might be retained for a replacement for -29.

LL
_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email