IETF Logo Mail Archive

Re: [COSE] [jose] HPKE PartyU / PartyV

Orie Steele <orie@transmute.industries> Sat, 23 March 2024 00:09 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E40C2C151091 for <cose@ietfa.amsl.com>; Fri, 22 Mar 2024 17:09:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id USHoy1VMPOJ1 for <cose@ietfa.amsl.com>; Fri, 22 Mar 2024 17:09:54 -0700 (PDT)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9657DC151086 for <cose@ietf.org>; Fri, 22 Mar 2024 17:09:54 -0700 (PDT)
Received: by mail-pg1-x535.google.com with SMTP id 41be03b00d2f7-5ce07cf1e5dso1585606a12.2 for <cose@ietf.org>; Fri, 22 Mar 2024 17:09:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1711152594; x=1711757394; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3qK+DHYhrKMWENkxsP4ogjwr/LHjt4etzx71OaUG9zk=; b=Utmn7foF5qCxT6TzOZD/xEhUh1EZCd6HFtYf76aqmc4ARMw7NyhxBZA4Fy+J8e+NAe M/OCvGZvefZ13W0VA8a9RBVeSG/ByJfnAcj4Gf0LSG+D7rCVlCnOJw1w6jS61R1N0z1E V6Ym0awHm5ZscDw5o/XLa/835H5tBjxzm+TFjMwxWYHcDZkrJWcbpbsxLQjVN0NA/CBG SgEO+PsyDkF5NZO3nn/Ub8LvKegLZItc9RuT6I7kzZg3FGE6wt7HMVgczeYTezHOpHFJ KDKw2P32TxcC00myfqJabEh2M4yLYj3WvV4KZ8gntr1iDxY+jXP0nZCqFjpZwWkFeRgT 4epQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711152594; x=1711757394; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3qK+DHYhrKMWENkxsP4ogjwr/LHjt4etzx71OaUG9zk=; b=orqPGYBRAZ6MRrwT4H7J1a6RcULPtwRQEqrY4u+uwdvBMjgO/M5KaacOKG1PsBBWj7 bVCnsRKjFc2aBCwOg+G6E1giBKPcaEtrA5qe2MIuz40tpOkNKmScfyO2VAvENDKAh4rX Bl6Z76yqSiVuM3vJ1wXhYBI84W9UZ0iAAs806Gmy9Pe61lc6WCS/vyOPvso+NBHNuLNK sRhHRiVNz18R+4gM9R2TE1ME1Zni+9Uvzl/bMIORk0bPzsM8VTVfQnNNn1YszJ48ziGC 5kcUPETuUJtknL45/tT+amTNtuxohuHCJE6S29GULvlzZ3l/q3Sj++UIvbG9wEfTlG9+ fPrA==
X-Forwarded-Encrypted: i=1; AJvYcCVdvw5uQhGMm7HdJTsGkQVAqW0V040oPD9Ynq+fKv0nM5fBceFmo25LACgSV1RMQat5UVVU9pBe7EGCWHkD
X-Gm-Message-State: AOJu0YwJWmbqQzoXn560olJRjS7wraEQWXKev5Y8Q/JiFnXrEHA6I98q 7pppdRXr0A5tEB5jETpZUbpmj/de3AAu7cDsbA4FRpQ65JvUw3tcBth0Pi8C/BiF0DPr1EB+xlC 8Cdz3u0e8TKC5DnOvRGTgRKlhhFJkUDQyf0QJGFEclEHz1bFskN55aQ==
X-Google-Smtp-Source: AGHT+IHxIsYFz4j5Xve8rU7Vc+fRA/2t/zmUVSeGe7XBz36P0/8gie5szjR4IYvPbpheXDHPL5IN8fkoGyt02jj86H8=
X-Received: by 2002:a05:6a20:d38c:b0:1a3:6833:1ccb with SMTP id iq12-20020a056a20d38c00b001a368331ccbmr1646749pzb.40.1711152593753; Fri, 22 Mar 2024 17:09:53 -0700 (PDT)
MIME-Version: 1.0
References: <Zfa0cauyJ0n2uRkI@LK-Perkele-VII2.locald> <CAFWvErWGBVHJp5gDfTQdxSsQKpkFcnw34kbKiadgqXB6ewX==g@mail.gmail.com> <Zff4A40zh_--tIWr@LK-Perkele-VII2.locald> <CAFWvErUaa4hxNmM82HY9mU6TyvWsh-5zAtDXO4r4qoqEfvxwOA@mail.gmail.com> <3732594D-ECA8-4BA3-9CFC-4E4E6E88D13A@island-resort.com> <CAFWvErXkcV8prWVTF=VLRZtin9wA1Z8+DPkopQxvDzqTepZ1ZA@mail.gmail.com> <A1D2BF92-68FE-4E67-A420-D19D55AD6C99@island-resort.com> <CAFWvErWo11A--1Nkkv8p7JkF+xCPD66hVxJa8CTU+nO74cbCrA@mail.gmail.com> <2FC023C9-9091-4C9C-A2C7-350945C04B23@island-resort.com> <CAN8C-_KgZmFMkg_GsF0YgzgS+jCJKWAOZdytZKVwgbirrDUc_Q@mail.gmail.com> <Zf1jjGx2ZimgRqAD@LK-Perkele-VII2.locald> <CAFWvErVR6CSTd6bxRyTXWpib3jyjOWwdvDnprBOwPSed8GSDVA@mail.gmail.com> <B9B41D94-6708-491B-8551-5D504B8D8339@island-resort.com> <CAFWvErWKs0gzfvPymsOGfQXjMuAQRUJNaodvVfAbUWiwbuNMwg@mail.gmail.com>
In-Reply-To: <CAFWvErWKs0gzfvPymsOGfQXjMuAQRUJNaodvVfAbUWiwbuNMwg@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Sat, 23 Mar 2024 09:58:34 +1000
Message-ID: <CAN8C-_JhbNqZLO1ig9t2ShcWK1p7RbvHsuQw6hJQkJScfir29g@mail.gmail.com>
To: AJITOMI Daisuke <ajitomi@gmail.com>
Cc: "lgl island-resort.com" <lgl@island-resort.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000081f4d9061448c22b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/atNhD0s32QC9tlynmWTh6lh1o0Q>
Subject: Re: [COSE] [jose] HPKE PartyU / PartyV
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2024 00:09:59 -0000

One way to assure yourself of the attack is to implement it.

You don't need HPKE to convince yourself of it, at any point where you
decrypt a content encryption key, and then apply it to the enc structure at
layer 0, and you choose the algorithm from the layer 0 header or from
external information... Imagine the attacker has changed this, or a service
has misconfigured the algorithm that will be used.

The result of AES-CBC will be garbled, but it will contain information
about the CEK.

The solution to the attack is to cause decryption of the CEK to fail when
the next alg changes, or to cause a different CEK to be derived if the next
algorithm changes.

OS



On Sat, Mar 23, 2024, 9:35 AM AJITOMI Daisuke <ajitomi@gmail.com> wrote:

> Laurence, sorry, I just want to understand why next_alg can protect
> against the lamps attack to two-layer COSE-HPKE.
>
> Unfortunately, currently no algorithm that takes a key (as opposed to
>> giving a key) can protect the algorithm at next layer.
>
>
>
> Ilari, I interpreted what you said as meaning that there is no algorithm
> for encrypting (wrapping) the layer0 keys at layer1, including COSE-HPKE,
> that can prevent the lamps attack. Am I mistaken?
> If I was mistaken, could you tell me how the next_alg can specifically
> protect against the lamps attack to the algorithms that takes a key?
>
> > Could you tell me specific attack methods or threats?
>
> This is the question I posted previously, and I found a threat myself. I
> thought there might be a slight possibility for a lamps attack to succeed
> if the victim can accept both A128CBC and A128GCM as content encryption
> algorithms at Layer0 and uses the same CEK for both algorithms. However,
> the next_alg is only bound to the key wrapping the CEK and cannot affect
> the CEK itself. Therefore, it doesn't seem like a meaningful measure since
> it can't limit the reuse of the CEK.
>
> Am I missing something?
>
> Daisuke
>
> 2024年3月23日(土) 7:01 lgl island-resort.com <lgl@island-resort.com>:
>
>>
>> On Mar 22, 2024, at 6:44 AM, AJITOMI Daisuke <ajitomi@gmail.com> wrote:
>>
>> Unfortunately, currently no algorithm that takes a key (as opposed to
>>> giving a key) can protect the algorithm at next layer.
>>
>>
>> Ilari is talking about algorithms like AES Key Wrap, not what HPKE Seal()
>> provides and not ECDSA.
>>
>> I agree. The content_encryption_alg (next_alg) cannot be a countermeasure
>> to the lamps attack on KAwKW(-29, etc.) and two-layer COSE-HPKE.
>>
>>
>> next_alg (or better content_encryption_algorithm can be used to protect
>> COSE-HPKE and probably also protect -29 if applied correctly.
>>
>> Of course, it is effective against the attack on direct KeyAgreement
>> (-25, etc.) and I think it's much better than COSE_KDF_Context.
>>
>> I believe what we should consider is only whether non-AEAD algs should be
>> prohibited at layer0 or not.
>> I think it would be better to be prohibited if possible.
>>
>>
>> Daisuke, it looks to me that you are the only one that continues to argue
>> this. Also, nothing you’ve said has created any doubts for me.
>> Respectfully, I’m not going to respond to your arguments any more unless
>> something very substantially changes.
>>
>> LL
>>
>> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>

v2.23.0 | Report a Bug | By Email