IETF Logo Mail Archive

Re: [COSE] [jose] HPKE PartyU / PartyV

AJITOMI Daisuke <ajitomi@gmail.com> Sat, 23 March 2024 06:26 UTC

Return-Path: <ajitomi@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CEAFC14F60F for <cose@ietfa.amsl.com>; Fri, 22 Mar 2024 23:26:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JLsRwnJtVTb6 for <cose@ietfa.amsl.com>; Fri, 22 Mar 2024 23:26:44 -0700 (PDT)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 552C2C14F60E for <cose@ietf.org>; Fri, 22 Mar 2024 23:26:44 -0700 (PDT)
Received: by mail-yb1-xb30.google.com with SMTP id 3f1490d57ef6-dcbf82cdf05so2668450276.2 for <cose@ietf.org>; Fri, 22 Mar 2024 23:26:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711175203; x=1711780003; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=izSkojrOeEkOV55T7P9iSKb02QhvCGmlFLiHJ0Mdx5A=; b=O5oCV7XXta/b6E3xFgJAsAJr0cOb7TJjvmYUu/3GT+voDw/MsVZ4SKP+i1uvfId8XV kPfW9God5lulDVM/WIfyk3w62h9HXmAittpcqoOMe64C6fbjYegNAk/JunDg8U86/xhM SP2RCLsEkrVKbm01ozg+UckehHaaGKwZntGpCpcfVCO8z7AWHVNQJfe7kdV67Yj1gIr2 BfyW+Q7qHb9vTs1HnWShCysdoO7DRALWr8ChH7IcN4rwG8pGiV8vueHZ7cXtcp1y4VNT gM/RnxkQD3h4tWrXFuR9UQyj9dn4M2IbM15kipiKPBWiWPvfsC9Ny3J+PQbbPsmc9EP9 EL/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711175203; x=1711780003; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=izSkojrOeEkOV55T7P9iSKb02QhvCGmlFLiHJ0Mdx5A=; b=sVav/rmnI0MstK0ZESDmFidiZJt6EnG296LCzoiAcR5ErdP0ZpVLn/qe03KufCKDSH dbyBIcBBuHhHXQMJbR51QEK07hd70MjCyZ5ybgeWZPUaaNv9SxlHxFNEF3Ddr85XubrD 3SX0G8FcXlHSZSn4kU2Qi66bLpqulYaArUI/UbYuzC18MxfgGgnd/61OEI5XypPlOMcR 23ybBpXGsHnYisG1ElaFX12MM9yQOqXP6QvKl/JBkL5VPvTKJq0OSAQUQmsAbQLjhK3i 78aRvaPhN2XUC57xGMtyaQ8LMqevte4zzwgdGddU0a/7zt12hke3VWpKw3hgcUzZt9lX ig3A==
X-Gm-Message-State: AOJu0YwDiaZLwGsmVcW/IsegzqZBpuo+efzGJpDpErYQJ3qQKFkQtZsO 7RUuzX1V8c7+PwQwpRf7lanl86utdfqj5iEeoLNKliZCwbUp0nRln7//R2NzA3qJtX/p25Rkd/H U1FGDUP0g7lbIMPctb96Mms7uLpVaYvrgEg==
X-Google-Smtp-Source: AGHT+IFJm/ej0hc+VcRGrvLLZz6aa/J9IDsna2jTmFf46zeZXi43t2PAg1UyXIjaIcbXW/izY2E8iH3kUGqOh0LC158=
X-Received: by 2002:a25:874e:0:b0:dc6:dc58:8785 with SMTP id e14-20020a25874e000000b00dc6dc588785mr1102446ybn.62.1711175203091; Fri, 22 Mar 2024 23:26:43 -0700 (PDT)
MIME-Version: 1.0
References: <Zfa0cauyJ0n2uRkI@LK-Perkele-VII2.locald> <CAFWvErWGBVHJp5gDfTQdxSsQKpkFcnw34kbKiadgqXB6ewX==g@mail.gmail.com> <Zff4A40zh_--tIWr@LK-Perkele-VII2.locald> <CAFWvErUaa4hxNmM82HY9mU6TyvWsh-5zAtDXO4r4qoqEfvxwOA@mail.gmail.com> <3732594D-ECA8-4BA3-9CFC-4E4E6E88D13A@island-resort.com> <CAFWvErXkcV8prWVTF=VLRZtin9wA1Z8+DPkopQxvDzqTepZ1ZA@mail.gmail.com> <A1D2BF92-68FE-4E67-A420-D19D55AD6C99@island-resort.com> <CAFWvErWo11A--1Nkkv8p7JkF+xCPD66hVxJa8CTU+nO74cbCrA@mail.gmail.com> <2FC023C9-9091-4C9C-A2C7-350945C04B23@island-resort.com> <CAN8C-_KgZmFMkg_GsF0YgzgS+jCJKWAOZdytZKVwgbirrDUc_Q@mail.gmail.com> <Zf1jjGx2ZimgRqAD@LK-Perkele-VII2.locald> <CAFWvErVR6CSTd6bxRyTXWpib3jyjOWwdvDnprBOwPSed8GSDVA@mail.gmail.com> <B9B41D94-6708-491B-8551-5D504B8D8339@island-resort.com> <CAFWvErWKs0gzfvPymsOGfQXjMuAQRUJNaodvVfAbUWiwbuNMwg@mail.gmail.com> <CAN8C-_JhbNqZLO1ig9t2ShcWK1p7RbvHsuQw6hJQkJScfir29g@mail.gmail.com> <CAFWvErX5XR3n=wJ83EgZ3DzZmCwznaLVU1Qtre=Bq6Nu205_Gw@mail.gmail.com>
In-Reply-To: <CAFWvErX5XR3n=wJ83EgZ3DzZmCwznaLVU1Qtre=Bq6Nu205_Gw@mail.gmail.com>
From: AJITOMI Daisuke <ajitomi@gmail.com>
Date: Sat, 23 Mar 2024 15:26:32 +0900
Message-ID: <CAFWvErWeRJ5qSaVD4T=dhgE7-zEio3D1xS7OTAZ+3OMRoxgqbw@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000021031f06144e0607"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/efEOZe0Yk9d31cq1zOjQxSjjRhc>
Subject: Re: [COSE] [jose] HPKE PartyU / PartyV
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2024 06:26:49 -0000

>
> ... in that attack, an attacker is a legitimate sender/recipient.
> The attacker adds A128CBC to alg at layer0, and also adds A128CBC to
> next_alg at layer1, and sends a victim the ciphertext to reveal the target
> AEAD ciphertext block.
>

I've realized that this assumption is quite absurd. I'm starting to think
that, as I originally thought, we don't have to worry about the lamps
attack in the context of two-layer COSE-HPKE.
Anyway, I will stop discussing this topic on the mailing list.

Daisuke

2024年3月23日(土) 14:34 AJITOMI Daisuke <ajitomi@gmail.com>:

> The solution to the attack is ... to cause a different CEK to be derived
>> if the next algorithm changes.
>
>
> Agreed.
>
> The solution to the attack is to cause decryption of the CEK to fail when
>> the next alg changes, ....
>
>
> My understanding is that this cannot be a solution to the lamps attack,
> because in that attack, an attacker is a legitimate sender/recipient.
> The attacker adds A128CBC to alg at layer0, and also adds A128CBC to
> next_alg at layer1, and sends a victim the ciphertext to reveal the target
> AEAD ciphertext block.
>
> Hmm, am I making some big misunderstanding here?
>
> The discussion has become too complicated, so I would like to pause it on
> the mailing list for now. I also want to organize my thoughts a bit more
> and  write my ideas on the GitHub issue.
>
> Daisuke
>
>
>
>
> 2024年3月23日(土) 9:09 Orie Steele <orie@transmute.industries>:
>
>> One way to assure yourself of the attack is to implement it.
>>
>> You don't need HPKE to convince yourself of it, at any point where you
>> decrypt a content encryption key, and then apply it to the enc structure at
>> layer 0, and you choose the algorithm from the layer 0 header or from
>> external information... Imagine the attacker has changed this, or a service
>> has misconfigured the algorithm that will be used.
>>
>> The result of AES-CBC will be garbled, but it will contain information
>> about the CEK.
>>
>> The solution to the attack is to cause decryption of the CEK to fail when
>> the next alg changes, or to cause a different CEK to be derived if the next
>> algorithm changes.
>>
>> OS
>>
>>
>>
>> On Sat, Mar 23, 2024, 9:35 AM AJITOMI Daisuke <ajitomi@gmail.com> wrote:
>>
>>> Laurence, sorry, I just want to understand why next_alg can protect
>>> against the lamps attack to two-layer COSE-HPKE.
>>>
>>> Unfortunately, currently no algorithm that takes a key (as opposed to
>>>> giving a key) can protect the algorithm at next layer.
>>>
>>>
>>>
>>> Ilari, I interpreted what you said as meaning that there is no algorithm
>>> for encrypting (wrapping) the layer0 keys at layer1, including COSE-HPKE,
>>> that can prevent the lamps attack. Am I mistaken?
>>> If I was mistaken, could you tell me how the next_alg can specifically
>>> protect against the lamps attack to the algorithms that takes a key?
>>>
>>> > Could you tell me specific attack methods or threats?
>>>
>>> This is the question I posted previously, and I found a threat myself. I
>>> thought there might be a slight possibility for a lamps attack to succeed
>>> if the victim can accept both A128CBC and A128GCM as content encryption
>>> algorithms at Layer0 and uses the same CEK for both algorithms. However,
>>> the next_alg is only bound to the key wrapping the CEK and cannot affect
>>> the CEK itself. Therefore, it doesn't seem like a meaningful measure since
>>> it can't limit the reuse of the CEK.
>>>
>>> Am I missing something?
>>>
>>> Daisuke
>>>
>>> 2024年3月23日(土) 7:01 lgl island-resort.com <lgl@island-resort.com>:
>>>
>>>>
>>>> On Mar 22, 2024, at 6:44 AM, AJITOMI Daisuke <ajitomi@gmail.com> wrote:
>>>>
>>>> Unfortunately, currently no algorithm that takes a key (as opposed to
>>>>> giving a key) can protect the algorithm at next layer.
>>>>
>>>>
>>>> Ilari is talking about algorithms like AES Key Wrap, not what HPKE
>>>> Seal() provides and not ECDSA.
>>>>
>>>> I agree. The content_encryption_alg (next_alg) cannot be a
>>>> countermeasure to the lamps attack on KAwKW(-29, etc.) and two-layer
>>>> COSE-HPKE.
>>>>
>>>>
>>>> next_alg (or better content_encryption_algorithm can be used to protect
>>>> COSE-HPKE and probably also protect -29 if applied correctly.
>>>>
>>>> Of course, it is effective against the attack on direct KeyAgreement
>>>> (-25, etc.) and I think it's much better than COSE_KDF_Context.
>>>>
>>>> I believe what we should consider is only whether non-AEAD algs should
>>>> be prohibited at layer0 or not.
>>>> I think it would be better to be prohibited if possible.
>>>>
>>>>
>>>> Daisuke, it looks to me that you are the only one that continues to
>>>> argue this. Also, nothing you’ve said has created any doubts for me.
>>>> Respectfully, I’m not going to respond to your arguments any more unless
>>>> something very substantially changes.
>>>>
>>>> LL
>>>>
>>>> _______________________________________________
>>> COSE mailing list
>>> COSE@ietf.org
>>> https://www.ietf.org/mailman/listinfo/cose
>>>
>>

v2.23.0 | Report a Bug | By Email