Re: [COSE] [jose] HPKE PartyU / PartyV
AJITOMI Daisuke <ajitomi@gmail.com> Sat, 23 March 2024 06:26 UTC
Return-Path: <ajitomi@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CEAFC14F60F for <cose@ietfa.amsl.com>; Fri, 22 Mar 2024 23:26:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JLsRwnJtVTb6 for <cose@ietfa.amsl.com>; Fri, 22 Mar 2024 23:26:44 -0700 (PDT)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 552C2C14F60E for <cose@ietf.org>; Fri, 22 Mar 2024 23:26:44 -0700 (PDT)
Received: by mail-yb1-xb30.google.com with SMTP id 3f1490d57ef6-dcbf82cdf05so2668450276.2 for <cose@ietf.org>; Fri, 22 Mar 2024 23:26:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711175203; x=1711780003; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=izSkojrOeEkOV55T7P9iSKb02QhvCGmlFLiHJ0Mdx5A=; b=O5oCV7XXta/b6E3xFgJAsAJr0cOb7TJjvmYUu/3GT+voDw/MsVZ4SKP+i1uvfId8XV kPfW9God5lulDVM/WIfyk3w62h9HXmAittpcqoOMe64C6fbjYegNAk/JunDg8U86/xhM SP2RCLsEkrVKbm01ozg+UckehHaaGKwZntGpCpcfVCO8z7AWHVNQJfe7kdV67Yj1gIr2 BfyW+Q7qHb9vTs1HnWShCysdoO7DRALWr8ChH7IcN4rwG8pGiV8vueHZ7cXtcp1y4VNT gM/RnxkQD3h4tWrXFuR9UQyj9dn4M2IbM15kipiKPBWiWPvfsC9Ny3J+PQbbPsmc9EP9 EL/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711175203; x=1711780003; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=izSkojrOeEkOV55T7P9iSKb02QhvCGmlFLiHJ0Mdx5A=; b=sVav/rmnI0MstK0ZESDmFidiZJt6EnG296LCzoiAcR5ErdP0ZpVLn/qe03KufCKDSH dbyBIcBBuHhHXQMJbR51QEK07hd70MjCyZ5ybgeWZPUaaNv9SxlHxFNEF3Ddr85XubrD 3SX0G8FcXlHSZSn4kU2Qi66bLpqulYaArUI/UbYuzC18MxfgGgnd/61OEI5XypPlOMcR 23ybBpXGsHnYisG1ElaFX12MM9yQOqXP6QvKl/JBkL5VPvTKJq0OSAQUQmsAbQLjhK3i 78aRvaPhN2XUC57xGMtyaQ8LMqevte4zzwgdGddU0a/7zt12hke3VWpKw3hgcUzZt9lX ig3A==
X-Gm-Message-State: AOJu0YwDiaZLwGsmVcW/IsegzqZBpuo+efzGJpDpErYQJ3qQKFkQtZsO 7RUuzX1V8c7+PwQwpRf7lanl86utdfqj5iEeoLNKliZCwbUp0nRln7//R2NzA3qJtX/p25Rkd/H U1FGDUP0g7lbIMPctb96Mms7uLpVaYvrgEg==
X-Google-Smtp-Source: AGHT+IFJm/ej0hc+VcRGrvLLZz6aa/J9IDsna2jTmFf46zeZXi43t2PAg1UyXIjaIcbXW/izY2E8iH3kUGqOh0LC158=
X-Received: by 2002:a25:874e:0:b0:dc6:dc58:8785 with SMTP id e14-20020a25874e000000b00dc6dc588785mr1102446ybn.62.1711175203091; Fri, 22 Mar 2024 23:26:43 -0700 (PDT)
MIME-Version: 1.0
References: <Zfa0cauyJ0n2uRkI@LK-Perkele-VII2.locald> <CAFWvErWGBVHJp5gDfTQdxSsQKpkFcnw34kbKiadgqXB6ewX==g@mail.gmail.com> <Zff4A40zh_--tIWr@LK-Perkele-VII2.locald> <CAFWvErUaa4hxNmM82HY9mU6TyvWsh-5zAtDXO4r4qoqEfvxwOA@mail.gmail.com> <3732594D-ECA8-4BA3-9CFC-4E4E6E88D13A@island-resort.com> <CAFWvErXkcV8prWVTF=VLRZtin9wA1Z8+DPkopQxvDzqTepZ1ZA@mail.gmail.com> <A1D2BF92-68FE-4E67-A420-D19D55AD6C99@island-resort.com> <CAFWvErWo11A--1Nkkv8p7JkF+xCPD66hVxJa8CTU+nO74cbCrA@mail.gmail.com> <2FC023C9-9091-4C9C-A2C7-350945C04B23@island-resort.com> <CAN8C-_KgZmFMkg_GsF0YgzgS+jCJKWAOZdytZKVwgbirrDUc_Q@mail.gmail.com> <Zf1jjGx2ZimgRqAD@LK-Perkele-VII2.locald> <CAFWvErVR6CSTd6bxRyTXWpib3jyjOWwdvDnprBOwPSed8GSDVA@mail.gmail.com> <B9B41D94-6708-491B-8551-5D504B8D8339@island-resort.com> <CAFWvErWKs0gzfvPymsOGfQXjMuAQRUJNaodvVfAbUWiwbuNMwg@mail.gmail.com> <CAN8C-_JhbNqZLO1ig9t2ShcWK1p7RbvHsuQw6hJQkJScfir29g@mail.gmail.com> <CAFWvErX5XR3n=wJ83EgZ3DzZmCwznaLVU1Qtre=Bq6Nu205_Gw@mail.gmail.com>
In-Reply-To: <CAFWvErX5XR3n=wJ83EgZ3DzZmCwznaLVU1Qtre=Bq6Nu205_Gw@mail.gmail.com>
From: AJITOMI Daisuke <ajitomi@gmail.com>
Date: Sat, 23 Mar 2024 15:26:32 +0900
Message-ID: <CAFWvErWeRJ5qSaVD4T=dhgE7-zEio3D1xS7OTAZ+3OMRoxgqbw@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000021031f06144e0607"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/efEOZe0Yk9d31cq1zOjQxSjjRhc>
Subject: Re: [COSE] [jose] HPKE PartyU / PartyV
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2024 06:26:49 -0000
> > ... in that attack, an attacker is a legitimate sender/recipient. > The attacker adds A128CBC to alg at layer0, and also adds A128CBC to > next_alg at layer1, and sends a victim the ciphertext to reveal the target > AEAD ciphertext block. > I've realized that this assumption is quite absurd. I'm starting to think that, as I originally thought, we don't have to worry about the lamps attack in the context of two-layer COSE-HPKE. Anyway, I will stop discussing this topic on the mailing list. Daisuke 2024年3月23日(土) 14:34 AJITOMI Daisuke <ajitomi@gmail.com>: > The solution to the attack is ... to cause a different CEK to be derived >> if the next algorithm changes. > > > Agreed. > > The solution to the attack is to cause decryption of the CEK to fail when >> the next alg changes, .... > > > My understanding is that this cannot be a solution to the lamps attack, > because in that attack, an attacker is a legitimate sender/recipient. > The attacker adds A128CBC to alg at layer0, and also adds A128CBC to > next_alg at layer1, and sends a victim the ciphertext to reveal the target > AEAD ciphertext block. > > Hmm, am I making some big misunderstanding here? > > The discussion has become too complicated, so I would like to pause it on > the mailing list for now. I also want to organize my thoughts a bit more > and write my ideas on the GitHub issue. > > Daisuke > > > > > 2024年3月23日(土) 9:09 Orie Steele <orie@transmute.industries>: > >> One way to assure yourself of the attack is to implement it. >> >> You don't need HPKE to convince yourself of it, at any point where you >> decrypt a content encryption key, and then apply it to the enc structure at >> layer 0, and you choose the algorithm from the layer 0 header or from >> external information... Imagine the attacker has changed this, or a service >> has misconfigured the algorithm that will be used. >> >> The result of AES-CBC will be garbled, but it will contain information >> about the CEK. >> >> The solution to the attack is to cause decryption of the CEK to fail when >> the next alg changes, or to cause a different CEK to be derived if the next >> algorithm changes. >> >> OS >> >> >> >> On Sat, Mar 23, 2024, 9:35 AM AJITOMI Daisuke <ajitomi@gmail.com> wrote: >> >>> Laurence, sorry, I just want to understand why next_alg can protect >>> against the lamps attack to two-layer COSE-HPKE. >>> >>> Unfortunately, currently no algorithm that takes a key (as opposed to >>>> giving a key) can protect the algorithm at next layer. >>> >>> >>> >>> Ilari, I interpreted what you said as meaning that there is no algorithm >>> for encrypting (wrapping) the layer0 keys at layer1, including COSE-HPKE, >>> that can prevent the lamps attack. Am I mistaken? >>> If I was mistaken, could you tell me how the next_alg can specifically >>> protect against the lamps attack to the algorithms that takes a key? >>> >>> > Could you tell me specific attack methods or threats? >>> >>> This is the question I posted previously, and I found a threat myself. I >>> thought there might be a slight possibility for a lamps attack to succeed >>> if the victim can accept both A128CBC and A128GCM as content encryption >>> algorithms at Layer0 and uses the same CEK for both algorithms. However, >>> the next_alg is only bound to the key wrapping the CEK and cannot affect >>> the CEK itself. Therefore, it doesn't seem like a meaningful measure since >>> it can't limit the reuse of the CEK. >>> >>> Am I missing something? >>> >>> Daisuke >>> >>> 2024年3月23日(土) 7:01 lgl island-resort.com <lgl@island-resort.com>: >>> >>>> >>>> On Mar 22, 2024, at 6:44 AM, AJITOMI Daisuke <ajitomi@gmail.com> wrote: >>>> >>>> Unfortunately, currently no algorithm that takes a key (as opposed to >>>>> giving a key) can protect the algorithm at next layer. >>>> >>>> >>>> Ilari is talking about algorithms like AES Key Wrap, not what HPKE >>>> Seal() provides and not ECDSA. >>>> >>>> I agree. The content_encryption_alg (next_alg) cannot be a >>>> countermeasure to the lamps attack on KAwKW(-29, etc.) and two-layer >>>> COSE-HPKE. >>>> >>>> >>>> next_alg (or better content_encryption_algorithm can be used to protect >>>> COSE-HPKE and probably also protect -29 if applied correctly. >>>> >>>> Of course, it is effective against the attack on direct KeyAgreement >>>> (-25, etc.) and I think it's much better than COSE_KDF_Context. >>>> >>>> I believe what we should consider is only whether non-AEAD algs should >>>> be prohibited at layer0 or not. >>>> I think it would be better to be prohibited if possible. >>>> >>>> >>>> Daisuke, it looks to me that you are the only one that continues to >>>> argue this. Also, nothing you’ve said has created any doubts for me. >>>> Respectfully, I’m not going to respond to your arguments any more unless >>>> something very substantially changes. >>>> >>>> LL >>>> >>>> _______________________________________________ >>> COSE mailing list >>> COSE@ietf.org >>> https://www.ietf.org/mailman/listinfo/cose >>> >>
- Re: [COSE] HPKE PartyU / PartyV Ilari Liusvaara
- [COSE] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV Neil Madden
- Re: [COSE] [jose] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV Orie Steele
- Re: [COSE] [jose] HPKE PartyU / PartyV Ilari Liusvaara
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV lgl island-resort.com
- Re: [COSE] [jose] HPKE PartyU / PartyV AJITOMI Daisuke