IETF Logo Mail Archive

Re: [COSE] [jose] HPKE PartyU / PartyV

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 25 March 2024 09:42 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D53FAC14F6B8 for <cose@ietfa.amsl.com>; Mon, 25 Mar 2024 02:42:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qNHQBeG6FWZc for <cose@ietfa.amsl.com>; Mon, 25 Mar 2024 02:42:52 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62C1FC14F685 for <cose@ietf.org>; Mon, 25 Mar 2024 02:42:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id CB51843D96 for <cose@ietf.org>; Mon, 25 Mar 2024 11:42:42 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id n_yPgpWFl3tM for <cose@ietf.org>; Mon, 25 Mar 2024 11:42:42 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 9DC912309 for <cose@ietf.org>; Mon, 25 Mar 2024 11:42:41 +0200 (EET)
Date: Mon, 25 Mar 2024 11:42:41 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>
Message-ID: <ZgFHETkHxGevTsY5@LK-Perkele-VII2.locald>
References: <CAN8C-_KgZmFMkg_GsF0YgzgS+jCJKWAOZdytZKVwgbirrDUc_Q@mail.gmail.com> <Zf1jjGx2ZimgRqAD@LK-Perkele-VII2.locald> <CAFWvErVR6CSTd6bxRyTXWpib3jyjOWwdvDnprBOwPSed8GSDVA@mail.gmail.com> <B9B41D94-6708-491B-8551-5D504B8D8339@island-resort.com> <CAFWvErWKs0gzfvPymsOGfQXjMuAQRUJNaodvVfAbUWiwbuNMwg@mail.gmail.com> <Zf8N0hhwhhFJuFlI@LK-Perkele-VII2.locald> <AF75EFD3-F7FF-4F64-830F-E69B1C250335@island-resort.com> <Zf_3ssDYfnEh1qIW@LK-Perkele-VII2.locald> <2EA56DC2-D0B4-4BCA-9149-0C348B16E4D0@island-resort.com> <CAN8C-_K4ndbbOUg6JShf5psgLwjJdAPnXsVTKVPvjGUenBEX4A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAN8C-_K4ndbbOUg6JShf5psgLwjJdAPnXsVTKVPvjGUenBEX4A@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/hRPFUITlEoAgxZwW_MWDJlOlOKg>
Subject: Re: [COSE] [jose] HPKE PartyU / PartyV
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2024 09:42:54 -0000

On Sun, Mar 24, 2024 at 05:49:37PM -0500, Orie Steele wrote:
> Essentially, every case where we use COSE KDF context to derive a key that
> does not commit to the content encryption algorithm, we would need to use a
> new context that did commit to the content encryption algorithm, and we
> would want to deprecate all the algorithms that were vulnerable to the
> cross mode attack at the same time.

Unfortunately, that would mean deprecating some algorithms with no
replacement (mainly Key Transport and Key Wrap class).


Doing what CMS did would work as well.

Basically, add new header parameter (I call it "pcm" for Per-Cipher
Material):

- Specifies a KDF to apply.
- Derives the key to use for symmetric algorithm from input key.
- If base iv is required, also derives that.
- There is no explicit key length, so recipient algorithm MUST NOT
  be Direct Key Agreement or Direct Key with KDF.
- The KDF context looks something like:

  * context: tstr
  * depth: uint/null (null for COSE_Encrypt0)
  * alg: int/tstr (from headers)
  * salt: bstr (from headers)
  * keyflag: bool (true for keys, false for iv)
  * length: uint (number of bytes of key material).


This would also be useful for using Direct Key for bulk encryption.
Currently, there is no great way to do that in COSE (all AEAD algorithms
are unsafe, AES-KW is very slow, and dir+KDF is another layer).


> We might as well fully specify the new entries at that rate as well.
> 
> ECDH-ES+A128KW+A128GCM
> ECDH-ES+HKDF-256+A128GCM
> 
> Or fully specified:
> 
> ECDH-ES-P384+A128KW+A128GCM
> ECDH-ES-P384+HKDF-256+A128GCM
> 
> That's a lot of work, and certainly belongs in a separate draft, which I
> would be happy to review, but probably don't have time to author at this
> point.

A fundamental assumption in COSE is that algorithms can be mixed and
matched in any way that has sensible keyflow.

This would break that assumption, making this extremely bad idea.




-Ilari

v2.23.0 | Report a Bug | By Email