IETF Logo Mail Archive

Re: [COSE] Wire-format ... was RE: Next steps with COSE-HPKE .... was RE: HPKE: Ephemeral public key encoding

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 15 September 2022 19:11 UTC

Return-Path: <prvs=7257ce7973=uri@ll.mit.edu>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CC95C14F73B for <cose@ietfa.amsl.com>; Thu, 15 Sep 2022 12:11:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PX6bScrSF3rB for <cose@ietfa.amsl.com>; Thu, 15 Sep 2022 12:11:04 -0700 (PDT)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F07CC14F734 for <cose@ietf.org>; Thu, 15 Sep 2022 12:11:03 -0700 (PDT)
Received: from LLEX2019-2.mitll.ad.local (llex2019-2.llan.ll.mit.edu [172.25.4.124]) by MX3.LL.MIT.EDU (8.17.1.5/8.17.1.5) with ESMTPS id 28FJAZFs226964 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 15 Sep 2022 15:10:35 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=hmwmKqEjn+DaBBhffVhPG087VgnenQrqL3NeF4CtZzdbSg4ArqU8yH0ViDSPiP7FBVQLMBVO9lkStf00JRCmVmS4GoN1/EfP0BvbLgG6+UqiDcINiTf0P7mrfB+Cp+nsrcQEx2FF2pnSJj615aAqLYKgvs0G9x5kBUIaO5I1IziXhAdwHAqnryk2lANlAtx700MX9hmXmGhv+2GKZc7Bv5KlwnylF5Sl0UyvqGDneIRlR9t+XzF6uxpuNFnNa7KNGj0/d+iZA08TJVlNniWYMPSRb2YHMMQRt06Kdeho48tEUPXAFsMxxVO5R5PKQLnSlYgkafyWr7qvd8Wyt1ckQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=QfavZ3SQCmRDnFBXQYsXQ3eEvdarrTDhIiQRsOu2/eU=; b=xmckmW7f95uV4RObwRKbGhGpj/CZHRClJEWloQnYFla4EVuLQeRFC84o4DiBnddVIKIRiilGiarQnuwxBA0Jn9Ngxfb/cCQOCcplYZ6EIHnPqgp473R/jYVkRPATSItPL8M0+aahyCM6BJ4F+Df49GK0qsiwJHHTAWUJiapzW1H60lGQaCf1ETCE5MpGonNoKs4neotRP6CXNzaxpatY3hKcXfUx6Qqk1kyWrNUVM6/1WtXvByBiiwrvrHM8sxakIodtipY7f8Yp7/q/3FVTp1UAXmWDclxhDLXhDkaomGEnMHmONP9Bja0wiXT/xizw5jUQCFE06X5k1Vahe38jQA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: AJITOMI Daisuke <ajitomi@gmail.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] Wire-format ... was RE: Next steps with COSE-HPKE .... was RE: HPKE: Ephemeral public key encoding
Thread-Index: Adi/rCZ61pKJiPGjRFC9TaiTEIEflwAC/hgAAlb9SwAAB1cvgP//x9MA
Date: Thu, 15 Sep 2022 19:10:57 +0000
Message-ID: <7FDCA4DE-04B8-44B2-93CD-8160D802214F@ll.mit.edu>
References: <AS8PR08MB5911655134AA35BC708058EBFA7D9@AS8PR08MB5911.eurprd08.prod.outlook.com> <CAFWvErWfAYnxYCUMRCOq_w507zS2bB1eQdMXoRkPkwM8q_Pfyg@mail.gmail.com> <DBBPR08MB5915772F9FC22182C4050029FA499@DBBPR08MB5915.eurprd08.prod.outlook.com> <CAFWvErVUDMOwaAhfXOYiSEZnTbYj=+s278gSvGuT06iCdVyD8Q@mail.gmail.com>
In-Reply-To: <CAFWvErVUDMOwaAhfXOYiSEZnTbYj=+s278gSvGuT06iCdVyD8Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.65.22091101
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN0P110MB1419:EE_|BN0P110MB1529:EE_
x-ms-office365-filtering-correlation-id: 54cb915a-0ff0-45b7-1542-08da974e054a
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +s2bPa2psRpINYZxG0LxHtyaFKiaH3G6ou1fdETiXvaWL890QWe/u0+jfRtdgXSK4LMOo55d6/+0dPpu1TSH32fmqIczY45uTacJnXrq0j7KbaO04sCm3ejZE9DEwVmX4CbHxIEL+lSHbRPf7Ta9oO5t5xlxs6mxHuLzpmUt2Wbg1qtbywOJms4ZAyy3OK/BgKBlsF5789Qsnbz6Es+0EeliRV1JcpYrIiJCItNQtlNkiUHmzPogqEmUyk0uUZyFQBFU8GW4CkQy7UaYqxzcfqLepujPrkyTaitw3wHAFAD7lZDYAdD1ub9CS2mOZCxPOhCXmnDZvQ2xEpFwwIs+iOVq0Xg6t/D9Ah039W1JxUqEeEQh6LoiuW5WZsCkBEC/ghjcCXkkOJgHXjozm5GgWa9QoT/viN176IkpNp43BRuo0f5ezSHBA8CPJ6EDST5J3aOp1s5hOI5aW4c/arRMMM8flgrJTKFJeqoo8AYlMO0NeUhvlAagJMtbvyAqgrBdmC79n8gkEQqs71fpZf2LpRIffxNFtsiGqBLI2JHGCpn5ykAUtRuuAYf9OlhbUQFXUtEoG+sE/MRs4V1Njin89xQ9c82eOSj2J7Z8PEucOje90Bn6TZKn3Ej/p3Oz9MM91J3UO+A91U1HH9sIW6SOi6Ar82/Q+ihRvb2xG6EJ8hNiDGvjgJ1BdcY4edj0SOaDf8X9DiKXVWZL9/CeWCNz+UFhKItmXjN2kogdFmMIQl7P2JmKsMO66nL6V+ImeUSy+Iv+ZIBpfs0TG6hWXwBJ7Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(166002)(99936003)(110136005)(122000001)(38100700002)(76116006)(66946007)(66476007)(66446008)(64756008)(66556008)(8936002)(8676002)(86362001)(38070700005)(2616005)(26005)(53546011)(83380400001)(6506007)(186003)(6512007)(966005)(6486002)(5660300002)(71200400001)(75432002)(33656002)(2906002)(498600001)(79850200001)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 5vpahwNZ5DM0kTpB3dvtQPjEebQYAI3s/xDYjdUrDeeSb1ZCgvBAzMzBrjdOalXoEXNUt7IVxVEEqrUshGTSPc0KQO2SExsV3q7gyO8+MTpp/f5AUqAJcW126yd+mq8W+Jpru9mOC39Z++uwQAE2xnEqHCSWXhHPVt5/xtQziwr2oBKx/K5hkUeHRAS6Os3Zm2wgj5Z6jlaW++JBfFZozU6lrqfNeMBVeRTh27iko0rKGAmeyzJknn+IBO+6z6R3rYK/dLUmSp9/+Vrdo8dqQZvf8KuVqyhvHoqjk9Pv9ngqT/y/EJ6njvR4NvH6OgWV79aUF3oiGXJ+00N4jd0JrKLU1VHfuwew5PF9SCXRailoX+oMVxpGRgfSPEzI7EhC+dWIfEODmVlfsjcuablU8Vzqdwg665j2HlgEdf47GCM=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3746099457_2442815306"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 54cb915a-0ff0-45b7-1542-08da974e054a
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Sep 2022 19:10:57.8174 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1529
X-Proofpoint-GUID: EBQQv75H4oDybjPm1LHJ8mchYvrigl_A
X-Proofpoint-ORIG-GUID: EBQQv75H4oDybjPm1LHJ8mchYvrigl_A
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1 definitions=2022-09-15_10,2022-09-14_04,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 bulkscore=0 malwarescore=0 mlxscore=0 phishscore=0 mlxlogscore=999 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000 definitions=main-2209150116
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/iHn0GJQoiRjgO0_9Zs-raAoGrOg>
Subject: Re: [COSE] Wire-format ... was RE: Next steps with COSE-HPKE .... was RE: HPKE: Ephemeral public key encoding
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Sep 2022 19:11:08 -0000

I share Ajitomi-san’s opinion on COSE-HPKE.

 

--

V/R,

Uri

 

There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.

The other is to make it so complex there are no obvious deficiencies.

                                                                                                                                     -  C. A. R. Hoare

 

 

From: COSE <cose-bounces@ietf.org> on behalf of AJITOMI Daisuke <ajitomi@gmail.com>
Date: Thursday, September 15, 2022 at 14:33
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "cose@ietf.org" <cose@ietf.org>
Subject: Re: [COSE] Wire-format ... was RE: Next steps with COSE-HPKE .... was RE: HPKE: Ephemeral public key encoding

 

Hi Hannes

 

Thanks for the response.

your design goal is to avoid changes to your COSE code when adding new HPKE algorithms.

 

Not only code but also the COSE-HPKE specification in itself but yes. It is one of my design goals.

 

1) There is no guarantee that enc can be mapped to COSE_Key in the future, so if a new HPKE cipher suite is specified, it cannot be used on COSE immediately. Whenever a new cipher suite is added to HPKE, it is necessary to develop a mapping specification for COSE_Key (including alg/crv value registration to IANA) and implement an additional enc->COSE_Key conversion process in existing many COSE libraries. 2) When a recipient offers multiple candidates for the HPKE cipher suite, a sender needs to tell the recipient what the sender has chosen, and while AEAD and KEM are fine, there seems to be a lack of a way to tell the recipient about KDF in the current draft.
3) There is no point in specifying kty (and crv) as required parameters. It is a waste of bytes.
4) crv is used to put in KEM algorithm information, but this is not in line with the original definition of crv. Isn't this an abuse of crv?
5) This spec needs to clearly define how COSE_Key parameters are to be handled, and implementations need to support this. (For example, what to put in key_ops, and whether to allow "deriveKey" and/or "deriveBits"? etc.)

 

I have previously listed five problems above, each of which corresponds to my design goals as follows. I think not only 1) but also 2) and 3) are important.

 

1) The addition of a new HPKE algorithm does not cause any changes to the specifications and existing implementations on the COSE side.

2) HPKE cipher suites can be negotiated dynamically and flexibly between a recipient and a sender.

3) The information sent from a sender to a recipient is necessary and sufficient.

4) No abuse of existing specification definitions.

5) Easy implementation (compact specification).

 

The drawback is the definition of a 'HPKE sender information' structure, which carries all the information HPKE exposes.

 

I don't think it is a drawback, but if defining a new structure is a drawback in itself, so be it.

I believe that it is essential for the sender to have a way to inform the selected KDF and AEAD to the receiver in HPKE. This is related to the design goal 2) above.

My main interest is to reach a decision as soon as possible so that we can make progress with the spec. I will ask the chairs to run a consensus call on the design goal.


Okay. Sorry for bothering you with my proposal.

 

Regards,

Daisuke

 

2022年9月16日(金) 0:01 Hannes Tschofenig <Hannes.Tschofenig@arm.com>:

Hi Daisuke

 

your design goal is to avoid changes to your COSE code when adding new HPKE algorithms. The drawback is the definition of a 'HPKE sender information' structure, which carries all the information HPKE exposes.

 

I understand that design goal.

 

It is up to the group to decide whether they share this goal. 

 

My main interest is to reach a decision as soon as possible so that we can make progress with the spec. I will ask the chairs to run a consensus call on the design goal.

 

Ciao

Hannes

 

From: AJITOMI Daisuke <ajitomi@gmail.com> 
Sent: Saturday, September 3, 2022 7:11 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>; cose@ietf.org
Subject: Re: [COSE] Wire-format ... was RE: Next steps with COSE-HPKE .... was RE: HPKE: Ephemeral public key encoding

 

Hi Hannes,

 

 

 


> First, the HPKE RFC says that it does not specify a wire-format. In fact, Section 10 of RFC 9180 is very explicit about this fact by saying “This document does not specify a wire format encoding for HPKE messages.”

Yes, you are correct. There is not any wire format definition in the HPKE spec.
The wire format should be defined by a higher-level protocol, and indeed I know ECH, ODoH, and OHTTP define it.


However, the encapsulated key (sender's ephemeral public key) output by KEM is a byte string and it is evident in the definition of Nenc in the HPKE RFC as follows.

> Nenc: The length in bytes of an encoded encapsulated key produced by the algorithm


All HPKE implementations output enc as a sequence of bytes. How this is transmitted is left to the higher-level protocol, but it would normally be put directly into the wire format. Indeed, ECH, ODoH and OHTTP do just that.
I think the problem is that there is little necessity to convert enc as a byte string to COSE_Key structure. There are many disadvantages as I mentioned, but the reason to convert is just because there is already a field (ephemeral key) defined, right?
In my opinion, the ephemeral key (COSE_Key) is inadequate to represent HPKE sender information including enc, and in addition, there is no assurance that it can be converted to COSE_Key in the future.

I believe it is very important that when new HPKE cipher suites are defined in the future, this specification and existing COSE library implementations need not be changed. This is easily achievable as described in my proposal.

> I will read through your proposal.

Thanks for taking your time.

Regards,
Daisuke

 

 

2022年9月4日(日) 0:47 Hannes Tschofenig <Hannes.Tschofenig@arm.com>:

Hi Daisuke,

Let me give you a very quick response on one item. I will read through your proposal.

➢ One point of concern during the IETF 114 meeting was there were several erroneous comments that the fact that enc is an octet string is implementation-dependent.

We had discussed this earlier on the list and there are two data points:

First, the HPKE RFC says that it does not specify a wire-format. In fact, Section 10 of RFC 9180 is very explicit about this fact by saying “This document does not specify a wire format encoding for HPKE messages.”

Second, since Ilari did not believe me I reached out to Chris Wood, one of the authors, and ask him personally. He confirmed my observation.

The pseudo-programming language API defined in the HPKE RFC is not mandatory to implement by an HPKE library. In fact, there are implementations that do not implement that API and they are still compliant to the HPKE RFC. An example is the HappyKey implementation by Stephen Farrell. I used his implementation and used the PSA Crypto API rather than OpenSSL.

Ciao
Hannes
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email