Re: [COSE] [jose] HPKE PartyU / PartyV

AJITOMI Daisuke <ajitomi@gmail.com> Fri, 22 March 2024 23:35 UTC

References: <Zfa0cauyJ0n2uRkI@LK-Perkele-VII2.locald> <CAFWvErWGBVHJp5gDfTQdxSsQKpkFcnw34kbKiadgqXB6ewX==g@mail.gmail.com> <Zff4A40zh_--tIWr@LK-Perkele-VII2.locald> <CAFWvErUaa4hxNmM82HY9mU6TyvWsh-5zAtDXO4r4qoqEfvxwOA@mail.gmail.com> <3732594D-ECA8-4BA3-9CFC-4E4E6E88D13A@island-resort.com> <CAFWvErXkcV8prWVTF=VLRZtin9wA1Z8+DPkopQxvDzqTepZ1ZA@mail.gmail.com> <A1D2BF92-68FE-4E67-A420-D19D55AD6C99@island-resort.com> <CAFWvErWo11A--1Nkkv8p7JkF+xCPD66hVxJa8CTU+nO74cbCrA@mail.gmail.com> <2FC023C9-9091-4C9C-A2C7-350945C04B23@island-resort.com> <CAN8C-_KgZmFMkg_GsF0YgzgS+jCJKWAOZdytZKVwgbirrDUc_Q@mail.gmail.com> <Zf1jjGx2ZimgRqAD@LK-Perkele-VII2.locald> <CAFWvErVR6CSTd6bxRyTXWpib3jyjOWwdvDnprBOwPSed8GSDVA@mail.gmail.com> <B9B41D94-6708-491B-8551-5D504B8D8339@island-resort.com>
In-Reply-To: <B9B41D94-6708-491B-8551-5D504B8D8339@island-resort.com>
From: AJITOMI Daisuke <ajitomi@gmail.com>
Date: Sat, 23 Mar 2024 08:35:32 +0900
Message-ID: <CAFWvErWKs0gzfvPymsOGfQXjMuAQRUJNaodvVfAbUWiwbuNMwg@mail.gmail.com>
To: "lgl island-resort.com" <lgl@island-resort.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cose <cose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/jP71wj0UVjyw4JRIE9-X0Fagqxw>
Subject: Re: [COSE] [jose] HPKE PartyU / PartyV
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>

Laurence, sorry, I just want to understand why next_alg can protect against
the lamps attack on two-layer COSE-HPKE.

> Unfortunately, currently no algorithm that takes a key (as opposed to
> giving a key) can protect the algorithm at next layer.

Ilari, I interpreted what you said as meaning that there is no algorithm
for encrypting (wrapping) the layer0 keys at layer1, including COSE-HPKE,
that can prevent the lamps attack. Am I mistaken?
If I am mistaken, could you tell me how next_alg can specifically
protect against the lamps attack on the algorithms that take a key?

> Could you tell me specific attack methods or threats?

This is the question I posted previously, and I found a threat myself. I
thought there might be a slight possibility for a lamps attack to succeed
if the victim can accept both A128CBC and A128GCM as content encryption
algorithms at layer0 and uses the same CEK for both algorithms. However,
the next_alg is only bound to the key wrapping the CEK and cannot affect
the CEK itself. Therefore, it doesn't seem like a meaningful measure since
it can't limit the reuse of the CEK.

Am I missing something?

Daisuke

On Sat, 23 Mar 2024 at 7:01, lgl island-resort.com <lgl@island-resort.com> wrote:

> On Mar 22, 2024, at 6:44 AM, AJITOMI Daisuke <ajitomi@gmail.com> wrote:
>
>>> Unfortunately, currently no algorithm that takes a key (as opposed to
>>> giving a key) can protect the algorithm at next layer.
>
> Ilari is talking about algorithms like AES Key Wrap, not what HPKE Seal()
> provides and not ECDSA.
>
>> I agree. The content_encryption_alg (next_alg) cannot be a countermeasure
>> to the lamps attack on KAwKW(-29, etc.) and two-layer COSE-HPKE.
>
> next_alg (or better content_encryption_algorithm) can be used to protect
> COSE-HPKE and probably also protect -29 if applied correctly.
>
>> Of course, it is effective against the attack on direct KeyAgreement (-25,
>> etc.) and I think it's much better than COSE_KDF_Context.
>>
>> I believe what we should consider is only whether non-AEAD algs should be
>> prohibited at layer0 or not.
>> I think it would be better to be prohibited if possible.
>
> Daisuke, it looks to me that you are the only one that continues to argue
> this. Also, nothing you’ve said has created any doubts for me.
> Respectfully, I’m not going to respond to your arguments any more unless
> something very substantially changes.
>
> LL
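The thread turns on what a next_alg binding in the recipient (layer1) wrap does and does not cover. The following is an added, constructed toy model written for this page; it is not code from the thread, from the COSE-HPKE draft, or from any participant, and it does not implement the draft's real encoding, HPKE, AES-CBC or AES-GCM. The HPKE recipient layer is replaced by an HKDF-derived key-encryption key plus a toy AEAD, and the two content algorithms are stand-ins named "TOY-AEAD" (authenticated) and "TOY-STREAM" (unauthenticated); the shared secret, labels and message layout are all assumptions. It shows both outcomes discussed above: within a single message, rewriting the layer0 alg header is caught because next_alg is bound into the wrap, while a sender who reuses one CEK under two algorithms produces two wraps that each verify under their own next_alg, so a spliced message passes the layer1 check and reaches the unauthenticated layer0 path.

```python
"""Toy two-layer COSE-style encryption (constructed illustration, stdlib only).

Layer 1 stands in for the HPKE recipient layer: a KEK is derived from a shared
secret with HKDF, and the layer-0 alg id ("next_alg") is mixed into both the
HKDF info and the AAD of the wrap. Layer 0 is the content layer keyed by the
CEK. Nothing here is the COSE-HPKE draft's real construction or real AES modes.
"""
import hashlib
import hmac
import os

TAG_LEN = 16
NONCE_LEN = 12
SHARED = b"constructed stand-in for the HPKE shared secret"  # assumption


def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (zero salt extract, then expand) with SHA-256."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    keystream = hkdf_sha256(key, b"toy-keystream" + nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def seal(alg: str, key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Layer-0 encryption; only TOY-AEAD appends an authentication tag."""
    ct = _xor_keystream(key, nonce, plaintext)
    if alg == "TOY-AEAD":
        ct += hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    elif alg != "TOY-STREAM":
        raise ValueError("unknown alg")
    return ct


def open_(alg: str, key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    """Layer-0 decryption; TOY-STREAM accepts any ciphertext unchecked."""
    if alg == "TOY-AEAD":
        body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
        expected = hmac.new(key, aad + nonce + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("tag check failed")
        ct = body
    elif alg != "TOY-STREAM":
        raise ValueError("unknown alg")
    return _xor_keystream(key, nonce, ct)


def wrap_cek(shared: bytes, next_alg: str, cek: bytes) -> bytes:
    """Layer 1: always an AEAD wrap; next_alg is bound into KEK derivation and AAD."""
    kek = hkdf_sha256(shared, b"toy-kek|next_alg=" + next_alg.encode(), 32)
    nonce = os.urandom(NONCE_LEN)
    return nonce + seal("TOY-AEAD", kek, nonce, b"next_alg=" + next_alg.encode(), cek)


def unwrap_cek(shared: bytes, next_alg: str, wrapped: bytes) -> bytes:
    kek = hkdf_sha256(shared, b"toy-kek|next_alg=" + next_alg.encode(), 32)
    nonce, ct = wrapped[:NONCE_LEN], wrapped[NONCE_LEN:]
    return open_("TOY-AEAD", kek, nonce, b"next_alg=" + next_alg.encode(), ct)


def encrypt(shared: bytes, cek: bytes, alg: str, plaintext: bytes) -> dict:
    nonce = os.urandom(NONCE_LEN)
    return {"alg": alg, "nonce": nonce,
            "ciphertext": seal(alg, cek, nonce, alg.encode(), plaintext),
            "recipient": wrap_cek(shared, alg, cek)}


def decrypt(shared: bytes, msg: dict) -> bytes:
    # next_alg is read from the layer-0 header that the wrap is meant to protect.
    cek = unwrap_cek(shared, msg["alg"], msg["recipient"])
    return open_(msg["alg"], cek, msg["nonce"], msg["alg"].encode(), msg["ciphertext"])


def header_swap_is_rejected() -> bool:
    """Within one message, downgrading the layer-0 alg header breaks the layer-1 binding."""
    msg = encrypt(SHARED, os.urandom(16), "TOY-AEAD", b"hello")
    msg["alg"] = "TOY-STREAM"
    try:
        decrypt(SHARED, msg)
        return False
    except ValueError:
        return True


def splice_with_reused_cek() -> bytes:
    """Sender reuses one CEK under both algs; the TOY-STREAM recipient blob is paired
    with the TOY-AEAD content ciphertext (tag stripped). Every layer-1 check passes."""
    cek = os.urandom(16)
    aead_msg = encrypt(SHARED, cek, "TOY-AEAD", b"pay 10")
    stream_msg = encrypt(SHARED, cek, "TOY-STREAM", b"status ok")
    # Both wraps are valid under their own next_alg and release the same CEK.
    assert unwrap_cek(SHARED, "TOY-AEAD", aead_msg["recipient"]) == \
        unwrap_cek(SHARED, "TOY-STREAM", stream_msg["recipient"]) == cek
    spliced = {"alg": stream_msg["alg"], "recipient": stream_msg["recipient"],
               "nonce": aead_msg["nonce"], "ciphertext": aead_msg["ciphertext"][:-TAG_LEN]}
    return decrypt(SHARED, spliced)  # b"pay 10", now with no layer-0 authentication
```

The point the model isolates is that the binding lives in the wrap: it ties a given recipient blob to one layer0 alg, but it cannot stop a sender from wrapping the same CEK twice under different algs, and once both blobs exist the recipient has no way to tell that the content ciphertext came from the other one.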