IETF Logo Mail Archive

Re: [COSE] [jose] HPKE PartyU / PartyV

Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 24 March 2024 09:51 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A7E1C151536 for <cose@ietfa.amsl.com>; Sun, 24 Mar 2024 02:51:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8muvL0YZiStd for <cose@ietfa.amsl.com>; Sun, 24 Mar 2024 02:51:53 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFDC9C151062 for <cose@ietf.org>; Sun, 24 Mar 2024 02:51:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 8C92621E46 for <cose@ietf.org>; Sun, 24 Mar 2024 11:51:48 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 26aYRbkCPifF for <cose@ietf.org>; Sun, 24 Mar 2024 11:51:48 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 3B7C22309 for <cose@ietf.org>; Sun, 24 Mar 2024 11:51:47 +0200 (EET)
Date: Sun, 24 Mar 2024 11:51:46 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>
Message-ID: <Zf_3ssDYfnEh1qIW@LK-Perkele-VII2.locald>
References: <A1D2BF92-68FE-4E67-A420-D19D55AD6C99@island-resort.com> <CAFWvErWo11A--1Nkkv8p7JkF+xCPD66hVxJa8CTU+nO74cbCrA@mail.gmail.com> <2FC023C9-9091-4C9C-A2C7-350945C04B23@island-resort.com> <CAN8C-_KgZmFMkg_GsF0YgzgS+jCJKWAOZdytZKVwgbirrDUc_Q@mail.gmail.com> <Zf1jjGx2ZimgRqAD@LK-Perkele-VII2.locald> <CAFWvErVR6CSTd6bxRyTXWpib3jyjOWwdvDnprBOwPSed8GSDVA@mail.gmail.com> <B9B41D94-6708-491B-8551-5D504B8D8339@island-resort.com> <CAFWvErWKs0gzfvPymsOGfQXjMuAQRUJNaodvVfAbUWiwbuNMwg@mail.gmail.com> <Zf8N0hhwhhFJuFlI@LK-Perkele-VII2.locald> <AF75EFD3-F7FF-4F64-830F-E69B1C250335@island-resort.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <AF75EFD3-F7FF-4F64-830F-E69B1C250335@island-resort.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/klcwCmeyXpGO6miL-bmIu7QTkfY>
Subject: Re: [COSE] [jose] HPKE PartyU / PartyV
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Mar 2024 09:51:57 -0000

On Sat, Mar 23, 2024 at 08:37:58PM +0000, lgl island-resort.com wrote:
> 
> On Mar 23, 2024, at 10:13 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> 
> _If_ key management algorithm is aad-capable, adding next_alg to aad is
> an easy way to make decryption fail if attacker alters algorithms.
> 
>  COSE -25 and for COSE-HPKE key management is aad-capable. With a
> little extra work I think content_encryption_algorithm (formerly
> next_alg) can work for COSE -29.

Sure -29 can be hacked to work. And fully-specified-encryption would
redo it anyway. The main problem is Key Wrap and Key Transport.

And next_alg and content_encryption_algorithm are not the same thing.
next_alg is the algorithm with what the unwrapped key will be used with,
while content_encryption_algorithm can be something else if there is
intermediate step (even if I do not know why anyone would do that).


> I’m starting to think about a new draft to define the -29 replacement.
> Probably not a large document. It would not use COSE_KDF_Context. It
> would use a new Enc_structure with content_encryption_algorithm.

There should still be something close to COSE_KDF_Context, because it
is driven by ECDH (or KEM), and thus there should be KDF step.


> It could define a -25 replacement too, one without COSE_KDF_Context.

Uh, the whole purpose of -25 is to have ECDH driving a KDF.


> However, the problem is that COSE explicitly allows aad-incapable key
> management algorithms (e.g., Key Transport or the whole section 5.4
> stuff). And often there isn't even hacks around that.
> 
> You are talking about 6.1.1 and 6.2 from 9053 used with the non-AEADs
> in 5.4, right?  The others in section 6 of 9053 have a KDF, so they
> are OK (except for -29 which gets tripped up by key wrap).

Out of 9053, Mainly section 6.2.

But also RFC8230 section 3.


AES-GCM (or Chacha20-Poly1305) is not good for Key Wrap. However,
combining those with Direct Key with KDF (9053 section 6.1.2.) makes a
decent key wrap.


> I suppose errata might be issued with additional security
> considerations.

Yes. This whole mess started from insufficient security considerations.




-Ilari

v2.23.0 | Report a Bug | By Email