Re: [COSE] Update to the COSE-HPKE draft and new use case (?)
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 22 April 2022 16:48 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C10DD3A18E9 for <cose@ietfa.amsl.com>; Fri, 22 Apr 2022 09:48:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 20wlxFqpc9Th for <cose@ietfa.amsl.com>; Fri, 22 Apr 2022 09:48:49 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 182ED3A18E8 for <cose@ietf.org>; Fri, 22 Apr 2022 09:48:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id D41A317173 for <cose@ietf.org>; Fri, 22 Apr 2022 19:48:45 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id WC7qPQsFX154 for <cose@ietf.org>; Fri, 22 Apr 2022 19:48:45 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 92D8C2323 for <cose@ietf.org>; Fri, 22 Apr 2022 19:48:44 +0300 (EEST)
Date: Fri, 22 Apr 2022 19:48:44 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cose@ietf.org" <cose@ietf.org>
Message-ID: <YmLcbAWZRrllV0Gj@LK-Perkele-VII2.locald>
References: <DBBPR08MB5915DBF46D50E44049EEEB72FA019@DBBPR08MB5915.eurprd08.prod.outlook.com> <DBBPR08MB59156170634FE8A6899F7323FAF79@DBBPR08MB5915.eurprd08.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <DBBPR08MB59156170634FE8A6899F7323FAF79@DBBPR08MB5915.eurprd08.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/rHRIX9CYG0zOrOBWlN51RaKY-lc>
Subject: Re: [COSE] Update to the COSE-HPKE draft and new use case (?)
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2022 16:48:52 -0000
On Fri, Apr 22, 2022 at 11:54:59AM +0000, Hannes Tschofenig wrote: > Hi all > > I have created a PR to add the use case described below into the > COSE-HPKE draft: > https://github.com/cose-wg/HPKE/pull/5 > > I briefly talked about this topic at the IETF meeting in Vienna. > Comments welcome! For this change specifically: 1) In section titled "HPKE Encryption with SealBase", there is this text: "IMPORTANT: For use in this specification, the plaintext "pt" passed into the SealBase is the CEK." While this is true in multi-recipient cose_encrypt case, it is not true in the single-recipient cose_encrypt0 case. Then the plaintext is the raw message. It seems this was forgotten to be changed to deal with the cose_encrypt0 case. Maybe something like: ----------------------- IMPORTANT: For use in cose_encrypt, the plaintext "pt" passed into the SealBase is the CEK. The CEK is a random byte sequence of length appropriate for the encryption algorithm selected in layer 0. For example, AES-128-GCM requires a 16 byte key and the CEK would therefore be 16 bytes long. In case of cose_encrypt0, the plaintext "pt" passed into the SealBase is the raw plaintext. ----------------------- 2) In section titled "HPKE Decryption with OpenBase", there is this text: "When decrypted, the result will be the CEK. The CK is the symmetric key used to decrypt the ciphertext in layer 0 of the COSE_Encrypt structure." Which again is not the case when using cose_encrypt0. Then the result will be the raw message. This seems to be similar text that has been forgotten to be changed to deal with cose_encrypt0 case. Maybe something like: ----------------------- When decrypted, the result will be either the CEK (if using cose_encrypt), or the raw plaintext (if using cose_encrypt0). The CEK is the symmetric key used to decrypt the ciphertext in layer 0 of the COSE_Encrypt structure. ----------------------- 3) The sections "Examples" -> "One Layer" and "Examples" -> Two Layer" both seem to have duplicate anchor "{#one-layer-example}". I think the anchor for the two layer example should be "{#two-layer-example}". 4) The one layer example expands the ephremeral key, but the two layer example does not. One would expect the two examples to be stylistically consistent. 5) The text about cose_encrypt0 says: "The sender MUST place the kid and ephemeral public key into the unprotected header." However, RFC8152 says: "If a key needs to be identified to the recipient, the enveloped structure ought to be used." While these two are not in normative conflict (MUST vs. ought), this still seems inconsistent. And then some comments on the spec in general: 6) The encoding of the encapsulated key produced by HPKE seems to be under-specified. HPKE gives octet string as encapsulted key. This apparently is placed into the ephremeral public key field in unprotected header. However, RFC8152 specifies this field to be cose_key, and it is not at all clear how to encode the octet string as cose_key. Especially what to fill as the kty field, which is mandatory in cose_key. Searching for existing RFC8152 construct to abuse, there is the "Symmetric" kty. Then the encapsulated key would look like: -1: { /* kty => Symmetric */ 1:4, /* The raw encapsulated ciphertext. */ -1:h'04ca591f4b1139c1c325be3265a6ce4dcc79a5895e9ef12a0726406bc72282697c8d12f18230208ebaa769f903917d59284526fd65a27ab5898913af10ed334398' } 7) I think that combining all the HPKE algorithms into one ciphersuite is a bad idea. While the KEM and KDF could be combined, trying to combine AEAD would lead into combinatorial explosion, or worse, into broken combinatorics, which are nasty to handle in any sort of sane way (see TLS 1.0-1.2 ciphersuites). Even with KEM and KDF combined, present HKDF would give 15 different ciphersuites. What I think should be done is just registering the HPKE AEADs as alg values (there are 3 of those currently), and then having OKP crv's for the combined KEM and KDF (there are 5 of those currently) in the key. That is, alg's like: - HPKE_AES_128_GCM (HPKE AEAD 1) - HPKE_AES_256_GCM (HPKE AEAD 2) - HPKE_ChaCha20Poly1305 (HPKE AEAD 3) And crv's like: - HPKE_P_256_HKDF_SHA256 (HPKE KEM 16 KDF 1) - HPKE_P_384_HKDF_SHA384 (HPKE KEM 17 KDF 2) - HPKE_P_521_HKDF_SHA512 (HPKE KEM 18 KDF 3) - HPKE_X25519_HKDF_SHA256 (HPKE KEM 32 KDF 1) - HPKE_X448_HKDF_SHA512 (HPKE KEM 33 KDF 3) This also mirrors the internal structure of HPKE: Mixing and matching AEADs is cryptographically kosher, while mxing and matching KDFs is not (and it is not possible to fix this due to shortcomings of the standard KEM interface). -Ilari
- [COSE] Update to the COSE-HPKE draft and new use … Hannes Tschofenig
- Re: [COSE] Update to the COSE-HPKE draft and new … Ilari Liusvaara
- Re: [COSE] Update to the COSE-HPKE draft and new … Hannes Tschofenig
- Re: [COSE] Update to the COSE-HPKE draft and new … Ilari Liusvaara
- Re: [COSE] Update to the COSE-HPKE draft and new … Russ Housley
- Re: [COSE] Update to the COSE-HPKE draft and new … Hannes Tschofenig