Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 24 January 2022 10:27 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: "cose@ietf.org" <cose@ietf.org>
Date: Mon, 24 Jan 2022 10:27:16 +0000
Message-ID: <DBBPR08MB59153CE8720AB4EEDFF876FEFA5E9@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <DBBPR08MB5915C899B9EF8122898057BDFA579@DBBPR08MB5915.eurprd08.prod.outlook.com> <YeVQooQEGzfjFeE9@LK-Perkele-VII2.locald> <DBBPR08MB5915C7AFF11B55A8AA8CBBEEFA579@DBBPR08MB5915.eurprd08.prod.outlook.com> <YeWbRYe13Mk+IV+2@LK-Perkele-VII2.locald> <DBBPR08MB591586D6CB6BAF7B5354F517FA589@DBBPR08MB5915.eurprd08.prod.outlook.com> <YemgmVX/zsWFQfA/@LK-Perkele-VII2.locald> <DBBPR08MB59153905223EB68CD94F44E0FA5B9@DBBPR08MB5915.eurprd08.prod.outlook.com> <YerAi7tqgY075EoM@LK-Perkele-VII2.locald>
In-Reply-To: <YerAi7tqgY075EoM@LK-Perkele-VII2.locald>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/wBTc8NJg_gPkok5UZxr7ihnvd1c>
Subject: Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01

Hi Ilari,

Thanks again for your input. A few responses below:

-----Original Message-----
From: ilariliusvaara@welho.com <ilariliusvaara@welho.com>
Sent: Friday, January 21, 2022 3:18 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: cose@ietf.org
Subject: Re: [COSE] draft-ietf-cose-hpke-00 and proposed changes for -01

On Fri, Jan 21, 2022 at 01:15:50PM +0000, Hannes Tschofenig wrote:
> Hi Ilari,
>
> You are again raising good points, namely
>
> 1) Should we convey the KEM ID, and KDF ID explicitly? I think so.

Well, I think that all HPKE algorithms should be supported in a generic way, so that COSE does not have to deal with registering HPKE algorithms the second time.

[Hannes] I checked the TLS ESNI spec and there, if I understand correctly, the KEM ID is not explicitly communicated. The KDF ID is.

> 2) If we do, where should this information go? You suggest to put them
> into the COSE key (ephemeral key) structure. I would have thought that
> the unprotected header would be more appropriate but I do not really
> have a strong preference.

Well, for KDF id, one could stick it either inside ephemeral key structure, or the main headers.

[Hannes] What would be your preference?

However, I think that one will run into cases where:

- KDF is implicit from KEM. E.g. KEM 17 is probably combined with
  KDF 2.
- KDF is not implicit from KEM. E.g. KEM 48 goes with KDF ???.


[Hannes] In the ESNI spec, the KDF is explicitly communicated in the HpkeSymmetricCipherSuite structure.
Regardless of whether some parameters can be communicated implicitly or explicitly, there is still the question about where the information has to go.

(What is KEM 48?)

> 3) Should we define a new kty id? If we place the KEM ID and the KDF
> ID into the COSE key structure then I think it would be a good idea to
> define a new kty id.

Well, there are not just HPKE encapsulated keys, HPKE also has public and private keys.

While reusing OKP for the generic case would be possible (at the cost of a few bytes, since crv will be pushed to 5 byte territory), I think a new kty would be cleaner.

[Hannes] Having a new kty id parameter is OK for me. I am not sure what you mean by "HPKE also has public and private keys". The newly defined structure is supposed to communicate only the ephemeral public key.

> I am curious what others in the group think about this idea.
>
> I lost you when you were talking about the "size issues" and tried
> to solve the issues. Maybe you could elaborate a bit what problem you
> see.

The size issue is that HPKE currently uses uncompressed P-256/P-384/P-521. This makes public keys and ephemeral keys a few dozen bytes larger than they should be if one uses NIST curves.

And I came up with two ways of representing a compressed ephemeral key (and public key).

[Hannes] Thanks for the clarification.

> IMHO we cannot use COSE_Encrypt0 because we need the recipient
> structure, which is not present with the COSE_Encrypt0.

HPKE itself does not seem to need the recipient.

[Hannes] Here is how I understand COSE: "COSE_Encrypt0 is used when a recipient structure is not needed because the key to be used is known implicitly." So, the "recipient" structure is really only the name of the place where certain information is supposed to go. In my understanding we have to put the HPKE related info into the recipient structure.


> You also seem to define new key formats. What prevents us from
> re-using the existing COSE key formats? Section 13 of RFC 8152 defines
> various ECC key formats and those could be re-used.
> Since there is no compressed point format, we could add it.

One of the ideas I had for key compression was reusing the existing formats. And these are the cases where there is an obvious KDF to use.

Then there is the question of how generic HPKE keys should be presented.

[Hannes] If you also want to introduce support for compressed ECC keys then it makes sense to introduce a new kty id.

> I am also not sure why you talk about PQC algorithms. Neither COSE nor
> HPKE define PQC algorithms. Do you think we should define them in this
> document?

I am expecting that once NIST comes with PQC algorithm recommendations, those will be added to HPKE. And with generic HPKE algorithm support, those would be immediately usable in COSE.

[Hannes] To have them immediately usable, the COSE fields have to exist where they should be placed. Why is the immediate usage so important? Most likely specification work will be needed by the HPKE authors as well, since it is not just about adding an entry to the IANA registry.


Ciao
Hannes


-Ilari
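The two size arguments in the thread above (uncompressed NIST-curve points costing "a few dozen bytes" per ephemeral key, and a crv value being "pushed to 5 byte territory") can be checked with a few lines of CBOR arithmetic. The following is an added example, not code from the mailing-list thread or from the COSE-HPKE draft. It assumes the RFC 8152 EC2 COSE_Key map layout (kty under label 1, crv under -1, x under -2, y under -3) for the uncompressed case, and a hypothetical compressed layout that keeps x and replaces y with a one-bit parity flag in the style of SEC1 point compression; the coordinates are constructed zero bytes and the crv value 70000 is a placeholder chosen only because it exceeds 65535.

```python
"""Size arithmetic for a CBOR-encoded COSE_Key carrying an HPKE ephemeral
public key: uncompressed versus compressed NIST-curve points, and the
encoding cost of a large crv value.

Added example; not code from the mailing-list thread or the COSE-HPKE draft.
Assumption: the compressed layout (y replaced by a boolean parity bit) is a
hypothetical variant modelled on SEC1 point compression, not a registered
COSE format. Coordinates are constructed zero bytes so this runs offline.
"""
import struct
from typing import Optional

# Coordinate length in bytes for the NIST curves HPKE defines KEMs for.
COORD_LEN = {"P-256": 32, "P-384": 48, "P-521": 66}

CBOR_FALSE, CBOR_TRUE = b"\xf4", b"\xf5"


def cbor_head(major: int, arg: int) -> bytes:
    """Encode a CBOR major type plus argument (RFC 8949 section 3).
    The argument takes 1, 2, 3, 5 or 9 bytes depending on its size, which
    is why an integer label value such as crv lands in "5 byte territory"
    once it exceeds 65535."""
    mt = major << 5
    if arg < 24:
        return bytes([mt | arg])
    if arg < 0x100:
        return bytes([mt | 24]) + struct.pack(">B", arg)
    if arg < 0x10000:
        return bytes([mt | 25]) + struct.pack(">H", arg)
    if arg < 0x100000000:
        return bytes([mt | 26]) + struct.pack(">I", arg)
    return bytes([mt | 27]) + struct.pack(">Q", arg)


def cbor_int(n: int) -> bytes:
    """Unsigned integers are major type 0; negative ones are major type 1
    with argument -1 - n (so the COSE label -1 encodes as the byte 0x20)."""
    return cbor_head(0, n) if n >= 0 else cbor_head(1, -1 - n)


def cbor_bstr(b: bytes) -> bytes:
    return cbor_head(2, len(b)) + b


def cbor_map(items: dict) -> bytes:
    """Map with int keys and bool/int/bytes values (all this example needs).
    bool is tested before int because bool is an int subclass in Python."""
    out = cbor_head(5, len(items))
    for k, v in items.items():
        out += cbor_int(k)
        if isinstance(v, bool):
            out += CBOR_TRUE if v else CBOR_FALSE
        elif isinstance(v, int):
            out += cbor_int(v)
        else:
            out += cbor_bstr(v)
    return out


def ec2_cose_key(curve: str, crv: int, compressed: bool,
                 x: Optional[bytes] = None, y: Optional[bytes] = None) -> bytes:
    """CBOR-encode an EC2 COSE_Key for `curve`.

    `crv` is the value placed under label -1; pass a large number to see
    what a freshly registered identifier costs. With compressed=True the
    y coordinate is replaced by its parity bit (hypothetical layout)."""
    n = COORD_LEN[curve]
    x = bytes(n) if x is None else x      # constructed zero coordinate
    y = bytes(n) if y is None else y
    if len(x) != n or len(y) != n:
        raise ValueError(f"{curve} coordinates must be {n} bytes")
    key = {1: 2, -1: crv, -2: x}          # kty=EC2 (2), crv, x
    key[-3] = bool(y[-1] & 1) if compressed else y
    return cbor_map(key)


def compression_saving(curve: str, crv: int = 1) -> int:
    """Bytes saved on one ephemeral key by sending the parity bit instead
    of the full y coordinate: 33 for P-256, 49 for P-384, 67 for P-521."""
    return (len(ec2_cose_key(curve, crv, compressed=False))
            - len(ec2_cose_key(curve, crv, compressed=True)))


if __name__ == "__main__":
    for curve in COORD_LEN:
        full = len(ec2_cose_key(curve, 1, compressed=False))
        short = len(ec2_cose_key(curve, 1, compressed=True))
        print(f"{curve}: uncompressed {full} B, compressed {short} B, "
              f"saving {compression_saving(curve)} B")
    # A crv value above 65535 (70000 is a constructed placeholder) costs
    # 5 bytes instead of 1, eating part of the compression gain.
    print("crv=1 costs", len(cbor_int(1)), "B; crv=70000 costs",
          len(cbor_int(70000)), "B")
```

The numbers line up with the thread: dropping y saves one coordinate plus its two-byte byte-string header (33 bytes on P-256), while a crv identifier above 65535 adds four bytes to every key, so a new kty with small, freshly assigned crv values keeps the compressed form cheap.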