[COSE] Consensus on cryptographic agility in modern COSE & JOSE
Orie Steele <orie@transmute.industries> Sat, 25 March 2023 22:33 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28B71C151B0B for <cose@ietfa.amsl.com>; Sat, 25 Mar 2023 15:33:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level:
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MAZlW64ZQDJj for <cose@ietfa.amsl.com>; Sat, 25 Mar 2023 15:33:24 -0700 (PDT)
Received: from mail-ed1-x543.google.com (mail-ed1-x543.google.com [IPv6:2a00:1450:4864:20::543]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00DCBC151B0A for <cose@ietf.org>; Sat, 25 Mar 2023 15:33:23 -0700 (PDT)
Received: by mail-ed1-x543.google.com with SMTP id y4so21663071edo.2 for <cose@ietf.org>; Sat, 25 Mar 2023 15:33:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1679783602; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=fOsGnlWZCAq0QsMpsZQgdpar6c3hgAQhrpIr7cFnfic=; b=HSwTxeMflQskdQaHzBUPUHJFm86OcljCSZtFQDFDVYpt1LgX2Tsi6w12JndjCeJ5Fp +wmLbobppI5quII2wneq7rcm03ONMZuwTz49NoQ5BQNaaaVvbecNHQ9NcBqbAd5bcnf+ 6duYcwzMP1i7RnzxeoOJ1MP+b1S50UGYCVMgUc493ol4o3leLAqNGI9j9n71i9pP8q1n nwKK5/KJnWYQfoQjoI9WK+wVOkeb6CqkYxQ82yV+bHmvAh/NEXTDO7I+HLiysKBlIPRH +QFVuESpNxnAlh1ieBvcL0E+JuB4fCUbtzNOCE1aQDQG80JCaaHlfqx37Et+5ZqC1Zll e1Xg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679783602; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=fOsGnlWZCAq0QsMpsZQgdpar6c3hgAQhrpIr7cFnfic=; b=Wcm8U5qtTDbbCATQqIoWLtvMn2vS9gv2PGD2JbeNRJolz2XcnsUGWFTP0dvV9kG9pr 6L6x8rfcf7VxKUVDa+/geAVBS9RYF2AUNVdC+al2F9GYKtrKDCI2MFFs0gCu9bGWLtYY NlDZTE1U1FhtvcLA3nYPTNHDDf2tNkV2jTeHyN2CPX4ovmrxerHB1L69Nai/1DvGrmD2 /O8jXA4Kk5v4NeF5p74dZvIgf/aM+AkJ5pOtkrmXtko1Mxd88PRY6Kv/238x+3kj7al7 7wzofpVKmSgSw4nr8vTffdfiSykYaPuDoBDgvpfP9uAh40KOPLvjP6/ooEdEoHMH/wgP ev8A==
X-Gm-Message-State: AAQBX9fqOFH+eul1sd1cwxvdAk1YKnpHsad5np6ddNutRaqYwAck7zvu wiH9UuNb9TQZ8AxZBgU5jAxazy0Cut3zJaTcwOphfESjc+5a28084BqfDjW7YSs=
X-Google-Smtp-Source: AKy350Z7QDl9Es2I7yvQwLYmpupkxzd/L3BIy1FNdEX2y3JF0mH2A3Bggr4tdxAfdz5cJQR46eGd/crTNBC3xlFxGkE=
X-Received: by 2002:a17:907:1002:b0:931:ce20:db96 with SMTP id ox2-20020a170907100200b00931ce20db96mr3157709ejb.5.1679783601574; Sat, 25 Mar 2023 15:33:21 -0700 (PDT)
MIME-Version: 1.0
From: Orie Steele <orie@transmute.industries>
Date: Sun, 26 Mar 2023 07:33:10 +0900
Message-ID: <CAN8C-_KqEbX10mE=3sNWAJoWUkb8OSG9mDJ82XNaZHBwKNtrYg@mail.gmail.com>
To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000df2a3d05f7c11846"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/wk2GnQp53zCefRDllDEbSX_LCUI>
Subject: [COSE] Consensus on cryptographic agility in modern COSE & JOSE
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2023 22:33:28 -0000
Friends, Recently I have had a lot of conversations regarding cryptographic agility. My goal in sending this message to the list is to attempt to gather what consensus may exist within IETF on the subject. The topic is difficult, because many people think certain forms of agility are "good" and others are "bad"... and the answers are often inconsistent across subject matter experts. So far, I have learned of basically 2 camps. The "low agility, named cipher suite" camp, where primitives, parameters and algorithm are all combined into a named algorithm, such as ES256, which uses ECDSA on secp256r1 with sha256, or ECDH-ES+A256KW, which internalizes a KDF The "high agility, parameterized algorithm" camp, where the algorithm is fixed, but all its parameters and primitives are exposed, typically in registries dedicated to the "fixed algorithm", they are not meant to be "used with other algorithms". HPKE is an example of this, kem, kdf, aead, each are bound to "HPKE", they are not meant to be used by other algorithms, and unlike ES256, ECDH-ES+A256KW, HPKE is only a meaningful name when these parameters are supplied along with it. Because time is a factor in all cryptography and standards work, it is easy to generalize these 2 camps as "the old way" and "the new way"... but I wonder if that is wise to do, or if there is something special about HPKE or encryption that implies "the new way" is not meant to be taken for other "new work", such as digital signatures. It is worth noting that if the KDF or hash function is broken and you picked "the old way"... you might end up needing to do a lot more work than simply moving to a new registry entry for KDF or hash function... During that time, bad stuff could be happening in all the places where the broken cipher suite was deployed... You might also be forced to do this work because of the regular lifetime of cryptographic primitives... This could be interpreted as a "higher maintenance" cost for "the old way", you are forced to throw out the whole car, because 1 part is no longer safe to use. The main motivation for this question comes from work I have collaborated on regarding post quantum key and signature representations for JOSE and COSE. - https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/ - https://datatracker.ietf.org/doc/draft-ietf-cose-falcon/ - https://datatracker.ietf.org/doc/draft-ietf-cose-sphincs-plus/ I also explored applying the same approach to kyber: - https://datatracker.ietf.org/doc/draft-steele-cose-kyber/ ^ these are all in the style of "the old way"... they try to make use of "alg" and internalize parameters and primitives into a single useful name, for example "CRYDI5" uses dilithiums's parameter set 5, "SPHINCS+256f" uses sphincs's parameter set 256f. Perhaps an example of "the new way", can be found in: - https://datatracker.ietf.org/doc/draft-ajitomi-cose-cose-key-jwk-hpke-kem/ In section 4.1, the kty is "HPKE-KEM", but this is meaningless without "hkc", which is the key configuration, which defines the parameters that are allowed for the key, a single kem id, and an array of kdf and aead identifiers. It is a bit awkward to compare key design for kems and digital signatures, and yet, I think developers will hope for some consistency in the post quantum key representations, even if there are no examples like P256 that is used for both ECDSA and ECDH-ES. Just for the sake of argument, let us imagine an HPKE inspired Dilithium key with hash before sign (a made up additional agility parameter): { kty: "HPKS", // similar to HPKE, useless without parameters / configuration hkc: { // like HPKE Key Configuration, but for "Hybrid Public Key Signature Key Configuration" parameter_set: CRYSTALS-Dilithium parameter set 5 // like kem id, bound to pub / priv. ... REQUIRED digests: [ shake256, sha256 ] // like kdfs, aeads not bound to pub / priv ... OPTIONAL // are there other parameters that are internalized in "the old way", that you can think of that would go here? } pub: ..., // public key, but more obvious than x priv: ... // private key, but more obvious than d } Similar to EdDSA with Ed25519, it would be annoying to use sha256 here, since dilithium uses shake256 internally, (EdDSA uses sha512 internally). Do we need to make something like HPKE, but for keys for signatures, something like HPKS? What happens to the old registry entries and old key formats if we fully embrace "the new way"? Should post quantum keys use "the old way" or "the new way" or "both / it depends" ? As an author on the post quantum signatures work, what else should I be doing to make sure the drafts reflect the "best path forward"? Regards, OS -- *ORIE STEELE* Chief Technical Officer www.transmute.industries <https://www.transmute.industries>
- [COSE] Consensus on cryptographic agility in mode… Orie Steele
- Re: [COSE] Consensus on cryptographic agility in … Laurence Lundblade
- Re: [COSE] [jose] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [COSE] [jose] Consensus on cryptographic agil… AJITOMI Daisuke
- Re: [COSE] [jose] Consensus on cryptographic agil… Manu Sporny
- Re: [COSE] [jose] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [COSE] [jose] Consensus on cryptographic agil… AJITOMI Daisuke
- Re: [COSE] [jose] Consensus on cryptographic agil… Manu Sporny
- Re: [COSE] [jose] Consensus on cryptographic agil… Manu Sporny
- Re: [COSE] [jose] Consensus on cryptographic agil… Orie Steele
- Re: [COSE] [jose] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [COSE] [jose] Consensus on cryptographic agil… Ilari Liusvaara
- Re: [COSE] [jose] Consensus on cryptographic agil… Tobias Looker