IETF Logo Mail Archive

Re: [COSE] [jose] HPKE PartyU / PartyV

AJITOMI Daisuke <ajitomi@gmail.com> Sat, 23 March 2024 05:34 UTC

Return-Path: <ajitomi@gmail.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD0ECC14F5F2 for <cose@ietfa.amsl.com>; Fri, 22 Mar 2024 22:34:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XpbHKwEolWXp for <cose@ietfa.amsl.com>; Fri, 22 Mar 2024 22:34:29 -0700 (PDT)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F8EAC14F684 for <cose@ietf.org>; Fri, 22 Mar 2024 22:34:29 -0700 (PDT)
Received: by mail-yb1-xb33.google.com with SMTP id 3f1490d57ef6-d9b9adaf291so2629332276.1 for <cose@ietf.org>; Fri, 22 Mar 2024 22:34:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711172068; x=1711776868; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rjRpuxHwpyZxUD/dorUrUgSCiWn8qVM9mqlx5wMiF0g=; b=Nf0b8pbUJoQ8fDqWemDzw5C9BW+ZIfmm+bs85kEjM1mchuCo/OJ6AublUwLvvy7yTH Dvf1MBs61ZHbL/VqVdb5UfIbWbDgGQe+jEeAchHS3JqUfrupqR/ysZg/llHDGm0Xj/14 431VGzEvhMb7LpiTIzduBxyr1yO2FchR0dFNQ9gomzISI3U7IrPRwK7+M/cAMnqbiWgX RZCw/eJPonurFp4z+4mzjQgMcziXyr8OEp/obgeXwiPOr6ZmUGr5Egp3jnmPb+cd15JP By1qBlv4LCcBI4tzn8YT+tRC5U9TNqaJ7MQQGiMDAJYRMsSg0bzH/COnQbxl6kU5aW8d hswQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711172068; x=1711776868; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rjRpuxHwpyZxUD/dorUrUgSCiWn8qVM9mqlx5wMiF0g=; b=s3+89peegduD8FuW24Uwb9UgDIAM8JpLWHns0ASqDo8Tpg/ZMEfuXn97uL2vcJlljo MjBKL5+Vy+ePGVcN6bK/W429LDwP0+IKovaV+9f5vwtPnudp8ZDpkeDl2LQjwV6yDmxq EIhS1diQ8n9GCmGVShoT38Sb3uA29JuqLJW0+c9nl2dUZbQOz2SKll4v3Qcjd7dCh2D0 wuGJ47Jb0wq9zR3ccDQZg/TkGZixEA59KdS3+ezsKvc2LGxcTngQkC22kDfmv7WuaVn7 j9RsMFBjZVaY2HdPTwbydwjw1yUbrK311JCYGK7yxCeapDGN2MqQGEKkS0X+QBxbz7s3 8OXw==
X-Forwarded-Encrypted: i=1; AJvYcCWBLx/yyEPnwbDF+51gsGPPM78rVKhkshzNW/DDr+o3xzqZH3QpeyqYJdEaKhX+um4Lh7V4eoEpl5cxw68j
X-Gm-Message-State: AOJu0YzIyjCNXeu6hvJf6OaKLhbVI0lcmYLhbK0rIp3eNFWqIFYCEVzo 2//cPCJeWiiJTLjsfsjTkL3/bM9OUcYpe55gSTDeY/8SpQ0nmNUC4akSXD4f5CyyzJ6Q0OKP/E0 WCLbg8G6yI8/1Lx1DYuCxDBTB0fxk9+sOBQ==
X-Google-Smtp-Source: AGHT+IGXpU+iEBxy7nZ1chBmx1zDyiiSllWAepEtpnYtKfNH+LQzc2NcoDA7HhOml23nX0XcwmgxI4B6ORYkadSjVBU=
X-Received: by 2002:a25:c787:0:b0:dc2:279f:f7e with SMTP id w129-20020a25c787000000b00dc2279f0f7emr1140162ybe.10.1711172068049; Fri, 22 Mar 2024 22:34:28 -0700 (PDT)
MIME-Version: 1.0
References: <Zfa0cauyJ0n2uRkI@LK-Perkele-VII2.locald> <CAFWvErWGBVHJp5gDfTQdxSsQKpkFcnw34kbKiadgqXB6ewX==g@mail.gmail.com> <Zff4A40zh_--tIWr@LK-Perkele-VII2.locald> <CAFWvErUaa4hxNmM82HY9mU6TyvWsh-5zAtDXO4r4qoqEfvxwOA@mail.gmail.com> <3732594D-ECA8-4BA3-9CFC-4E4E6E88D13A@island-resort.com> <CAFWvErXkcV8prWVTF=VLRZtin9wA1Z8+DPkopQxvDzqTepZ1ZA@mail.gmail.com> <A1D2BF92-68FE-4E67-A420-D19D55AD6C99@island-resort.com> <CAFWvErWo11A--1Nkkv8p7JkF+xCPD66hVxJa8CTU+nO74cbCrA@mail.gmail.com> <2FC023C9-9091-4C9C-A2C7-350945C04B23@island-resort.com> <CAN8C-_KgZmFMkg_GsF0YgzgS+jCJKWAOZdytZKVwgbirrDUc_Q@mail.gmail.com> <Zf1jjGx2ZimgRqAD@LK-Perkele-VII2.locald> <CAFWvErVR6CSTd6bxRyTXWpib3jyjOWwdvDnprBOwPSed8GSDVA@mail.gmail.com> <B9B41D94-6708-491B-8551-5D504B8D8339@island-resort.com> <CAFWvErWKs0gzfvPymsOGfQXjMuAQRUJNaodvVfAbUWiwbuNMwg@mail.gmail.com> <CAN8C-_JhbNqZLO1ig9t2ShcWK1p7RbvHsuQw6hJQkJScfir29g@mail.gmail.com>
In-Reply-To: <CAN8C-_JhbNqZLO1ig9t2ShcWK1p7RbvHsuQw6hJQkJScfir29g@mail.gmail.com>
From: AJITOMI Daisuke <ajitomi@gmail.com>
Date: Sat, 23 Mar 2024 14:34:17 +0900
Message-ID: <CAFWvErX5XR3n=wJ83EgZ3DzZmCwznaLVU1Qtre=Bq6Nu205_Gw@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: "lgl island-resort.com" <lgl@island-resort.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000440cb606144d4bef"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/zCohgUrbxzx69ss0ZCb_ulOtZxc>
Subject: Re: [COSE] [jose] HPKE PartyU / PartyV
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Mar 2024 05:34:32 -0000

>
> The solution to the attack is ... to cause a different CEK to be derived
> if the next algorithm changes.


Agreed.

The solution to the attack is to cause decryption of the CEK to fail when
> the next alg changes, ....


My understanding is that this cannot be a solution to the lamps attack,
because in that attack, an attacker is a legitimate sender/recipient.
The attacker adds A128CBC to alg at layer0, and also adds A128CBC to
next_alg at layer1, and sends a victim the ciphertext to reveal the target
AEAD ciphertext block.

Hmm, am I making some big misunderstanding here?

The discussion has become too complicated, so I would like to pause it on
the mailing list for now. I also want to organize my thoughts a bit more
and  write my ideas on the GitHub issue.

Daisuke




2024年3月23日(土) 9:09 Orie Steele <orie@transmute.industries>:

> One way to assure yourself of the attack is to implement it.
>
> You don't need HPKE to convince yourself of it, at any point where you
> decrypt a content encryption key, and then apply it to the enc structure at
> layer 0, and you choose the algorithm from the layer 0 header or from
> external information... Imagine the attacker has changed this, or a service
> has misconfigured the algorithm that will be used.
>
> The result of AES-CBC will be garbled, but it will contain information
> about the CEK.
>
> The solution to the attack is to cause decryption of the CEK to fail when
> the next alg changes, or to cause a different CEK to be derived if the next
> algorithm changes.
>
> OS
>
>
>
> On Sat, Mar 23, 2024, 9:35 AM AJITOMI Daisuke <ajitomi@gmail.com> wrote:
>
>> Laurence, sorry, I just want to understand why next_alg can protect
>> against the lamps attack to two-layer COSE-HPKE.
>>
>> Unfortunately, currently no algorithm that takes a key (as opposed to
>>> giving a key) can protect the algorithm at next layer.
>>
>>
>>
>> Ilari, I interpreted what you said as meaning that there is no algorithm
>> for encrypting (wrapping) the layer0 keys at layer1, including COSE-HPKE,
>> that can prevent the lamps attack. Am I mistaken?
>> If I was mistaken, could you tell me how the next_alg can specifically
>> protect against the lamps attack to the algorithms that takes a key?
>>
>> > Could you tell me specific attack methods or threats?
>>
>> This is the question I posted previously, and I found a threat myself. I
>> thought there might be a slight possibility for a lamps attack to succeed
>> if the victim can accept both A128CBC and A128GCM as content encryption
>> algorithms at Layer0 and uses the same CEK for both algorithms. However,
>> the next_alg is only bound to the key wrapping the CEK and cannot affect
>> the CEK itself. Therefore, it doesn't seem like a meaningful measure since
>> it can't limit the reuse of the CEK.
>>
>> Am I missing something?
>>
>> Daisuke
>>
>> 2024年3月23日(土) 7:01 lgl island-resort.com <lgl@island-resort.com>:
>>
>>>
>>> On Mar 22, 2024, at 6:44 AM, AJITOMI Daisuke <ajitomi@gmail.com> wrote:
>>>
>>> Unfortunately, currently no algorithm that takes a key (as opposed to
>>>> giving a key) can protect the algorithm at next layer.
>>>
>>>
>>> Ilari is talking about algorithms like AES Key Wrap, not what HPKE
>>> Seal() provides and not ECDSA.
>>>
>>> I agree. The content_encryption_alg (next_alg) cannot be a
>>> countermeasure to the lamps attack on KAwKW(-29, etc.) and two-layer
>>> COSE-HPKE.
>>>
>>>
>>> next_alg (or better content_encryption_algorithm can be used to protect
>>> COSE-HPKE and probably also protect -29 if applied correctly.
>>>
>>> Of course, it is effective against the attack on direct KeyAgreement
>>> (-25, etc.) and I think it's much better than COSE_KDF_Context.
>>>
>>> I believe what we should consider is only whether non-AEAD algs should
>>> be prohibited at layer0 or not.
>>> I think it would be better to be prohibited if possible.
>>>
>>>
>>> Daisuke, it looks to me that you are the only one that continues to
>>> argue this. Also, nothing you’ve said has created any doubts for me.
>>> Respectfully, I’m not going to respond to your arguments any more unless
>>> something very substantially changes.
>>>
>>> LL
>>>
>>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose
>>
>

v2.23.0 | Report a Bug | By Email