[jose] Re: draft-ietf-jose-hpke-encrypt-01

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 09 July 2024 06:23 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B382C1CAE93 for <jose@ietfa.amsl.com>; Mon, 8 Jul 2024 23:23:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B-vUWFdIu9BD for <jose@ietfa.amsl.com>; Mon, 8 Jul 2024 23:23:09 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F2C6C18DBA4 for <jose@ietf.org>; Mon, 8 Jul 2024 23:23:08 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id DE0CC12F89 for <jose@ietf.org>; Tue, 9 Jul 2024 09:23:04 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id Bk91qaAlDcJh for <jose@ietf.org>; Tue, 9 Jul 2024 09:23:04 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id AD2832309 for <jose@ietf.org>; Tue, 9 Jul 2024 09:23:03 +0300 (EEST)
Date: Tue, 09 Jul 2024 09:23:03 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>
Message-ID: <ZozXR_gL6GhPQ2X1@LK-Perkele-VII2.locald>
References: <CAN8C-_KMx_M9vL3kwoohkiVrndU_MohxdGC_vLkBo7R_+-6T2g@mail.gmail.com> <CACVbtYOsf7MkHPOzFgE14JhKrSzAd8EkZ0Sr4X0XRMzdCUtbkA@mail.gmail.com> <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com> <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com> <CACVbtYPauBzeSmXPr8Fyb7Jh3u7ydJgX632B0Fwdn4UPgAfQBg@mail.gmail.com> <CACVbtYOKCrqs_tf2QUqJ1P-WWd7WeKw_VMzqgCyCvaaXmqTppA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CACVbtYOKCrqs_tf2QUqJ1P-WWd7WeKw_VMzqgCyCvaaXmqTppA@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: GETZMK5OPQW5TNYBGT4TX5YEQMBLHBSG
X-Message-ID-Hash: GETZMK5OPQW5TNYBGT4TX5YEQMBLHBSG
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: draft-ietf-jose-hpke-encrypt-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/-1qknTu_nwP05n3olrW6NGFbpLY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

On Mon, Jul 08, 2024 at 07:11:22PM -0700, Les Hazlewood wrote:
> >
> > Why is JWE HPKE Key Encryption necessary at all?  Since HPKE requires
> > asymmetric keys to be used, what is the use case for encrypting a
> > direct/shared symmetric key when the recipient must decrypt with their
> > private key anyway?
> >
> 
> Trying to answer my own question:
> 
> "alg": "HPKE-P256-SHA256",
> "enc": "A256GCM"
> 
> would mean a JWE content encryption key would be obtained by executing the
> KEM to derive a shared secret which is then made uniform by HKDF-SHA256.
> The output of the HKDF Expand function would be the content encryption key
> used to directly encrypt the payload using AES 256 GCM.
> This would imply that the HKDF's `Expand(prk, info, L)` function's `L`
> input length must be equal to the `enc` required key length (in this
> example, `256`).

Right. And doing that with HPKE requires secret export API (RFC 9180
section 6.2.).

 
> Whereas
> 
> "alg": "HPKE-P256-SHA256-A256GCM",
> "enc": "A128GCM"
> 
> would mean
>   a) an ephemeral AEAD secret key (the CEK) would be generated for the
> `enc` algorithm (e.g. AES 128 GCM)
>   b) this ephemeral AES 128-bit CEK would itself be encrypted using HPKE
> P256-SHA256-A256GCM
>   b) the ephemeral AES 128-bit CEK would be used to encrypt the recipient
> payload, and the CEK ciphertext would be included in the recipient header.
> 
> Then the recipient uses HPKE P256-SHA256-A256GCM to decrypt the CEK
> ciphertext, producing the CEK, which is then used to decrypt the payload.

Right.




-Ilari