[jose] Re: draft-ietf-jose-hpke-encrypt-01

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 09 July 2024 15:57 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93847C16940A for <jose@ietfa.amsl.com>; Tue, 9 Jul 2024 08:57:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ei5ynBCOv7Gc for <jose@ietfa.amsl.com>; Tue, 9 Jul 2024 08:57:19 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4b.welho.com [83.102.41.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4BAAC169413 for <jose@ietf.org>; Tue, 9 Jul 2024 08:57:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id C5F2868298 for <jose@ietf.org>; Tue, 9 Jul 2024 18:57:16 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id INFkc00u8MSp for <jose@ietf.org>; Tue, 9 Jul 2024 18:57:15 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id DA32228B for <jose@ietf.org>; Tue, 9 Jul 2024 18:57:14 +0300 (EEST)
Date: Tue, 09 Jul 2024 18:57:14 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>
Message-ID: <Zo1d2jNRtAjCGC4N@LK-Perkele-VII2.locald>
References: <CAN8C-_KMx_M9vL3kwoohkiVrndU_MohxdGC_vLkBo7R_+-6T2g@mail.gmail.com> <CACVbtYOsf7MkHPOzFgE14JhKrSzAd8EkZ0Sr4X0XRMzdCUtbkA@mail.gmail.com> <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com> <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com> <CACVbtYPauBzeSmXPr8Fyb7Jh3u7ydJgX632B0Fwdn4UPgAfQBg@mail.gmail.com> <CAN8C-_JyHsr07FcTMwA01+QTkzjxxqvv0fNpFthytSyyP+MgKQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAN8C-_JyHsr07FcTMwA01+QTkzjxxqvv0fNpFthytSyyP+MgKQ@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: RAIGSZKM7V43PUAZ4XWUJVYIFCUOHQHQ
X-Message-ID-Hash: RAIGSZKM7V43PUAZ4XWUJVYIFCUOHQHQ
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: draft-ietf-jose-hpke-encrypt-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/2B3Xq85kZx0vcGYS9fW1FpV3kk4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

On Mon, Jul 08, 2024 at 09:05:58PM -0500, Orie Steele wrote:
> 
> I'd love to learn the history of why ECDH-ES+A128KW is not ECDH-ES+A128GCM
> ... but this ship has sailed, "ECDH-ES+A128KW" is mixed into the concat kdf.
> ... the logical equivalent of that happens internally to HPKE, here:
> https://datatracker.ietf.org/doc/html/rfc9180#section-5.1-9

That is because AES-GCM requires a nonce and breaks badly if it is reused,
making it not great for key wrapping. Whereas AES-KW does not even need an
IV.

JOSE does have the (rather broken) A*GCMKW algorithms, which perform Key
Wrapping using AES-GCM.

The easiest way to get around the GCM nonce issue is to generate both key
and nonce together using KDF.


> The difference is that HPKE doesn't give a different algorithm name for
> A128KW and A128GCM... it treats them as both 0x0001 see
> https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-aead-ids

HPKE never uses AES-KW. HPKE always uses AES in GCM mode. It gets around
the problem with nonce as said above.


> HPKE doesn't know if it's encrypting a content encryption key or not...
> If you want to ensure that in higher order systems this distinction is
> authenticated, you need to use setup info or aead aad, see
> https://datatracker.ietf.org/doc/html/rfc9180#name-auxiliary-authenticated-app
> 
> This leads us back to the current proposal...
> 
> - alg: HPKE-P256-SHA256-A128GCM ... enc: A128GCM // in separate headers ->
> key encryption
> - alg: HPKE-P256-SHA256-A128GCM,  enc: A128GCM   // in the same header  ->
> integrated encryption

This does not work because JWE unions recipient headers.

 
> hpke-info = empty
> hpke-aad = protected (.aad) // how the distinction is authenticated

... And this does the wrong thing with Key Encryption (and causes
implementation problems).


> An alternative proposal:
> 
> - alg: HPKE-P256-SHA256+A128KW ... enc: A128GCM // -> key encryption
> - alg: HPKE-P256-SHA256,  enc: A128GCM          // -> integrated encryption
> 
> This doubles the registrations and does not appear to do anything useful.
> ... unless these different alg values are used as hpke-info to force
> different key schedules:
> https://datatracker.ietf.org/doc/html/rfc9180#section-5.1-10
> ... similar to how ECDH-ES and ECDH-ES+A128KW work in concat kdf today.

This is also prohibited by draft-ietf-jose-fully-specified-algorithms
(It requires what alg to be independent of enc).




-Ilari