IETF Logo Mail Archive

Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?

Orie Steele <orie@transmute.industries> Mon, 12 February 2024 23:17 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06A10C1519BB for <jose@ietfa.amsl.com>; Mon, 12 Feb 2024 15:17:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cdWAPwVoRJzC for <jose@ietfa.amsl.com>; Mon, 12 Feb 2024 15:17:40 -0800 (PST)
Received: from mail-pg1-x52a.google.com (mail-pg1-x52a.google.com [IPv6:2607:f8b0:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5310C15155B for <jose@ietf.org>; Mon, 12 Feb 2024 15:17:40 -0800 (PST)
Received: by mail-pg1-x52a.google.com with SMTP id 41be03b00d2f7-5c6bd3100fcso2285285a12.3 for <jose@ietf.org>; Mon, 12 Feb 2024 15:17:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1707779860; x=1708384660; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Xsh3GRZWyI2LCwgAFezTB/S8dGRFJ4NfLQn+KKLLNkI=; b=dO48ahhGBdAEyUU61sFWpg0JZMdcNyvH4Kz9qymucAcs+Vbya6OfPwL02Vm0QqC9qw wNd9cJzyfZ58LDlRZPja4/81i68lODtRDRrYx3ln/Y3wEe6rPAzm35CzkJyve2L6CQaM dihJpNiTN8tgdy5je7bRaZBcEbIfGWwPV0DwXUwsTM1UotkA2yVoT8YQvgMwDvqunKVN ah/fLzehrvYary1zwOEXs/r33Fj/fgS821ZNWVYHnFBlX5wJ8CIbzzhMZmapIO0l/2To MfvsQepaRhkgkHGo42Z4Aac+5WMLMYe8w5Y4KpF/BCKKKLsRYEyky6jAhkikykEGFPAS Y/yw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707779860; x=1708384660; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Xsh3GRZWyI2LCwgAFezTB/S8dGRFJ4NfLQn+KKLLNkI=; b=SiIsQkeCogXeyDpBjqToERiM11Ebkwd+zbije0ZJrjxjSp8aFgSHxWkf82dCId5GT3 Y76wMM+mAP1MdO7uvPECiXAef29KQet45/dyCvGQPVPr5FlKmyiY98NJ0CuMz0wEwFQt Fe/V4RczvDFvSx9fEez9VTe1YXUN1g5F+f+gIcuTDSbBWMDDIw0RRrtgWa53+IHt61j8 zqzNhJTL8+DW9V/JwhldJrKkEo+NtpwIBjLYFtDoNzo/0vFHqEWMklh5zpZu0gXCVbne 8o3kt/1/OIUULjlm5xfa0eP1lrSerJFQqq1a5x8k1BAGGfLbIWVWOCpl2RCOlzaz3bBz gF7w==
X-Forwarded-Encrypted: i=1; AJvYcCXOHw3K/PoVhFCVTS4uXLTa+iBn/6yM7eAEyM5ufw5FMTzXc0Z/QQ24XXaF6HdQZznfaP5nw+DE+IgO3yQ8
X-Gm-Message-State: AOJu0YwtYfRNgu7ocruO/I4Qgfq3SPztedpBnxk3rdY/1pMlRjYnNyz1 VrfZponE7H43XOlR3HylAmu3P0snLvDDHG9TzDb7V1h9IB3VoedFJz2M9liQ44mJL1Yk5gKi+AK 9ZuvU2BqsF36w3Tmflgt3JGnAA/fGtuovJKq0gQ==
X-Google-Smtp-Source: AGHT+IHRRY+yUDOrIRVUSTW6jKSrI+slzsn+bE1w4Ju3ZfdXIeXMWY27+kstmC4fVFBhV7AFv8ZQVjHo9Wr9JoUWZCc=
X-Received: by 2002:a17:90b:1d09:b0:296:fef2:6e20 with SMTP id on9-20020a17090b1d0900b00296fef26e20mr4350302pjb.25.1707779860172; Mon, 12 Feb 2024 15:17:40 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_LgRdZ-vXFDQJSghKBfJ_gGZWaUE2+qX63faLdnTHSGGg@mail.gmail.com> <ZcqJEVmDxo0YZ6qi@LK-Perkele-VII2.locald> <CAN8C-_+5+rfseHqv2KBV4A0GOy7pvWqKwL8ycC+U9w+wm91P0Q@mail.gmail.com>
In-Reply-To: <CAN8C-_+5+rfseHqv2KBV4A0GOy7pvWqKwL8ycC+U9w+wm91P0Q@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 12 Feb 2024 17:17:28 -0600
Message-ID: <CAN8C-_L02Q9JUC9ESa==0KwYGKWj254rEOgDUhZEhe2knKF+Tg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000eba4de0611377bd7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/A4c14nm1ygEK-LIN5g6pIKdB-oc>
Subject: Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Feb 2024 23:17:45 -0000

I tried to capture some of the comments from Ilari on KEMs here:
https://github.com/selfissued/draft-ietf-jose-fully-specified-algorithms/pull/4

Before the registry experts get flooded with Kems, Hybrid Kems, and Hybrid
Composites, we should at least get some guidance in place on what makes a
KEM "fully specified".

I think the KDF part is the main piece, in other words a KEM algorithm is
fully specified, if it implies the use of a single KDF.

But we have a similar situation with ECDH-ES, and it seems the convention
at least from HPKE is to name the KEM after the curve and KDF, for example
"DHKEM(P-384, HKDF-SHA384)"...
https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-kem-ids

I assume RSA Kem would look sorta similar if it were added to the HPKE
registry... It is surprising we don't see RSA KEM including some indication
of strength in the algorithm identifier, in the examples we see "RSA-KEM
with a 3072-bit key and KDF3 with SHA-256;" ... and I see ASN.1 with
"CMS-RSA-KEM-2023".

What would a "fully specified RSA Kem algorithm ID" look like?

I'd imagine something like "RSA-KEM-3072-KDF3-SHA-256" ?

OS

On Mon, Feb 12, 2024 at 4:55 PM Orie Steele <orie@transmute.industries>
wrote:

> Inline:
>
> On Mon, Feb 12, 2024 at 3:09 PM Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
>
>> On Mon, Feb 12, 2024 at 12:41:52PM -0600, Orie Steele wrote:
>> > See https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/
>> >
>> > Do we expect to see RSA Kem support in JOSE and COSE without the use of
>> > HPKE?
>> >
>> > If so, how do we identify RSA keys for use with KEMS? How do we
>> transport
>> > KEM CT ?
>>
>> I would imagine keys specify which KEM those keys use.
>>
>> And then there would be KEM algorithms analogous to ECDH-ES ones (there
>> are a few details about ECDH-ES algorithms that need tweaking for
>> things to work with KEMs).
>>
>> IIRC, only three differences are needed:
>>
>> - KEM shared secret goes where ECDH result used to go.
>> - Where one sticks the KEM ciphertext.
>> - Some trivial encaps/decaps process stuff.
>>
>> Things like KDFs can just be reused as-is.
>>
>>
>> > One option would be to reuse what we have in the JOSE HPKE draft, to
>> > transport the KEM CT as an ephemeral encapsulated key:
>>
>> If HPKE uses a header, I would imagine it uses the same one. KEM CT
>> can be assumed to be a byte string.
>>
>>
>> > Similar to the discussions we have had for ECDH-ES+A128KW vs HPKE, let
>> us
>> > start a discussion for
>> >
>> > RSAES-OAEP w/ SHA-256 vs HPKE or Plain RSA Kem (TBD)
>> >
>> > - https://www.rfc-editor.org/rfc/rfc7518.html#section-4.3
>> > - https://www.rfc-editor.org/rfc/rfc8230.html#section-3
>>
>> Well, there is already RSA support.
>>
>> However, stuff like this might be more interesting:
>>
>> https://github.com/lamps-wg/draft-composite-kem/pull/11
>>
>>
> Yes, this is another reason to ask... will we see composite kems as
> standalone building blocks (like RSA Kem)
> Or will we see HPKE Suites that pair those building blocks with specific
> choices of KDF and AEAD.
>
>
>
>>
>> > The reason I raise this, is that Ilari mentioned wanting to use JOSE
>> HPKE's
>> > Integrated Encryption and Key Encryption modes, without HPKE but with
>> other
>> > KEMs, so considering how RSA Kem might be supported in JOSE and COSE
>> seems
>> > worth discussing.
>>
>> Integrated Encryption can not work with KEMs.
>>
>
> Of course, you are correct.
>
>
>>
>> In JWE and COSE, KEMs act similarly to ECDH-ES and have the same types
>> (Direct Key Agreement, Key Agreement with Key Wrap(ping)).
>>
>> Anything one can use ECDH-ES for, one should be able to use KEM for.
>>
>
> epk is already used for this case, the ES part, is what pairs with the
> "epk" part.
>
>
>>
>> > Is it ok if JOSE uses "epk" and JWK, COSE uses a new header
>> > parameter instead of using "epk" and COSE Key?
>>
>> Well, I think using new header parameter is easier for implementations
>> than using a JWK (or COSE_Key). The JWK seems just pointless wrapping
>> of a byte string.
>>
>
> It's not pointless.
> It uses the existing code points for headers, which reduces the burden on
> applications that will have to keep processing those headers.
> The applications only need to switch on "alg", and then process the
> associated epk.... which is what they are already doing for
> "ECDH-ES" and "epk" today.
>
> If we didn't have these existing application processing considerations, it
> would be easier to say adding a new header param is the correct solution in
> my opinion, but we are probably headed for testing RSAES-OAEP, ECDH-ES, and
> HPKE recipients for the same encrypted messages.... if we add
> RSA-KEM+A128KW to that mix, it's better to consider the design cost of that
> now... before the drafts become standards... I think either path will work,
> but we should force the API design to align, for the sake of developers...
> I would call it a win if JOSE and COSE handle this in a similar way, and a
> loss if they decide to handle it differently... I am not attached to the
> design using epk, but I do think it is easier for implementations that have
> to keep supporting ECDH-ES alongside HPKE and RSA Kem.
>
>
>
>>
>>
>>
>>
>> -Ilari
>>
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose
>>
>
>
> --
>
>
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
>
> <https://transmute.industries>
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email