Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?

[Russ Housley <housley@vigilsec.com>]

Orie:

I do not know if people see a need for KEM outside of HPKE in COSE and/or JOSE.  However, if they do, we want to specify it in a way that allows a crypto library to support it and CMS KEMRecipientInfo with the same API.

Russ


> On Feb 12, 2024, at 1:41 PM, Orie Steele <orie@transmute.industries> wrote:
> 
> See https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/
> 
> Do we expect to see RSA Kem support in JOSE and COSE without the use of HPKE?
> 
> If so, how do we identify RSA keys for use with KEMS? How do we transport KEM CT ?
> 
> One option would be to reuse what we have in the JOSE HPKE draft, to transport the KEM CT as an ephemeral encapsulated key:
> 
> {
>   "protected": "eyJlbmMiOiJBMTI4R0NNIn0",
>   "encrypted_key": "W0nlNK0VztBrVSJo23vNEPcUKbSgRWYaisRpeAqHw5M",
>   "iv": "BvmzuI3ign3WgUVs",
>   "ciphertext": "1iqtwexTYT9lsxppkWVs...Udc0KgLXGvD4l8q_LVvodF",
>   "tag": "fJ1Mq0pP1j_ZrNP2kXDUsw",
>   "aad": "8J-SgCBhYWQ",
>   "recipients": [
>     {
>       "encrypted_key": "W0nlNK0VztBrVSJo23vNEPcUKbSgRWYaisRpeAqHw5M",
>       "header": {
>         "kid": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:iCUZEezL_1kx3t3y9i_AW0LIOmojwr2tBgih7RCy-kE",
>         "alg": "HPKE-Base-P256-SHA256-AES128GCM",
>         "epk": {
>           "kty": "EK", // encapsulated key type
>           "ek": "BN1YNlivxeS3DayvCt...3HDoa1Orh1wqPmw3Pp6Y" // encapsulated key
>         }
>       }
>     },
>     // RSA KEM example goes here... looks like HPKE example above?
>     {
>       "encrypted_key": "B9X-TifYXbA0fKHpASFT4N1_sLMf1...VmWjVhkfgaOvS9VCOzepEM02jFA",
>       "header": {
>         "alg": "RSA-OAEP-384"
>       }
>     },
>     {
>       "encrypted_key": "MRtJFqzpSDoLwS2AW13dbuGcPWrnRl-r",
>       "header": {
>         "kid": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:qXy7xVrE0xm3tS9ilK74GadeD9HF1wnQUzY5ml4pWuY",
>         "alg": "ECDH-ES+A128KW",
>         "epk": {
>           "kty": "EC",
>           "crv": "P-256",
>           "x": "YzBl6tEBdqvkDxcGS7SWePD-oI4J9jMQX6qh3k7lGTw",
>           "y": "s8D6l21rlSCH5IZZF4kjPwGhcoHg3ENGSup3VpE7o_8"
>         }
>       }
>     }
>   ]
> }
> 
> or:
> 
> {
>         / kid /
>         4: h'3031',
>         / encapsulated_key /
>         -4: h'045df...73e', // new cose header, since cose does not support transporting encapsulated keys as "epk" (-1).
> },
> 
> 
> Similar to the discussions we have had for ECDH-ES+A128KW vs HPKE, let us start a discussion for
> 
> RSAES-OAEP w/ SHA-256 vs HPKE or Plain RSA Kem (TBD)
> 
> - https://www.rfc-editor.org/rfc/rfc7518.html#section-4.3
> - https://www.rfc-editor.org/rfc/rfc8230.html#section-3
> 
> The reason I raise this, is that Ilari mentioned wanting to use JOSE HPKE's Integrated Encryption and Key Encryption modes, without HPKE but with other KEMs, so considering how RSA Kem might be supported in JOSE and COSE seems worth discussing.
> 
> Is it ok if JOSE uses "epk" and JWK, COSE uses a new header parameter instead of using "epk" and COSE Key?
> 
> Should JOSE do as COSE is doing? or vice versa?
> 
> Regards,
> 
> OS
> 
> -- 
> 
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
>  <https://transmute.industries/>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose