[jose] Re: draft-ietf-jose-hpke-encrypt-01
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 10 July 2024 07:36 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8624C16941D for <jose@ietfa.amsl.com>; Wed, 10 Jul 2024 00:36:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iuRRHTFDomCb for <jose@ietfa.amsl.com>; Wed, 10 Jul 2024 00:36:22 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4b.welho.com [83.102.41.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7990C16941F for <jose@ietf.org>; Wed, 10 Jul 2024 00:36:20 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id BD91767EB4 for <jose@ietf.org>; Wed, 10 Jul 2024 10:36:18 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id 3YUnolvFOTrF for <jose@ietf.org>; Wed, 10 Jul 2024 10:36:18 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 383AC28B for <jose@ietf.org>; Wed, 10 Jul 2024 10:36:17 +0300 (EEST)
Date: Wed, 10 Jul 2024 10:36:16 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>
Message-ID: <Zo458Mu_-f_nnYbe@LK-Perkele-VII2.locald>
References: <CAN8C-_KMx_M9vL3kwoohkiVrndU_MohxdGC_vLkBo7R_+-6T2g@mail.gmail.com> <CACVbtYOsf7MkHPOzFgE14JhKrSzAd8EkZ0Sr4X0XRMzdCUtbkA@mail.gmail.com> <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com> <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com> <CACVbtYPauBzeSmXPr8Fyb7Jh3u7ydJgX632B0Fwdn4UPgAfQBg@mail.gmail.com> <CAN8C-_JyHsr07FcTMwA01+QTkzjxxqvv0fNpFthytSyyP+MgKQ@mail.gmail.com> <Zo1d2jNRtAjCGC4N@LK-Perkele-VII2.locald> <CAN8C-_JtWT=mG++9khv7H5Vb4uDoEqNjwhtozTEFFp-XGOuq1g@mail.gmail.com> <CACVbtYMY61mQWhROeeDobHZvkzCeTDKw1DCNOqJEmKepE1vOoA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CACVbtYMY61mQWhROeeDobHZvkzCeTDKw1DCNOqJEmKepE1vOoA@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: JNVMU265FQ2EZT5PA6SCRCOGPFRGYTSL
X-Message-ID-Hash: JNVMU265FQ2EZT5PA6SCRCOGPFRGYTSL
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: draft-ietf-jose-hpke-encrypt-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/EOIRcmAeH_a8RC348n12o6rVbH8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
On Tue, Jul 09, 2024 at 02:02:01PM -0700, Les Hazlewood wrote: > I agree, `alg` and `enc` (when present) have always been related: other > than "alg": "dir", `alg` must always produce a key compatible with `enc`, > and therefore it must 'know about' things relevant to `enc. It doesn't > make any sense to me to claim `alg` must be independent of `enc`. Since "enc" is required to be symmetric AEAD, the only compatibility requirement is key being of correct length. As consequence, currently the only ways in JWE where value of "enc" affects what "alg" does in any way are (both related to Direct Key Agreement): 1) For DKA, the AlgorithmID in KDF context is "enc" value. 2) For DKA, the KDF output length is "enc" key length. > This feels a whole lot like trying to force-fit existing 10-year > well-defined headers to support entirely new concepts that were never > intended to be used in such headers (`alg` has never required anything > about *content* encryption, only key encryption); see my preceding response > in this thread. That is pretty much what is going on. JWE was always intended to perform bulk encryption itself, it was never intended to delegate that task to anything else. > Anyway, conceptually at the highest level HPKE is a 3 phase process: (key > encapsulation) --> (key derivation) --> (content encryption), so the `alg` > value should contain all the (key encapsulation) -> (key derivation) parts > first because that's the 'key management' stuff. Separating key managment and bulk encryption in HPKE requires using the Secret Export interface. It is possible to use HPKE Secret Export as Direct Key Agreeement in JWE. > But for JOSE, the first two phases aren't just KEM-->KDF. It's KEM-->KDF > optionally followed by a key encryption/wrap algorithm. In other words, the > JOSE CEK is still derived - it's just derived using both the RFC 9180 > KEM->KDF phase, potentially followed by a key encryption/wrap phase. It's > all still "key derivation", but just a potential extra step beyond what RFC > 9180 defines. That is not correct: - JOSE requires key encryption to be the first step. - HPKE does not allow adding any extra steps beyond RFC9180. One can construct JWE Key Encryption by just calling the single-shot HPKE encrypt/decrypt interfaces to encrypt/decrypt the CEK. > This implies the only way to really represent a polymorphic KDF identifier > for JOSE would be either: > - a standard HKDF identifier for integrated encryption e.g. "$hkdf_id" > - a standard HKDF identifier concatenated with the `+` character followed > by the key encryption algorithm identifier, e.g. "$hkdf_id+$kealg_id" > > This is all still part of the JOSE 'key derivation' phase and identifier > strings should be tightly associated as such (combined) before any content > encryption identifier. The whole point of Integrated Encryption is to erase the distinction between 'key derivation' and 'bulk encryption'. > There doesn't seem to be a good way to avoid the explosion of registrations > Orie is hoping to avoid. Based on > https://www.iana.org/assignments/hpke/hpke.xhtml and the existing JWA RFC, > there are (currently): > - 10 KEM algs > - 3 KDF algs > - 6 key encryption algs (A128KW...A256GCMKW) > - 6 JOSE content AEAD algorithms > > implying a whopping 1080 permutations! > > Removing the content AEAD algorithm from the alg identifier (and keeping it > only in `enc`) drops the permutations to 180. Still quite large. Even registering absolutely everything HPKE has would only be 90 permutations (10 KEMs, 3 KDFs, 3 AEADs). Dropping combos that make little sense reduces that to 20, and dropping "non-standard" stuff reduces that to 10. -Ilari
- [jose] draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Michael Jones
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 tirumal reddy
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Simo Sorce
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Brian Campbell
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Brian Campbell
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda