IETF Logo Mail Archive

Re: [jose] [COSE] HPKE PartyU / PartyV

AJITOMI Daisuke <ajitomi@gmail.com> Mon, 04 March 2024 03:05 UTC

Return-Path: <ajitomi@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B79BEC14F61D; Sun, 3 Mar 2024 19:05:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SsfBJCF3_F5E; Sun, 3 Mar 2024 19:05:18 -0800 (PST)
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80575C14F5F4; Sun, 3 Mar 2024 19:05:18 -0800 (PST)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-609408d4b31so38684937b3.0; Sun, 03 Mar 2024 19:05:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709521517; x=1710126317; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=zn4cVOEV5qtySi26Hv1CwYtgtRwPq97oBBZUC6RMmTo=; b=dF8TUBwRycRPwC0vFQ9LddFcc8Jk3Uc2qo5bBI4n5QHVziui1g/RFG15/Nk2HsQP5y 0nfSZSikyEnT5E7MElB7mJnc2q37TF8cGg7bo70cB9iV0Ao12aHCo5k4eC+tP4TT8NLh O+ZBvuTur/2qF12NAChH3QmPOa6FoRPQEcWQ0332M+8HuVg36/HPDaa1D/gbex8MXsOB bGARjUOuOXyaP5Vcy3ioPSdtmjgKCrkqtKL7ZD8QhS8mo51GKHcZY58BmNu+nv7e05/g s2AGoIBxELyVvyVxvxb1KXRlL2NNTSPmoF4c7FF/UVbRMk0LK+mCU7bKt76rD+XOfd5i 19dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709521517; x=1710126317; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=zn4cVOEV5qtySi26Hv1CwYtgtRwPq97oBBZUC6RMmTo=; b=I4/FuXcVYHqxr+gPbo3uZNditK0tphkM/C6CK0Kg9FqKJKTfDVS3CJL36zNzuTssXg LMnqBs4XzLsui9F6y/x6KdzdH2slxUXHL3lXq4rYGquY2a1ALh7dbpySpWQU14+XxzDY 8DMK154Qa562pOIM3Fg//4FlpuNDJnZCKrvfcAwxX//m3NHOj3k8+tL6AlIijLoT3vIa kLCZhDiOjUsu4OIQafv0KC/DjgSzvwCL3CYoz2gwcIV9kaeOdcytuYuqFFdWoM67uwTC sfsMlf6QtK41rpnM7eXYFUc3T9SzbiTLOgY8Gn85qWnz2eL+lEGNxKCZaSfcWTb5Ux9L G7sw==
X-Forwarded-Encrypted: i=1; AJvYcCV/AnpbwdDes99s45HFvQvA5mCkiLVkpHX17CUu/cS67sBzrGpoUCqLxmSAkSUlr2ets35KyZQCp4/UUR6J4cCF0045ZcKbbCPsb66a
X-Gm-Message-State: AOJu0Yxi61Re0WseyADOjEBgUPohZRsUkO9nZ+f29m5TNZDzWo4ZsPmX 7mbbwEJGGpg6JiQJRpcjVQNPntxTo58EPAkVwl4mIOBXnBwtnL9a5CGcG8vytBjm2crTsv05R4k 2riYv3AKoh/3/IiZxjSbEMihBpZ1/S4We5e3QEdE=
X-Google-Smtp-Source: AGHT+IF+VixNO59SNe1KoGtREStwuxjDK7KHDF34vZEwVrSAgJMB9ezfVLl1PtCbe7sCKSDMn2Lh9uMYEurvgDvXyIU=
X-Received: by 2002:a25:880b:0:b0:dcb:aa26:50f9 with SMTP id c11-20020a25880b000000b00dcbaa2650f9mr5193758ybl.46.1709521517204; Sun, 03 Mar 2024 19:05:17 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_LUMe09=WbkwT-RckhR8+LYCQMw8XWnwmDLE5riYjd7pg@mail.gmail.com> <Zd749IrwWC2hI6yX@LK-Perkele-VII2.locald> <CAN8C-_J+mMABCa2HPWv5zJ=u1HSb+saq_mn5kB0Wq5upWUyM9Q@mail.gmail.com> <Zd-NRA2kH4fc_d-X@LK-Perkele-VII2.locald> <CAN8C-_+tG9845bn986Anr89ObNpUCzOAuiEJMPh4KGK3ixB+uQ@mail.gmail.com> <Zd-colj_jF47gLQP@LK-Perkele-VII2.locald> <CAN8C-_Jw2J6OY6N7gRVepVuHiC5NqgH36dXQ6krZ1U-Spqq7fQ@mail.gmail.com> <ZeCZJK76cQNZp7q9@LK-Perkele-VII2.locald> <CAN8C-_+_nzGCWV6zNny1j_9TTikW8rBtw9388YB7UGzSwEzoTw@mail.gmail.com> <ZeDih4he5eZ1y3PO@LK-Perkele-VII2.locald> <729F40F3-B0EC-41EF-A0D2-FD8EDEA39D56@island-resort.com> <CAFWvErWwfkT7cz4R-jMt+3-54ywyVwBjE=Lita7TwsQEi04TTw@mail.gmail.com> <2CDCCF72-F32D-410D-8BB3-7984D38104D3@island-resort.com>
In-Reply-To: <2CDCCF72-F32D-410D-8BB3-7984D38104D3@island-resort.com>
From: AJITOMI Daisuke <ajitomi@gmail.com>
Date: Mon, 04 Mar 2024 12:05:06 +0900
Message-ID: <CAFWvErXvz_Uib-wiQhcJ0DxRE0pbPmyrSO2Asn=dgf6fnJgniA@mail.gmail.com>
To: "lgl island-resort.com" <lgl@island-resort.com>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c4d7c30612ccfe4c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/EeIW_4MrNfKXKSaPZ0Ql2JM9KGo>
Subject: Re: [jose] [COSE] HPKE PartyU / PartyV
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2024 03:05:22 -0000

> Seems more like efficiency / economy trade-off. You don’t really need
both. There’s no security reason for one or the other.

That's right. Thank you for clarifying what I wanted to say.

Daisuke

2024年3月4日(月) 3:42 lgl island-resort.com <lgl@island-resort.com>:

> That’s helpful.
>
> If you read the paragraph before you get more context and more
> understanding why there’s both. Seems more like efficiency / economy
> trade-off. You don’t really need both. There’s no security reason for one
> or the other.
>
> Using aad like Ilari said, seems good to me.
>
> LL
>
>
> On Mar 3, 2024, at 1:33 AM, AJITOMI Daisuke <ajitomi@gmail.com> wrote:
>
>
> I haven't been able to read through all of the long discussions so far,
> but ...
>
> Ilari, even if you can’t say why, can you tell us where the text that
>> prohibits use of both INFO and AAD is?
>
>
> I think this is about the following in Section 8.1 of RFC9180:
>
> Applications that only use the single-shot APIs described in Section 6
>> should use the Setup info parameter for specifying auxiliary authenticated
>> information. Implementations which only expose single-shot APIs *should
>> not* allow applications to use both Setup info and Context aad or
>> exporter_context auxiliary information parameters.
>
>
> It's not prohibited, but it says "should not''.
>
> This essentially means that, in HPKE, In HPKE, both INFO and AAD serve the
> same role of binding information from the application layer to the HPKE
> process and the difference between INFO and AAD only comes down to whether
> the same can be used across multiple EncryptionContexts (INFO) or not (AAD).
>
> I believe that at least the authors of HPKE regard both in this way.
>
> Best,
> Daisuke
>
> 2024年3月2日(土) 4:23 lgl island-resort.com <lgl@island-resort.com>:
>
>>
>> On Feb 29, 2024, at 1:01 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
>> wrote:
>>
>> On Thu, Feb 29, 2024 at 11:04:57AM -0600, Orie Steele wrote:
>>
>> I think we actually agree here.
>>
>> The remaining point is just what to do in HPKE.
>>
>> 1. New header parameters, mandatory processing rules, mix
>> content encryption algorithm into the KDF (via HPKE INFO).
>>
>>
>> HPKE does not allow using both INFO and AAD for one message (I do not
>> know why), and INFO has a short length limit (because it is used in
>> ways that pretty much require buffering).
>>
>> So only AAD can be used.
>>
>>
>> Illari, even if you can’t say why, can you tell us where the text that
>> prohibits use of both INFO and AAD is?
>>
>> Note that COSE -25 and -29 allow the input of a salt into the KDF outside
>> of COSE_KDF_Context. If we wanted to do similar in COSE-HPKE, use of the
>> info parameter is the obvious place.
>>
>> I can’t see any technical reason that both couldn’t be used and I wonder
>> if there is some reason we might want to allow COSE-HPKE users to be able
>> to supply inputs to the KDF function.
>>
>> Or asked another way, what are the security trade-offs between AAD and
>> INFO? There’s lots of security considerations in RFC 9180, but none seem to
>> discuss this.
>>
>> I don’t see an issue here, but it would be nice to understand.
>>
>> Thx!
>>
>> (RFC 9180 is impossible to search because the variable names used in the
>> Python code are so short. “info” occurs almost 200 times)
>>
>> LL
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose
>>
>
>

v2.23.0 | Report a Bug | By Email