Re: [jose] [COSE] HPKE PartyU / PartyV

Orie Steele <orie@transmute.industries> Wed, 28 February 2024 21:31 UTC

References: <CAN8C-_LUMe09=WbkwT-RckhR8+LYCQMw8XWnwmDLE5riYjd7pg@mail.gmail.com> <Zd749IrwWC2hI6yX@LK-Perkele-VII2.locald> <CAN8C-_J+mMABCa2HPWv5zJ=u1HSb+saq_mn5kB0Wq5upWUyM9Q@mail.gmail.com> <Zd-NRA2kH4fc_d-X@LK-Perkele-VII2.locald> <CAN8C-_+tG9845bn986Anr89ObNpUCzOAuiEJMPh4KGK3ixB+uQ@mail.gmail.com> <Zd-colj_jF47gLQP@LK-Perkele-VII2.locald>
In-Reply-To: <Zd-colj_jF47gLQP@LK-Perkele-VII2.locald>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 28 Feb 2024 15:31:26 -0600
Message-ID: <CAN8C-_Jw2J6OY6N7gRVepVuHiC5NqgH36dXQ6krZ1U-Spqq7fQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/Hg2vVEbM6W1qNQgIXOklZKZiBoE>
Subject: Re: [jose] [COSE] HPKE PartyU / PartyV

> <snip>

> JWE requirements imply that if { alg: dir, enc: HPKE...A128GCM } is
> legal, then { alg:ECDH-ES, enc: HPKE...A128GCM } is also legal. But
> the latter tries to derive HPKE key from Direct Key Agreement, which is
> absurd. Contradiction. Therefore { alg: dir, enc: HPKE...A128GCM } can
> not be legal. Q.E.D.
>

JOSE HPKE can say:

When using direct encryption, set the protected header "alg" to "dir", set
the "enc" value to "HPKE...A128GCM".
Values other than "dir" MUST NOT be used when "enc: HPKE...A128GCM" is
present in protected headers.
Direct encryption with HPKE MUST NOT be used with more than one recipient.

That being said, we could add new values for integrated encryption, and the
same argument would apply:

{ alg: hpke-ik, enc: HPKE...A128GCM } or { alg: HPKE...A128GCM, enc: hpke-ik }
{ alg: hpke-ik, enc: A128GCM } or { alg: ECDH-ES, enc: hpke-ik }

Arguing a contradiction from a false (absurd) premise is invalid.


>
> > * COSE: HPKE AAD is CDE of Enc_Structure, just like for symmetric AEAD.
> >
> > ^ I do not understand how this proposal secures both the recipient
> > protected header, and the top level protected header, while addressing
> > the oracle attack.
>
> It does not. Because the only way to address the oracle attack without
> breaking changes is via a totally different kind of mechanism.
>

The LAMPS draft addresses it by mixing the content encryption AlgorithmID
used into the KDF.

https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-cek-hkdf-sha256-00#section-5.1

That's a layer violation in traditional COSE, but because there is no
COSE-HPKE, that can be the default behavior if we write text that makes it so.

This is why I pointed at COSE_KDF_CONTEXT... we could try solving this
problem using it. But since it's mostly redundant to HPKE, that seems like a
bad idea.

That leaves only HPKE INFO and HPKE AAD as the possible places to address
this.

Overload an existing Enc_Structure (since none has ever been used for HPKE,
this can be done in HPKE draft text).

Or define a new Enc_Structure.

Or set top layer protected header as HPKE info, and Enc_Structure as
HPKE AAD.

I'd be happy to review your alternative proposals.

>
> > Since HPKE is new, we don't have to forward the vulnerable 2 layer
> > behavior for the case where all algorithms in a 2 layer are HPKE algs.
> >
> > We cannot fix the oracle attack in a "mixed alg" 2 layer cose structure,
> > because it would require breaking changes.
>
> Just fixing it for HPKE would already require breaking changes (by
> introducing layer-mixing).
>

This is false, because there is no JOSE or COSE HPKE.

By default, any new HPKE algorithm will be new functionality for libraries,
and can therefore not be called a breaking change... since there is nothing
to break.

It will be a breaking change to come back and fix it later, after
publishing COSE HPKE with the same layer vulnerability.


>
> -Ilari

-- 

ORIE STEELE
Chief Technology Officer
www.transmute.industries
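Added example, not part of the thread. The message above lists three places to bind the protected headers into an HPKE-based encryption (Enc_structure overload, a new Enc_structure, or top-level protected header as HPKE info with Enc_structure as HPKE AAD) and points at the LAMPS approach of mixing the content-encryption algorithm identifier into the KDF. The Go program below sketches the third option so a reader can see what the binding buys the recipient. It is not code from Orie, Ilari, the JOSE/COSE HPKE drafts or any HPKE library: the X25519 + HKDF-SHA256 + AES-128-GCM key schedule is a simplified stand-in for the RFC 9180 HPKE key schedule (no HPKE labels, suite IDs or export interface), and the header and Enc_structure byte strings are constructed placeholders rather than real COSE/JOSE serializations. The point it demonstrates: once the serialized protected header is fed in as KDF info and the Enc_structure as AEAD associated data, a recipient that recomputes the schedule from what it actually received rejects a message whose "enc" identifier or Enc_structure was rewritten, instead of decrypting under the wrong algorithm.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hkdfSHA256 is HKDF-Extract followed by HKDF-Expand (RFC 5869) over SHA-256,
// written out with the standard library so this block has no dependencies.
func hkdfSHA256(salt, ikm, info []byte, length int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, t []byte
	for i := byte(1); len(okm) < length; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{i})
		t = m.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:length]
}

// deriveKeyNonce plays the role of the HPKE key schedule in this sketch (it is
// NOT the RFC 9180 schedule): the AEAD key and nonce depend on the DH shared
// secret, both public keys, and the serialized protected header passed as "info".
// A header that differs in one byte (e.g. a swapped "enc" id) gives an unrelated key.
func deriveKeyNonce(shared, encapPub, recipPub, protectedHeader []byte) (key, nonce []byte) {
	kemContext := append(append([]byte{}, encapPub...), recipPub...)
	okm := hkdfSHA256(kemContext, shared, protectedHeader, 16+12) // AES-128 key + 96-bit GCM nonce
	return okm[:16], okm[16:]
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is the sender side: fresh X25519 ephemeral key, schedule bound to the
// protected header, AES-128-GCM with the Enc_structure as associated data.
func seal(recip *ecdh.PublicKey, protectedHeader, encStructure, plaintext []byte) (encapPub, ct []byte, err error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := eph.ECDH(recip)
	if err != nil {
		return nil, nil, err
	}
	encapPub = eph.PublicKey().Bytes()
	key, nonce := deriveKeyNonce(shared, encapPub, recip.Bytes(), protectedHeader)
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, nil, err
	}
	return encapPub, gcm.Seal(nil, nonce, plaintext, encStructure), nil
}

// open is the recipient side; it recomputes the schedule from the header and
// Enc_structure it actually received, so any modification fails the GCM tag check.
func open(recip *ecdh.PrivateKey, encapPub, protectedHeader, encStructure, ct []byte) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(encapPub)
	if err != nil {
		return nil, err
	}
	shared, err := recip.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	key, nonce := deriveKeyNonce(shared, encapPub, recip.PublicKey().Bytes(), protectedHeader)
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, encStructure)
}

// RoundTrip reports whether an honest open succeeds and whether two tampered
// variants (rewritten protected header, rewritten Enc_structure) are rejected.
// Header and AAD values are constructed placeholders, not real serializations.
func RoundTrip() (honestOK, headerTamperRejected, aadTamperRejected bool, err error) {
	recip, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	header := []byte(`{"alg":"dir","enc":"HPKE...A128GCM"}`)
	swapped := []byte(`{"alg":"dir","enc":"HPKE...A256GCM"}`) // constructed: substituted enc identifier
	encStructure := []byte("Encrypt0|<protected header bytes>|<external_aad>")
	msg := []byte("hello COSE")

	encapPub, ct, err := seal(recip.PublicKey(), header, encStructure, msg)
	if err != nil {
		return false, false, false, err
	}
	pt, err := open(recip, encapPub, header, encStructure, ct)
	honestOK = err == nil && bytes.Equal(pt, msg)
	_, errHdr := open(recip, encapPub, swapped, encStructure, ct)
	_, errAAD := open(recip, encapPub, header, []byte("Encrypt0|tampered|"), ct)
	return honestOK, errHdr != nil, errAAD != nil, nil
}

func main() {
	ok, h, a, err := RoundTrip()
	fmt.Println("honest:", ok, "header-tamper rejected:", h, "aad-tamper rejected:", a, "err:", err)
}
```

The design choice worth noting is that the header goes into the KDF rather than only into the AEAD associated data: with the algorithm identifier mixed into the key, a substituted "enc" value does not merely fail a tag check under the right key, it never produces the right key at all, which is the property the LAMPS CEK-HKDF draft is after.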