Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 12 February 2024 21:09 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F7D9C151081; Mon, 12 Feb 2024 13:09:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMDjQ9pSRL6C; Mon, 12 Feb 2024 13:09:45 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4E7CC14F71D; Mon, 12 Feb 2024 13:09:42 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id C25C663C4A; Mon, 12 Feb 2024 23:09:39 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 3bPvwHM-4792; Mon, 12 Feb 2024 23:09:39 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 628467A; Mon, 12 Feb 2024 23:09:37 +0200 (EET)
Date: Mon, 12 Feb 2024 23:09:37 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Message-ID: <ZcqJEVmDxo0YZ6qi@LK-Perkele-VII2.locald>
References: <CAN8C-_LgRdZ-vXFDQJSghKBfJ_gGZWaUE2+qX63faLdnTHSGGg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAN8C-_LgRdZ-vXFDQJSghKBfJ_gGZWaUE2+qX63faLdnTHSGGg@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/IhSLYaaGbB2XWuVpoW_FyuUFTc0>
Subject: Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Feb 2024 21:09:49 -0000
On Mon, Feb 12, 2024 at 12:41:52PM -0600, Orie Steele wrote: > See https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/ > > Do we expect to see RSA Kem support in JOSE and COSE without the use of > HPKE? > > If so, how do we identify RSA keys for use with KEMS? How do we transport > KEM CT ? I would imagine keys specify which KEM those keys use. And then there would be KEM algorithms analogous to ECDH-ES ones (there are a few details about ECDH-ES algorithms that need tweaking for things to work with KEMs). IIRC, only three differences are needed: - KEM shared secret goes where ECDH result used to go. - Where one sticks the KEM ciphertext. - Some trivial encaps/decaps process stuff. Things like KDFs can just be reused as-is. > One option would be to reuse what we have in the JOSE HPKE draft, to > transport the KEM CT as an ephemeral encapsulated key: If HPKE uses a header, I would imagine it uses the same one. KEM CT can be assumed to be a byte string. > Similar to the discussions we have had for ECDH-ES+A128KW vs HPKE, let us > start a discussion for > > RSAES-OAEP w/ SHA-256 vs HPKE or Plain RSA Kem (TBD) > > - https://www.rfc-editor.org/rfc/rfc7518.html#section-4.3 > - https://www.rfc-editor.org/rfc/rfc8230.html#section-3 Well, there is already RSA support. However, stuff like this might be more interesting: https://github.com/lamps-wg/draft-composite-kem/pull/11 > The reason I raise this, is that Ilari mentioned wanting to use JOSE HPKE's > Integrated Encryption and Key Encryption modes, without HPKE but with other > KEMs, so considering how RSA Kem might be supported in JOSE and COSE seems > worth discussing. Integrated Encryption can not work with KEMs. In JWE and COSE, KEMs act similarly to ECDH-ES and have the same types (Direct Key Agreement, Key Agreement with Key Wrap(ping)). Anything one can use ECDH-ES for, one should be able to use KEM for. > Is it ok if JOSE uses "epk" and JWK, COSE uses a new header > parameter instead of using "epk" and COSE Key? Well, I think using new header parameter is easier for implementations than using a JWK (or COSE_Key). The JWK seems just pointless wrapping of a byte string. -Ilari
- [jose] JOSE/COSE RSA Kem without HPKE? Orie Steele
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Russ Housley
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] JOSE/COSE RSA Kem without HPKE? Neil Madden
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Orie Steele
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Orie Steele
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara