Re: [jose] [COSE] HPKE PartyU / PartyV

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 28 February 2024 20:50 UTC

Date: Wed, 28 Feb 2024 22:50:42 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>

On Wed, Feb 28, 2024 at 02:08:50PM -0600, Orie Steele wrote:
> * JOSE/KE: HPKE AAD is fixed string "Key Encryption".
> 
> ^ This seems less good than using the protected header,
> which already includes the "alg" for which you are encrypting the key,
> which implies and specifies more precisely that you are indeed doing key
> encryption.
> It also keeps JOSE IE and JOSE KE relying on similar AAD structures.

- that might be unsafe.
- that is a breaking change (by introducing layer-mixing).
- "enc" is not necessarily protected, because it does not need to be.

> I also think it's a mistake to invent a new and confusing mode "called JOSE
> IE", when it's really just "direct encryption" for HPKE.
> 
> ```
> { alg: dir, enc: HPKE...A128GCM }
> ```

That has very specific meaning in JWE. And it is definitely not of the
correct kind.

JWE requirements imply that if { alg: dir, enc: HPKE...A128GCM } is
legal, then { alg: ECDH-ES, enc: HPKE...A128GCM } is also legal. But
the latter tries to derive the HPKE key from Direct Key Agreement, which is
absurd. Contradiction. Therefore { alg: dir, enc: HPKE...A128GCM } cannot
be legal. Q.E.D.


> * COSE: HPKE AAD is CDE of Enc_Structure, just like for symmetric AEAD.
> 
> ^ I do not understand how this proposal secures both the recipient
> protected header, and the top level protected header, while addressing the
> oracle attack.

It does not, because the only way to address the oracle attack without
breaking changes is via a totally different kind of mechanism.


> Since HPKE is new, we don't have to forward the vulnerable 2 layer behavior
> for the case where all algorithms in a 2 layer are HPKE algs.
>
> We cannot fix the oracle attack in a "mixed alg" 2 layer cose structure,
> because it would require breaking changes.

Just fixing it for HPKE would already require breaking changes (by
introducing layer-mixing).

-Ilari
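As an added example (not code from this thread, nor from the COSE or JOSE HPKE drafts), a stdlib-only Python sketch of the COSE Enc_Structure AAD that the "COSE" bullet above refers to, built with a minimal RFC 8949 deterministic CBOR encoder. The HPKE algorithm identifier is a constructed placeholder, since the real one is not on this page; the example also shows why a recipient-layer AAD computed this way does not cover the top-level protected header, which is the gap the thread is discussing.

```python
import struct

# Minimal CBOR encoder for the types COSE headers and Enc_Structure need
# (ints, bstr, tstr, arrays, maps). Deterministic encoding per RFC 8949 s.4.2:
# shortest-form integer heads and map keys sorted bytewise on their encoding.
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for bits, ai, fmt in ((8, 24, ">B"), (16, 25, ">H"), (32, 26, ">I"), (64, 27, ">Q")):
        if n < (1 << bits):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR head")

def cde_encode(value):
    if isinstance(value, bool):
        raise TypeError("booleans are not needed for this example")
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(cde_encode(v) for v in value)
    if isinstance(value, dict):
        items = sorted((cde_encode(k), cde_encode(v)) for k, v in value.items())
        return _head(5, len(items)) + b"".join(k + v for k, v in items)
    raise TypeError(f"unsupported type {type(value).__name__}")

def enc_structure_aad(context, protected_header, external_aad=b""):
    """AAD per RFC 9052 s.5.3: Enc_Structure = [context, protected bstr, external_aad]."""
    if context not in ("Encrypt", "Encrypt0", "Enc_Recipient", "Mac_Recipient", "Rec_Recipient"):
        raise ValueError("unknown Enc_Structure context string")
    # An empty protected header bucket is serialized as a zero-length bstr.
    protected = cde_encode(protected_header) if protected_header else b""
    return cde_encode([context, protected, external_aad])

COSE_ALG = 1                    # COSE common header label "alg"
A128GCM = 1                     # registered COSE algorithm id for AES-128-GCM
HPKE_ALG_PLACEHOLDER = -65537   # constructed stand-in; the real HPKE ids are not on this page

def layer_aads(content_alg, recipient_alg, external_aad=b""):
    # Content layer (COSE_Encrypt): context "Encrypt" plus the top-level protected header.
    # Recipient layer (COSE_recipient): context "Enc_Recipient" plus only that recipient's
    # protected header, so the recipient AAD commits to nothing at the top level.
    return (enc_structure_aad("Encrypt", {COSE_ALG: content_alg}, external_aad),
            enc_structure_aad("Enc_Recipient", {COSE_ALG: recipient_alg}))
```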