Re: [jose] [COSE] HPKE PartyU / PartyV

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 28 February 2024 19:45 UTC

Date: Wed, 28 Feb 2024 21:45:08 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Message-ID: <Zd-NRA2kH4fc_d-X@LK-Perkele-VII2.locald>
References: <CAN8C-_LUMe09=WbkwT-RckhR8+LYCQMw8XWnwmDLE5riYjd7pg@mail.gmail.com> <Zd749IrwWC2hI6yX@LK-Perkele-VII2.locald> <CAN8C-_J+mMABCa2HPWv5zJ=u1HSb+saq_mn5kB0Wq5upWUyM9Q@mail.gmail.com>
In-Reply-To: <CAN8C-_J+mMABCa2HPWv5zJ=u1HSb+saq_mn5kB0Wq5upWUyM9Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/Nx7155KzP1j3RlCdlM3ZoNz16IY>

On Wed, Feb 28, 2024 at 07:55:24AM -0600, Orie Steele wrote:

> For HPKE, we can simplify things and protect against the attack by:

<snip stuff that does not work>

> What do you think?

What you are proposing does not work.


1) HPKE already mixes in enc, there is no reason to do it again, that
   just breaks some HPKE libraries for no good reason.

   IE and KE are so massively different that aligning the two is not
   a good reason.


2) Mixing anything between levels will lead to severe implementation
   problems.

   The best way to break existing implementations is to throw an
   unexpected curveball. And this is one.


3) ?OSE-HPKE can do nothing with the oracle attack.
   a) In JOSE, no action is needed, JWE already blocks the attack.
   b) In COSE, it needs a separate document to fix.

   The "fix" you gave just does not work.


4) Crossmode attack is easy to solve.
   a) In JOSE-HPKE, HPKE AAD needs to be fixed by KE to some value that
      can not happen in IE.
   b) In COSE, it is already solved by Enc_structure context field.

   Doing that with JOSE-HPKE will also solve the more severe cross-layer
   mixing issue.


The simplest HPKE AAD stuff that actually works is:

* JOSE/IE: HPKE AAD constructed as in JWE section 5.1. step 14.
* JOSE/KE: HPKE AAD is fixed string "Key Encryption".
* COSE: HPKE AAD is CDE of Enc_structure, just like for symmetric AEAD.
  External_aad only applies to layer 0.

Just ignore the oracle (AES-CTR/AES-CBC) attack for this. Fixing that
(in COSE) is a separate issue.




-Ilari
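An added illustration of the three HPKE AAD constructions listed in the message above (this is my own example code, not code from the thread or from any JOSE/COSE-HPKE draft). It assumes the COSE context strings from RFC 9052 ("Encrypt0", "Enc_Recipient"), the JWE step-14 rule from RFC 7516, and that "a value that can not happen in IE" can be checked against the base64url alphabet; the function names are mine.

```python
import base64
import re
import struct
from typing import Optional

# Minimal CBOR encoder for the three types Enc_structure needs, emitting
# shortest-form lengths as CBOR deterministic encoding (CDE) requires.
def _cbor_head(major: int, n: int) -> bytes:
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < (1 << (8 * struct.calcsize(fmt))):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("length too large for CBOR")

def cbor_bstr(b: bytes) -> bytes:
    return _cbor_head(2, len(b)) + b

def cbor_tstr(s: str) -> bytes:
    e = s.encode("utf-8")
    return _cbor_head(3, len(e)) + e

def cbor_array(items: list) -> bytes:
    return _cbor_head(4, len(items)) + b"".join(items)

# COSE: HPKE AAD = CDE(Enc_structure) = [context, protected, external_aad].
# external_aad is only meaningful at layer 0 (the content layer); recipient
# layers such as "Enc_Recipient" always use an empty external_aad.
def cose_hpke_aad(context: str, protected: bytes,
                  external_aad: bytes = b"", layer: int = 0) -> bytes:
    if layer != 0 and external_aad:
        raise ValueError("External_aad only applies to layer 0")
    return cbor_array([cbor_tstr(context), cbor_bstr(protected),
                       cbor_bstr(external_aad)])

# JOSE/IE: HPKE AAD as in RFC 7516 section 5.1 step 14, i.e. the base64url
# protected header, optionally followed by "." and base64url(JWE AAD).
def jose_ie_hpke_aad(protected_header: bytes,
                     jwe_aad: Optional[bytes] = None) -> bytes:
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=")
    return b64(protected_header) if jwe_aad is None else b64(protected_header) + b"." + b64(jwe_aad)

# JOSE/KE: fixed string. It contains a space, so it can never collide with
# an IE AAD, which is restricted to the base64url alphabet plus ".".
JOSE_KE_HPKE_AAD = b"Key Encryption"
_IE_AAD_RE = re.compile(rb"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]*)?$")

def could_be_jose_ie_aad(aad: bytes) -> bool:
    return _IE_AAD_RE.match(aad) is not None
```

A decryptor that reconstructs the AAD for the wrong mode or layer therefore derives a different AAD and the HPKE open fails, which is the cross-mode protection point 4a describes.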