Re: [jose] HPKE Single Shot for Compact JWE
Orie Steele <orie@transmute.industries> Sun, 11 February 2024 14:04 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A638AC14F685 for <jose@ietfa.amsl.com>; Sun, 11 Feb 2024 06:04:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level:
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eNej13gUR18L for <jose@ietfa.amsl.com>; Sun, 11 Feb 2024 06:04:32 -0800 (PST)
Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E32EC14F5E8 for <jose@ietf.org>; Sun, 11 Feb 2024 06:04:32 -0800 (PST)
Received: by mail-pl1-x62c.google.com with SMTP id d9443c01a7336-1d9bd8fa49eso17327165ad.1 for <jose@ietf.org>; Sun, 11 Feb 2024 06:04:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1707660271; x=1708265071; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=1rxP6qL0yrjvfHsws/uLJlv7MxaAb2FlE82+XcvJhj4=; b=B+apM8WffpORfDS0xPltRp9qS+o8rT/9jBuxDzseQSegcS/CFhDEfuVNZ4LVImyezD xp0S1EM3tu2FrqoenumMfL9YYr3CEl5nZ39xvwcKK0utHUeFzETRPiEvbbf+FWfs6JiF SlmB2KngLi4IS7NGQZVS9nuWgNtckK4cy3GB5FqsmDTRKzcGenmlA8Gj5oEsCjfdIbOP DOsU7eVAqylbIfuQs7VJ2/CcRk8BQ11nkoJ1ro1mLxXZ5Rkh6FOGD+7xJgnVmM7zimkv jtQQCy7h2YH1uFpJIOTyIQNDN9HtiC32K5I9hvH/wF9UyUSaL7Y5T7TalXyBGWh65+Zx XyfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707660271; x=1708265071; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1rxP6qL0yrjvfHsws/uLJlv7MxaAb2FlE82+XcvJhj4=; b=Mwui5zmTKGbjGO2nFgiumIakjioIoBcUTo0kAVpVvK3IIgFUJCmeJLmDHJKatNgT6e fC9MuUYTf7GMqejKpI3ZglnhNMkyfVyU2nVTkbOnk1sLM5ClFymryQLbfPkmERJaBqfb LqVntkuZHwnK+T7Gju6ZwvwI3Oz4S0ENTC7ZxO2Vby441gADYfxsbhc3xOMLJDVvs5QP OaN6rAY8iCTCd6Vhf6ucyW274ULTE8TDYvwJun/xp7iAt8HD56WSILTR98Huf7cQSO/z mn72m6kEzXGhh3pBZvmVHTuS0J49yfVNg6b8ptO/7X/VVGqL5AhDdNqDd4GJ7Wtf7QcA vFfQ==
X-Gm-Message-State: AOJu0Yz+RpXox6QVOoVUFlP0+R9MW0gJEQypGVsIs2xB4RQMP97KedBO eHdLXHhitzmVOxqsgKA0nZYssVY0kJn0a2zQQKJASI0aS1zHutYx1dkRXP+avIlQYJAaCe4EPaH g9tggrp83LiuKVZLnsZTu2PhbhF6k4bS2FvKZlrM4Z1UZ5xvj2ao=
X-Google-Smtp-Source: AGHT+IGWlg5nCoOBUEK6jsniTC87zWkSRgTtcHRHTMtRtITZGRv4s/bJqJ+db61ixfdpBr+JFDu/FVt9AmWkcKATpaw=
X-Received: by 2002:a17:902:d487:b0:1da:1dbc:bf9e with SMTP id c7-20020a170902d48700b001da1dbcbf9emr4520237plg.47.1707660271214; Sun, 11 Feb 2024 06:04:31 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_LCB33RocisCO21_kgt=vUN3VterUf88HS+mswn4w1fUQ@mail.gmail.com>
In-Reply-To: <CAN8C-_LCB33RocisCO21_kgt=vUN3VterUf88HS+mswn4w1fUQ@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Sun, 11 Feb 2024 08:04:20 -0600
Message-ID: <CAN8C-_Lyir--FwCqBGOEMuAAs_4WhGB-n=ozMJoTqEo7vYyU5Q@mail.gmail.com>
To: JOSE WG <jose@ietf.org>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="000000000000dcf5de06111ba31c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/ObDgiliTdnA0VENGT0WJiZNptaI>
Subject: Re: [jose] HPKE Single Shot for Compact JWE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Feb 2024 14:04:36 -0000
Sorry for 2 messages, I hit send early on the last one. I was just adding the comment about validated enc, see https://datatracker.ietf.org/doc/html/rfc8725#name-validate-cryptographic-inpu > The JWS/JWE library itself must validate these inputs before using them, or it must use underlying cryptographic libraries that do so (or both!). It could be cool to trust the HPKE implementation to validate the "enc" value, or you might validate it before even invoking a single shot API. I like the design of transported "encapsulated keys" in protected headers when possible. Even if it's redundant to the internals of HPKE, as the JWT BCP notes, redundant security checks are ok. Regards, OS On Sun, Feb 11, 2024 at 7:58 AM Orie Steele <orie@transmute.industries> wrote: > Section 5 defines - > https://datatracker.ietf.org/doc/html/rfc9180#section-5.1 : > > def SetupBaseS(pkR, info): > shared_secret, enc = Encap(pkR) > return enc, KeyScheduleS(mode_base, shared_secret, info, > default_psk, default_psk_id) > > def SetupBaseR(enc, skR, info): > shared_secret = Decap(enc, skR) > return KeyScheduleR(mode_base, shared_secret, info, > default_psk, default_psk_id) > > Section 6 of defines "Single-Shot" APIs for HPKE - > https://datatracker.ietf.org/doc/html/rfc9180#name-single-shot-apis : > > def Seal<MODE>(pkR, info, aad, pt, ...): > enc, ctx = Setup<MODE>S(pkR, info, ...) > ct = ctx.Seal(aad, pt) > return enc, ct > > def Open<MODE>(enc, skR, info, aad, ct, ...): > ctx = Setup<MODE>R(enc, skR, info, ...) > return ctx.Open(aad, ct) > > With "Single-Shot", you cannot place the "encapsulated key (enc)" in JWE > Protected Headers. > > Given the original design of JWE in > https://datatracker.ietf.org/doc/html/rfc7516#section-3.1 > > Compact: > > BASE64URL(UTF8(JWE Protected Header)) || '.' || > BASE64URL(JWE Encrypted Key) || '.' || > BASE64URL(JWE Initialization Vector) || '.' || > BASE64URL(JWE Ciphertext) || '.' || > BASE64URL(JWE Authentication Tag) > > JSON: > > "protected", with the value BASE64URL(UTF8(JWE Protected Header)) > "unprotected", with the value JWE Shared Unprotected Header > "header", with the value JWE Per-Recipient Unprotected Header > "encrypted_key", with the value BASE64URL(JWE Encrypted Key) > "iv", with the value BASE64URL(JWE Initialization Vector) > "ciphertext", with the value BASE64URL(JWE Ciphertext) > "tag", with the value BASE64URL(JWE Authentication Tag) > "aad", with the value BASE64URL(JWE AAD) > > In https://mailarchive.ietf.org/arch/msg/jose/0ODZ_2TTjrOOwv1JwvYuv0OuZ0s/ > > Ilari proposed, concatenating "HPKE enc" with "HPKE ct", and calling the > result "JWE Ciphertext". > > This would enable "HPKE Single Shot", but at a cost of needing to slice > the "JWE Ciphertext" string to recover enc (which will change in size with > use of different kems). > > In draft-rha-jose-hpke-encrypt current design for single recipient JWE > messages, we defined a new JWA approach called "Integrated Encryption", > which leverages HPKE to encrypt a plaintext message to a single recipient, > without the need to include: JWE Encrypted Key, JWE Initialization Vector, > JWE Authentication Tag. > > For example: > eyJhbGciOiJIUEtFLUJhc2UtUDI1Ni1TSEEyNTYtQUVTMTI4R0NNIiwiZXBrIjp7Imt0eSI6IkVLIiwiZWsiOiJCQ0lrQ2Nka1hHS2VhaEhpMFdFRnFMbm9VREFtdnpJd0t2SVF3TFNXWjVpTHc3ZDFSMXdDRTRpVUVyV1NKZnlueGwtTmltQVdhSkNfWFVjY2lwOEhZeTAifX0 > ... > vtwAfUY4SP2loyqJDht2r824r1a0tTi-0Cr_u0GunXCMxvKbZQaZFFjEMBTffJRf6FBaJMao2Trm5QZBxLr_w7f75ZPA99VdY7YMwRNkfftRW97BPEn0x0SM3inNaESQGuPqNZM > . > > It does this, by using the "epk" parameter of the JWE Protected Header to > transport the "HPKE enc". > > This means that in order for a recipient to decrypt a message, they must > pass the JWE Protected Header to HPKE Open as aad. > > I have adjusted the pythonish examples from HPKE to make this clearer to > readers: > > def Seal<MODE>(pkR, info, aad="JWE Protected Header", pt, ...): > enc, ctx = Setup<MODE>S(pkR, info, ...) > ct = ctx.Seal(aad, pt) > return enc, ct > > // desirable, but not possible because "enc" was not in "JWE Protected > Header". > /// enc = decode(decode("JWE Protected Header").epk.ek) > > [enc, ct] = slice("JWE Ciphertext") > > validate_enc(enc) // because in DHKems enc is a public key made of points > on a curve > > def Open<MODE>(enc=enc, skR, info, aad="JWE Protected Header", ct=ct, ...): > ctx = Setup<MODE>R(enc, skR, info, ...) > return ctx.Open(aad, ct) > > I see no reason to comment on Single Shot APIs directly in > "draft-rha-jose-hpke-encrypt". > > These HPKE internals are implementation details, similar to how JWE does > not comment on deriveBits / deriveSecretKey, and yet implementations of JWE > might use those APIs from web crypto internally. > > > > > > > > > -- > > > ORIE STEELE > Chief Technology Officer > www.transmute.industries > > <https://transmute.industries> > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- Re: [jose] HPKE Single Shot for Compact JWE Orie Steele
- [jose] HPKE Single Shot for Compact JWE Orie Steele
- Re: [jose] HPKE Single Shot for Compact JWE Ilari Liusvaara