IETF Logo Mail Archive

Re: [jose] [COSE] HPKE PartyU / PartyV

Orie Steele <orie@transmute.industries> Wed, 28 February 2024 13:55 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74E47C14F61C for <jose@ietfa.amsl.com>; Wed, 28 Feb 2024 05:55:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.085
X-Spam-Level:
X-Spam-Status: No, score=-7.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lIkpO1_70Vwq for <jose@ietfa.amsl.com>; Wed, 28 Feb 2024 05:55:37 -0800 (PST)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0ED20C14F60C for <jose@ietf.org>; Wed, 28 Feb 2024 05:55:36 -0800 (PST)
Received: by mail-pf1-x42a.google.com with SMTP id d2e1a72fcca58-6e558a67f70so1031625b3a.0 for <jose@ietf.org>; Wed, 28 Feb 2024 05:55:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1709128536; x=1709733336; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=dj97xe66kh0LQ4caneDsA7c5OlViJV0El+MIocnM4LI=; b=TmQKduJ97uNyWPfbGpfhRa32tJdaJLJe0VeWIUHj6DSSTI/vE2hzwfuCpG2kikNCaj /gQhBFpxntb5J3tOK8tCJspQ9dLCL0qqLduwLLSWgWe8K8FyD7MD3oKW5xXqJh+Q2aPG ZJ/uoK6ZIQvLXM1oa2ddimgdOOic+mVW2CmLXcdshNZBkQV8EzZqQCGmuO4BFEGUGK2H SWBUqPe4WVS5hENGxpWB1x9qiTWIaCt5jwrPzB3DiuwTGqc9Eq8N8E9C6YiTy0PljcBE 7O0RrcshyWIyjZwh1zI9Q6onL2J0agQt49lLKI9k7e46q+fF9QWgBWlFbrr3tXvv2FaQ cHFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709128536; x=1709733336; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dj97xe66kh0LQ4caneDsA7c5OlViJV0El+MIocnM4LI=; b=myjGAjife0GOQP+dnNFkq/o5msLDkkG4KBCE+mzNN2C48LIaDUefgdLa2TppSuEZGj IL9g7J2a/o1bQikpahCQC3q9GJVcAwQUMLhhLun5OndGpuihX3403CwO6cmSiyU3jmT5 v3mpfp01WcqbLL1HXkd6B2WGyX/dNh6GZ1XhE5AigQsgf2nKycL9m8sPfxsC68izlT0S WtTNbb07c30bgndMqC0EsXYpSWZUWAYetpGIgoM7ivw1WclU8Xt/sUQUtXgIBwaxLHxQ q/Q00H6P+Yoxt9w5JyMApzCnqWrfLltIa1Gq3C5LE5ZtJU1qzlwrp859BoH7isNuYi9U gI6w==
X-Gm-Message-State: AOJu0YxsdKwBGEChOGkAXhAfOxRBkLVD1tNd588HlafZKfQTfgA1Rl6v Zf6qpNSyZLCQOt6Q7QaBsNsZcDyUCf0ZPD0YDkzS1fFOmSTwq0bNx2iSj62TCRQJKPxtYaHIp2m jCEyLzuosbTdTbAzSrtcTT+ltlVPOeD+FZys4SyIkgftgHS+vbAgkrg==
X-Google-Smtp-Source: AGHT+IHkadUvIdo+JkRvyI/oYXMA+frn7HTtrInYHEObmfEYNYAZTWATeeaZdduxArR8NrBBEtQ/gSdvMLQVoMyT4Fk=
X-Received: by 2002:a05:6a20:9c8f:b0:19e:9cc9:1bef with SMTP id mj15-20020a056a209c8f00b0019e9cc91befmr6356174pzb.22.1709128536068; Wed, 28 Feb 2024 05:55:36 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_LUMe09=WbkwT-RckhR8+LYCQMw8XWnwmDLE5riYjd7pg@mail.gmail.com> <Zd749IrwWC2hI6yX@LK-Perkele-VII2.locald>
In-Reply-To: <Zd749IrwWC2hI6yX@LK-Perkele-VII2.locald>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 28 Feb 2024 07:55:24 -0600
Message-ID: <CAN8C-_J+mMABCa2HPWv5zJ=u1HSb+saq_mn5kB0Wq5upWUyM9Q@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000044b7bb0612717f39"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/Qc6DID1MSed9cyX9zush5aJmpOI>
Subject: Re: [jose] [COSE] HPKE PartyU / PartyV
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 13:55:41 -0000

I like where this is heading, but just to be extra sure it doesn't come
back.

https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-header-parameters
https://www.iana.org/assignments/cose/cose.xhtml#header-algorithm-parameters

Option 0:

hpkeAAD = hpkeEncStructureAsAAD | hpkeJOSEAAD

const plaintextOrPublicKeyBytes = suite
  .createRecipientContext({
    recipientKey: ...,
    enc: encapsulatedKeyBytes
  })
.open(recipientCipherTextBytes, hpkeAAD)

Option 1:

hpkeContextInfo = from headers when present / MUST be understood.
hpkeAAD = hpkeEncStructureAsAAD | hpkeJOSEAAD

const plaintextOrPublicKeyBytes = suite
  .createRecipientContext({
    info: hpkeContextInfo,
    recipientKey: ...,
    enc: encapsulatedKeyBytes
  })
.open(recipientCipherTextBytes, hpkeAAD)

...

Both JOSE and COSE should use option 0.

In JOSE, hpkeAAD needs to account for JWE AAD, and needs to leverage the
protected header.

Based on https://www.rfc-editor.org/rfc/rfc7520#section-5.10.4

In COSE, hpkeEncStructureAsAAD needs to account for external_aad, recipient
protected header, and top level protected header.

I have never needed to use "Enc_Recipient"  / "Rec_Recipient" in COSE, I
would appreciate comments on their possible relevance to HPKE.

Based on https://datatracker.ietf.org/doc/html/rfc9052#section-5.3-4

For Tag 16 (single recipient) based HPKE:

Enc_structure = [
    context : "Encrypt0",
    protected : empty_or_serialized_map, // top layer protected header
    external_aad : bstr // like JWE AAD
]

For Tag 96 (multiple recipient) based HPKE:

At the encrypt content encryption key with HPKE step:

Enc_structure = [
    context : "Encrypt0",
    protected : empty_or_serialized_map, // recipient protected header
    external_aad : bstr // cbor([top level protected header, external aad])
]

^ this would match how JOSE handles JWE AAD, and it protects both the
protected header at layer 0, and the recipient protected header at layer 1
by using the AEAD AAD, instead of by using a KDF context.

This would also address the issues with AES-CBC & AES-CTR -
https://www.rfc-editor.org/rfc/rfc9459.html#section-8

If HPKE Seal and Open do not include the top level protected header, AND
HPKE has no context for the top level algorithm mixed into the KDF via
info, then the cross mode attack that has been discussed on these lists is
possible.

I do not think we should put fixing the cross mode attack in the general
case, as a blocker for HPKE, we should fix the cross mode attack in a
separate document, that is only focused on addressing COSE KDF Context...
but we cannot design JOSE and COSE HPKE in such a way that they are already
vulnerable to the attack.

For HPKE, we can simplify things and protected against the attack by:

1. Not requiring COSE KDF Context or its JOSE Contact KDF cousin, in HPKE
Info.
2. Ensuring that HPKE AAD contains all protected headers in a message.

The first bullet is accomplished the same way in both JOSE and COSE HPKE
(just don't compute info or set it).

The second bullet is accomplished slightly differently in JOSE and COSE,
because of recipient protected headers, which JOSE does not have.

In JOSE:

hpkeAAD = top level protected header + "." + base64url ( JWE AAD bytes ) //
no recipient related stuff

In COSE:

At the encrypt content encryption key with HPKE step:

hpkeEncStructureAsAAD = cbor (  [ "Encrypt0",
recipientProtectedHeaderBytes, cbor([protectedHeaderBytes, external_aad])])

or Alternatively, with a new context string and an extra parameter:

hpkeEncStructureAsAAD = cbor (  [ "Encrypt-Multiple-With-AEAD-KW",
recipientProtectedHeaderBytes, protectedHeaderBytes,  external_aad)])

... In both solutions PartyU / PartyV if present in protected headers, are
ignored.

What do you think?

OS



On Wed, Feb 28, 2024 at 3:12 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Tue, Feb 27, 2024 at 02:02:16PM -0600, Orie Steele wrote:
> > Hello OSE-Enthusiasts,
> >
> > As we align JOSE and COSE drafts for adding support for HPKE, we've
> > encountered our old friends:
> >
> > PartyU and PartyV...
>
> Those two only really make sense for ECDH-SS. JOSE does not support
> that at all, nor does HPKE (auth mode is not ECDH-SS).
>
>
> > JOSE has this to say:
> > https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.2
> >
> > """
> >    The "apv" (agreement PartyVInfo) value for key agreement algorithms
> >    using it (such as "ECDH-ES"), represented as a base64url encoded
> >    string.  When used, the PartyVInfo value contains information about
> >    the recipient.  Use of this Header Parameter is OPTIONAL.  This
> >    Header Parameter MUST be understood and processed by implementations
> >    when these algorithms are used.
> > """
>
> Note that is only for key agreement algorithms. HPKE is not a key
> agreement algorithm.
>
> Now, native KEM support would be key agreement algorithm and would
> process "apv" just like ECDH-ES does.
>
>
> > COSE has this to say:
> >
> https://datatracker.ietf.org/doc/html/rfc9053#name-context-information-structu
> >
> > (TLDR... No MUST).
>
> Every field in that structure seems to be at least one of:
>
> - Redundant (e.g., AlgorithmID)
> - Absurd (e.g., keyDataLength)
> - Unsafe (e.g., PartyUInfo.identity)
> - Non-interoperable (e.g., Party*Info.other)
>
>
> The design philosophies of JOSE and COSE are rather different. JOSE is
> designed to be interoperable and implementable without profiling. COSE
> is designed to be heavily profiled down for application, and is not in
> general meant to be interoperable nor implementable.
>
> This already shows in KDF context structures. The JOSE one is
> interoperable, the COSE one is explicitly not interoperable.
>
> Then there is plenty of stuff in COSE that is in theory interoperable,
> but no implementation implements it. E.g., ECDH-ES with AES-GCM key
> wrapping (bonus points for also using iv-generation).
>
>
> > We have an opportunity to maintain parity here, and essentially
> > repeat the support for behavior we have in JOSE and COSE for
> > "ECDH-ES+A128KW", when PartyU and PartyV are present.
>
> As stated above, PartyU and PartyV don't really make sense here.
>
>
> > I've always found this part of encryption in JOSE troublesome, why is it
> > necessary for HPKE to support this?
>
> I don't think there is any good reason to support it. Especially with
> the HPKE limitations on parameters.
>
>
> > Are we passing up an opportunity to simplify things and remove an
> > unused/underutilized feature from being required in a new, and currently
> > not used encryption scheme (HPKE).
>
> The simplest thing to do is to just ignore that stuff.
>
>
> > Is it time for apu and apv to be ignored when present and not
> > understood?
>
> As explained above, the MUST is inapplicable. Thus "apu" and "apv"
> are ignored for HPKE.
>
>
>
>
> -Ilari
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email