IETF Logo Mail Archive

Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 13 February 2024 14:24 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D890C14F603; Tue, 13 Feb 2024 06:24:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xZ1M3cDompwZ; Tue, 13 Feb 2024 06:24:31 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41314C15198B; Tue, 13 Feb 2024 06:24:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 4B00014B80; Tue, 13 Feb 2024 16:24:04 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id f-gdf7-ivFuJ; Tue, 13 Feb 2024 16:24:03 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 9A78E7A; Tue, 13 Feb 2024 16:24:01 +0200 (EET)
Date: Tue, 13 Feb 2024 16:24:01 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Message-ID: <Zct7gWFGVseo-5zr@LK-Perkele-VII2.locald>
References: <CAN8C-_LgRdZ-vXFDQJSghKBfJ_gGZWaUE2+qX63faLdnTHSGGg@mail.gmail.com> <ZcqJEVmDxo0YZ6qi@LK-Perkele-VII2.locald> <CAN8C-_+5+rfseHqv2KBV4A0GOy7pvWqKwL8ycC+U9w+wm91P0Q@mail.gmail.com> <CAN8C-_L02Q9JUC9ESa==0KwYGKWj254rEOgDUhZEhe2knKF+Tg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAN8C-_L02Q9JUC9ESa==0KwYGKWj254rEOgDUhZEhe2knKF+Tg@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/UB6DuHu_61zXQSDfed1DeqPybdQ>
Subject: Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Feb 2024 14:24:35 -0000

On Mon, Feb 12, 2024 at 05:17:28PM -0600, Orie Steele wrote:
> I tried to capture some of the comments from Ilari on KEMs here:
> https://github.com/selfissued/draft-ietf-jose-fully-specified-algorithms/pull/4
> 
> Before the registry experts get flooded with Kems, Hybrid Kems, and Hybrid
> Composites, we should at least get some guidance in place on what makes a
> KEM "fully specified".

I think that:

"Fully specified" KEM <=> KEM with all parameters fixed.

 
> I think the KDF part is the main piece, in other words a KEM algorithm is
> fully specified, if it implies the use of a single KDF.

ML-KEM-1024 fixes all parameters, but does not imply any KDF.

The only hit in FIPS 203 for "key derivation" makes it very clear that
key derivation is something external to the KEM.

Now, some KDFs might be easier to implement as some code gets shared
with ML-KEM.


> But we have a similar situation with ECDH-ES, and it seems the convention
> at least from HPKE is to name the KEM after the curve and KDF, for example
> "DHKEM(P-384, HKDF-SHA384)"...
> https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-kem-ids

With ECDH-ES, the algorithms are shared between different key subtypes.
I.e., there is no seprate:

- ECDH-ES-P256
- ECDH-ES-P256+A128KW
- ECDH-ES-P384
- ECDH-ES-P384+A192KW
- ECDH-ES-P521
- ECDH-ES-P521-A256KW
- ECDH-ES-X25519
- ECDH-ES-X25519+A128KW
- ECDH-ES-X448
- ECDH-ES-X448+A256KW

But instead there are just:

- ECDH-ES
- ECDH-ES+A128KW
- ECDH-ES+A192KW
- ECDH-ES+A256KW


HPKE defines two-parameter (elliptic curve, KDF) KEM called "DHKEM", and
most of KEMs used in HPKE are instances of that (currnently only
X25519Kyber768Draft00 is an exception).

"DHKEM(P-384, HKDF-SHA384)" => DHKEM with P-384 curve and HKDF-SHA384
KDF.

Taking https://github.com/lamps-wg/draft-composite-kem/pull/11 again,
it defines 11 KEMs. If all used different "alg" values, that would
be 22 (including KW variants). That is more algorithms than currently
exist in JWE (18).

And it would be duplication of information, which is always risky. What
if the two places disagree? Sometimes the answer is "critical
vulnerability".


> I assume RSA Kem would look sorta similar if it were added to the HPKE
> registry... It is surprising we don't see RSA KEM including some indication
> of strength in the algorithm identifier, in the examples we see "RSA-KEM
> with a 3072-bit key and KDF3 with SHA-256;" ... and I see ASN.1 with
> "CMS-RSA-KEM-2023".
> 
> What would a "fully specified RSA Kem algorithm ID" look like?
> 
> I'd imagine something like "RSA-KEM-3072-KDF3-SHA-256" ?

RSA-KEM is parameterized by KDF and output length. However, some places
seem to parametrize using hash instead, so something like
"RSA-KEM(SHA256)".




-Ilari

v2.23.0 | Report a Bug | By Email