IETF Logo Mail Archive

Re: [jose] [COSE] HPKE PartyU / PartyV

"lgl island-resort.com" <lgl@island-resort.com> Fri, 01 March 2024 03:39 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95EB5C14F694; Thu, 29 Feb 2024 19:39:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bwPEdkCzb0KC; Thu, 29 Feb 2024 19:39:15 -0800 (PST)
Received: from NAM04-BN8-obe.outbound.protection.outlook.com (mail-bn8nam04on2121.outbound.protection.outlook.com [40.107.100.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 822A8C14F61E; Thu, 29 Feb 2024 19:39:14 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Nvs82K+zKEz4pvrIKHEWGFC5CX09htrQW9InzASxaWRhxdSXLNu+NEp38zg+DHdCd+v/ZStALvUi3ec9dmvQzXtKZQcvrsiXCoQhUBokHJwBNiBwaoKIPYx+wBav4ykJE2qmAFhqqVmmK4irFEMoMT9imgf7KVFbeYAhSDpljV4cfYpw9HFYozT2IkdenQ5yZ5nVDYxSzehKwODGz1ERQ/SQ0i0JASKZsf+hT3612xK6qxNK01dfxFM2Dxwivjm23cwfER8WiddWhIDLjIMVD0q1APfKr6seRmb+zRukp9qMnK4xhEoAzIg197SDPXeHSuSdoK6hfJBTqMK8VmRAxg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=clNC+TltlqmBcvgQfC4o8wNKKhSryxpvyap2kkuMNNM=; b=Nn5t5WE70yS8DamYlG6CCcAg/a8LHDPrO5QL/ig7hzfXq1ZIRl9BXsz1+9n/8Zsy/v+d/q4hWnzK6F9FwCD69+1LWVNm5cHce7XGI3G2EYhUTlDdO0FxhWxEfnhW60E/HM+0UqxYfr2V0FREwutKHoKaqSbtJyXPTG6+6kDhLwgmvCXculnOU6OFT5DtmQTT4iHj94kfIJk0gG/7uCu/YzWmnt7Fte8ZnPZn/msibHCByX/2IVtTGwY3WsVjozncCqvfZ2wfbYUeYj9ySseHVqHUeCUyocKEOB1oZwF+LXbv/Qo7F+U0u+TnU++lQ7j6OfBmrGtTfp9G76lar3gXWg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=island-resort.com; dmarc=pass action=none header.from=island-resort.com; dkim=pass header.d=island-resort.com; arc=none
Received: from PH7PR22MB3092.namprd22.prod.outlook.com (2603:10b6:510:13b::8) by MW5PR22MB3132.namprd22.prod.outlook.com (2603:10b6:303:1a3::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7316.39; Fri, 1 Mar 2024 03:39:11 +0000
Received: from PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::1cab:7344:221c:bb8e]) by PH7PR22MB3092.namprd22.prod.outlook.com ([fe80::1cab:7344:221c:bb8e%4]) with mapi id 15.20.7316.039; Fri, 1 Mar 2024 03:39:11 +0000
From: "lgl island-resort.com" <lgl@island-resort.com>
To: Orie Steele <orie@transmute.industries>
CC: Ilari Liusvaara <ilariliusvaara@welho.com>, JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Thread-Topic: [COSE] [jose] HPKE PartyU / PartyV
Thread-Index: AQHaa18G3CDxxa67q0GK7dBIbCYz/bEiPT4A
Date: Fri, 01 Mar 2024 03:39:11 +0000
Message-ID: <8A6C56DD-F66E-4EBD-9BA1-01971E381D46@island-resort.com>
References: <CAN8C-_LUMe09=WbkwT-RckhR8+LYCQMw8XWnwmDLE5riYjd7pg@mail.gmail.com> <Zd749IrwWC2hI6yX@LK-Perkele-VII2.locald> <CAN8C-_J+mMABCa2HPWv5zJ=u1HSb+saq_mn5kB0Wq5upWUyM9Q@mail.gmail.com> <Zd-NRA2kH4fc_d-X@LK-Perkele-VII2.locald> <CAN8C-_+tG9845bn986Anr89ObNpUCzOAuiEJMPh4KGK3ixB+uQ@mail.gmail.com> <Zd-colj_jF47gLQP@LK-Perkele-VII2.locald> <CAN8C-_Jw2J6OY6N7gRVepVuHiC5NqgH36dXQ6krZ1U-Spqq7fQ@mail.gmail.com> <ZeCZJK76cQNZp7q9@LK-Perkele-VII2.locald> <CAN8C-_+_nzGCWV6zNny1j_9TTikW8rBtw9388YB7UGzSwEzoTw@mail.gmail.com> <ZeDih4he5eZ1y3PO@LK-Perkele-VII2.locald> <CAN8C-_LpNbCfe3FDF=4nnGEAnZku3+z51J1VcfxuGVqQab=xZg@mail.gmail.com>
In-Reply-To: <CAN8C-_LpNbCfe3FDF=4nnGEAnZku3+z51J1VcfxuGVqQab=xZg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=island-resort.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PH7PR22MB3092:EE_|MW5PR22MB3132:EE_
x-ms-office365-filtering-correlation-id: da68b050-5203-4895-4599-08dc39a1289b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: rD2OjrLzSVw4VyTvBciHuDanaot/SQH2KvGEGZRP8LDfPdW0bkBjNNdpAF5DKwlVGHZA+zQltTQxE/AmFYS8qvc0vdrEl6sfxW4wZlkAH8Qo6qhBHXQAiN0ASyyVB07eX/lsVdh2o9atsHbM6ojuiAv6QWXnw6OBHR6DX7bK+JE2j49SGPU/NGnq37E7HZmA5EemZoKnY2d5h4qSz7RNCA21DXI5O8fQaBSPBjMbNjbW1Ln2cQxe4gPIIh8yDd/wrVzKVjU/uF20y94PM6vN2lWOkwZ2rzbK1VX0Sx8fz20lEJj0cH2OssIs1xS4Bl3vzsP7ZZCINyPwm0SKdtr+1ElETK7I/Zep/BKaY3MafMKNO7u6mRawLPVDiVlWJhiRR0nJlaRDqGBpxOZXKV+NI0MCejiGEfLpaMD0fD5X7DxklEIEGIYO+bD5wLVwipEa1759jG1OCEghKuovQAUL1G/q6pdOllo3Bk/2r+oo2NEvyfD8e4dGFTh7LymVZ3oAbzdxlOYUdeBHusNjtpPLBL8UcFYdJurK0PjIJ+L3oRgYcwF5s/eQNnHeo1AHK88CLY8VRNXMK/6+207tFCvEtUlTVLe2051c/DXaQDR8p4D5r1QvFhzoSzw8VcFsCBU1bYFMuM/QNVXd85M3UaOCWbX1gUoK1OCu++FNRZoGCN4=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PH7PR22MB3092.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(38070700009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: Oo25ylZeS5RmxTFtvhZw/1F9VncrWdb8cS0acep371E+ze7wx0UvmKR75Smy/IWdqHs4G+ePlTupRQutyPrTBHxfwFTmu4xlxsDiSvkZbIAhRuMLSDJlnIwjKpvwHD/OUVs7dhAiq3gkQiOyHbUwqrHgiai68vInTIfRJoJZhbkxMrprvApSpA/fqeKU6GMUn5fpvIsmEQWLDXTvIs4bfR7qE3Uz2sr/lKarorQ/ibHS5RWqFSgyQ7uLm9kKTGM1WJEYnPnxh6h3tubjeK5vg+ipigH3aCBm2gJldw+ja+i+Zxx05uZ4RvLEqTELKTnMJ53SZlL1O1XfU6E3b5io1OlL2a1zXTuskAVkJxFZlH4tdop7Fq9mvZZHB/rgkgUKY/TK0omBAak96HRTLau2Vhl0tb+SGg8TOPoTtU1okou9QYC0vuRWlMon65emESwoAUUo/NDf72VcR9PuGZRKFXOwneaVhZyZS218NBjNyjWjCGWGKVM1Yi14G2uQ73vv/rsDx5pzcYRnzhB8E1XxkxANHMe7p6YsqCKWn4bEisgX4ssvUGLCwGdMWjjl+JQSnYqARte43EC82+ljeG++ldQ0eAa5htp5wFi/1bZsDJZuU2LYx2D+VkZfypTMN8/4dJJwDBtDGg6Ok3PDBwpL5WVvZK2/HXlJxwd5weJrVPTxUqAgQInkAkogmzStUZKNm3UZLSv2QONCljyi5+RMFdUHaDaNkpuD2DxG6Rsf9gyS4cQb17vxZxPJw/Q9sezPOLH4Qjd48pTwL1K8cq1/Ewu4vhM315QgETk+8NoBGRhXIS07+/44IgBYGjxQUshvnMOM3two112lo4/WJlWeLm5lns0vKJ6gO1TrLoArs76bMJVAMBkX/ztDD6cbAknJx5lVYO3Hq3KrdmSzCIKXBlR0E4N+Kn9tUKBYi61efWUzYiFwwcXKewjz9YLljPHZXiqozlYLKmmfNORPONhWpUdu0JsPQhyKN10I9jolfgEk2j120ZnLdeyu035Yw1Tb4lsvTbwya+H3p1VcLEhlunxfe6SutS00eXqnwEpPgDa0TPkJrObT4OgbvXhRz9+KkVEQN4Oab2Uvoo8LoQrOSRPQ7SO9QzzmkMYjumE5/S+6PbYSX/j70sK18UR3U1sgj7cb9vxfTIZdLrLHF1gXkjvWNRHtToU23BsLQvX7dUbpO9JtZhje/AJgdATU7OIfv+VOsaekVj1z9PmR4wAvssPNI4F+ndiWT8gOETtTymsJIJykKx2dJYo/S7wSZhAO+yj8hHKY6XKRLtEvLlYyej/PH2kHyEbMrA9QwSUf7gYVEdHAqJSD3cabmj0fW/G6dmsj/QKY9l43SdyVIzxzrSePG0ecBNiymoYQju2jRy0BlffMYINhPXqDcl77rW+lAQSo0+nzHBQa86xUGNh4DwXp7ytQGpYCDeCHoFuYVOwE2orzp5aEdVr0Yno4D3mB6ETzLBuDT40x6UM6LFsclk54Gb7KVALwXAAJHg0p+oZrzpiNLxFwVEzitYAdL0zDP9TdIUO2v6hzPOuoYa2WCwUKyr7xbGyk6qbfSaDysgXJeQ3MNxCegQ9beQi0kUvGbZIdx7p3Hd5NdDZB0jOOhQ==
Content-Type: multipart/alternative; boundary="_000_8A6C56DDF66E4EBD9BA101971E381D46islandresortcom_"
MIME-Version: 1.0
X-OriginatorOrg: island-resort.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PH7PR22MB3092.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: da68b050-5203-4895-4599-08dc39a1289b
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Mar 2024 03:39:11.3125 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ad4b5b91-a549-4435-8c42-a30bf94d14a8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PZB/gtyfnnaPXseFjDr2DunD8ga2ss3MIhDYZze0cIagdEyFlt5LgrX9S2QQBA5j+jcd5XsLY6BD2lXrbxfqVg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW5PR22MB3132
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/WU2UhV-RYbKqXLEGsEwZU7pJaBc>
Subject: Re: [jose] [COSE] HPKE PartyU / PartyV
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2024 03:39:19 -0000

So here’s a possible new Enc_structure Orie suggested. I’m calling it Rec_structure. It is just for COSE_Recipients.


Rec_structure = [
    context :  “Enc_Recipient” / “Rec_Recipient",
    protected : empty_or_serialized_map,
    next_alg : int/tstr
]

- protected is for the protected headers from the COSE_Recpient
- No external_aad since COSE_Recipient doesn’t have that
- Pass this as the aad parameter to Seal() as Ilari suggests
- next_alg is the COSE algorithm ID from the COSE layer below and is mandatory

The COSE layer crossing here is pretty much the same as for COSE_KDF_Context.AlgorithmID for a COSE Recipient with alg ID -25. That is, there is already this layer-crossing in RFC 9053.

I've intentionally chose only the algorithm ID, not all the protected headers from layer 0.  This is because of implementation complexity and memory use. My COSE implementation can handle arbitrarily large blocks of header parameters (plus arbitrarily large external_aad) without allocating memory through use of incremental hashing. I don’t want to have multiple incremental hashes in flight at once, one for each recipient, nor do I want to put a cap on the size of header parameters or use malloc. Passing only the algorithm ID across layers is simpler and cleaner.

I’ve implemented  COSE_KDF_Context.AlgorithmID. This will be almost identical.

Also, no COSE_KDF_Context.SuppPubInfo.keyDataLength because COSE alg IDs are all for a specific key length.

Last, I think this would work when we fix COSE alg ID -29.

LL



On Feb 29, 2024, at 3:30 PM, Orie Steele <orie@transmute.industries> wrote:

Inline:

On Thu, Feb 29, 2024 at 2:03 PM Ilari Liusvaara <ilariliusvaara@welho.com<mailto:ilariliusvaara@welho.com>> wrote:
On Thu, Feb 29, 2024 at 11:04:57AM -0600, Orie Steele wrote:
> I think we actually agree here.
>
> The remaining point is just what to do in HPKE.
>
> 1. New header parameters, mandatory processing rules, mix
> content encryption algorithm into the KDF (via HPKE INFO).

HPKE does not allow using both INFO and AAD for one message (I do not
know why), and INFO has a short length limit (because it is used in
ways that pretty much require buffering).

So only AAD can be used.


> 2. New Enc_structure, (fix disconnected layers vulnerability), protect
> "Enc_structure" with AAD (via HPKE AAD).

impl MultiRecipientEncrypt
{
        pub fn new(alg: EncryptionAlgorithm, rng: &mut TemporaryRandomStream) ->
                Result<MultiRecipientEncrypt, String>
        {
                //...
        }
        pub fn get_key(&self) -> &[u8] { &self.key }
        pub fn add_recipient(&mut self, recipient: &[CBOR])
        {
                //...

Here is where your recipient code checks the algorithm.
Constructs the Enc_Structure (either fixing, or not fixing the AES-CBC issue).
Encrypts the content encryption key, using Enc_structure as AAD.
And sets the encrypted_key of the recipient structure.

IMO, it's a mistake to encrypt a symmetric key if you are not sure what it will be used for...
especially if the attacker can change its use from AES-GCM to AES-CBC.

You can call refusing to encrypt a key without knowing the algorithm it will be used with a layer violation.
... I call it a security oriented design improvement.

        }
        pub fn finish<M:MessageSink>(self, ad: &dyn EncryptAdditionalInfo, msg: &[u8], to: M) ->
                Result<<<M as MessageSink>::Buffer as MessageBuffer>::Residual, String>
        {
                //...
        }
}

Any current other-type recipient (which is pretty much anything that is
not a Direct Encryption or Direct Key Agreement) can be supported via
that interface.

But it can not support anything that mixes layers. Hence mixing layers
is a breaking change.

I don't get why it cannot, if it's because the protected header is not known yet... You could refactor your code.

Why do all the "recipient work", only to figure out that AES-CBC is requested and your library has decided to not implement it...
or is prohibited from implementing it... as is the case for JOSE.


And COSE design clearly intends for the layers to be kept separate.


Then its design needs to account for attacks that exploit the layer separation.

You can claim layer purity as a justification for handing out decryption keys for private messages.

But I don't have to agree with you : )


> What JWE allows, is based on the algorithms it relies on, and their
> processing rules are algorithm specific, for example:
>
> https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.2

All those processing rules operate on the JOSE header. Which means no
distinction between protected and unprotected.

This allows interface analogous to the above to work in JOSE.


> So both 1 and 2 can also work for JOSE, except that there is no
> "Enc_structure", there is just the normative language regarding:
>
> "What to set for HPKE AAD in seal and open" and "What to set for HPKE
> INFO"...
>
> If we are not going to create COSE_KDF_CONTEXT, then suggest we will also
> not create ConcatKDF context in JOSE.
>
> So HPKE INFO, will be the same in both JOSE HPKE and COSE HPKE.
>
> The guidance that JOSE provides regarding using the protected header bytes
> as aad, seems reasonable.
>
> https://datatracker.ietf.org/doc/html/rfc7516#appendix-A.4.5
>
> """
> Let the Additional Authenticated Data encryption parameter be
> ASCII(BASE64URL(UTF8(JWE Protected Header)))
> """
>
> When you apply this guidance to HPKE Direct / Integrated Encryption, there
> is only the top level protected header to consider since there is only a
> single recipient.

Yes, as long as the HPKE enc is not in protected headers, that is
completely reasonable thing to do.

I've implemented both HPKE modes in JOSE and COSE.

It's working fine in protected headers for me...

I don't think it needs to be in protected headers, but in compact JWE...
that's the only header, so that's where it goes... ( encrypted JWT ... digital identity / credential use cases ).

This also lines up with traditional compact JWE encryption...

  const key1 = await jose.generateKeyPair('ECDH-ES+A128KW', { crv: 'P-256', extractable: true })
  const jwe = await new jose.CompactEncrypt(
    new TextEncoder().encode('It’s a dangerous business, Frodo, going out your door.'),
  )
    .setProtectedHeader({ alg: 'ECDH-ES+A128KW', enc: 'A128GCM' })
    .encrypt(key1.publicKey)
  const { plaintext, protectedHeader } = await jose.compactDecrypt(jwe, key1.privateKey);
  expect(protectedHeader.alg).toBe('ECDH-ES+A128KW')
  expect(protectedHeader.enc).toBe('A128GCM')
  expect(protectedHeader.epk.kty).toBe('EC')
  expect(protectedHeader.epk.crv).toBe('P-256')
  // protected header also protects the epk.
  expect(new TextDecoder().decode(plaintext)).toBe('It’s a dangerous business, Frodo, going out your door.')




> When you apply this guidance to HPKE Key Encryption, in JOSE, you are
> "mixing layers", but that's ok to do, because there is no way to understand
> any of the HPKE algorithms in the context of JOSE without reading the RFC
> that defines that behavior... which we are hopefully progressing through
> these debates : )

No, it is not ok.

The "attack" you are trying to "fix" can never work against JWE.

I'm not trying to fix it for JWE, because those algorithms are prohibited in JWE:

https://www.iana.org/assignments/jose/jose.xhtml

I am trying to make HPKE AAD take protected headers, because that's how they are protected in JOSE.

I'm also trying to place "encapsulated keys" in protected and unprotected headers, because that's where "epk" goes in JOSE.


And JWE clearly intends an API analogous to the above COSE example to
work. Again, it is broken by mixing layers. There is even a precedent on
how AEAD-capable algorithm behaves: It does not mix layers.

counterpoint, see the JOSE examples above:

expect(protectedHeader.alg).toBe('ECDH-ES+A128KW')
expect(protectedHeader.enc).toBe('A128GCM')

If you set A128GCM AAD to be the protected header, your AEAD is providing integrity for your key agreement and key wrapping algorithm identifier.

We know this is not required, because we also have JOSE protected headers that look like this:
{
  "enc": "A128GCM",
  "epk": {
    "crv": "P-256",
    "kty": "EC",
    "x": "ticr_5a7x5Y4kWPRKIEjMV1ufG_AUW4Ud9Aapmx1uOY",
    "y": "eWboqDQfzcDOaGnNRXansvIG9QgeYrjhs3dh60vQA0M"
  }
}



> The logic for COSE is the same, regarding proposals 1 and 2.

With unfortunate difference that RFC 8152 (nor does RFC 9052) did not
explicitly state a critical security requirement. And then some folks
went ahead and added a thing that makes it insecure.

(Bonus points for making a thing I can't figure out how to use
correctly in any useful way...)

: )

And this is why we have 2 lists included on this thread.

We don't want to end up making JOSE vulnerable by following COSE advice,
or make COSE vulnerable by following JOSE advice... There are important security differences.

We also don't want encapsulated keys treated differently in ways that make security analysis difficult.

Part of the reason why is that we already have security analysis for "epk" in both JOSE and COSE,
and that's conceptually what DHKems are outputting via "enc".



> I like your comment regarding the fully specified algorithms draft...
> considering the encryption use case for fully specified algorithms:
>
> https://www.rfc-editor.org/rfc/rfc7520#section-5.6.3
>
> {
>      "alg": "dir",
>      "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a",
>      "enc": "A128GCM"
> }
>
> {
>      "alg": "dir",
>      "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a",
>      "enc": "HPKE-Base-P256-SHA256-AES128GCM"
> }
>
> I would consider both of these cases "fully specified".

>From draft-ietf-jose-fully-specified-algorithms, section 5.

"So for instance, for JOSE, alg values and enc values MUST each be
fully specified, and their behaviors MUST NOT depend upon one another."

This means that legal enc and legal alg values can be freely combined.

I don't follow... is your point that:

{
     "alg": "Ed25519",
     "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a",
     "enc": "A128GCM"
}

Make no sense?...

I agree but that does not invalid that both "A128GCM" and "HPKE-Base-P256-SHA256-AES128GCM" are fully specified.



> One is fully specified by listing a single AEAD algorithm.
>
> The other is fully specified by listing an HPKE SUITE, that bundles KEM,
> KDF and AEAD together.

The problem is that once you have "enc", it will do its thing. Any
interference from "alg" is prohibited.

I think that's an argument in favor of :

{
     "alg": "dir",
     "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a",
     "enc": "HPKE-Base-P256-SHA256-AES128GCM"
}

For direct / integrated encryption in JOSE?


And once you have "alg", it will do its thing, any interference from
"enc" is prohibited.

What do I do with "dir", if I can't look at "enc" ?



> In the context of COSE, we don't have "enc", but we do have fully specified
> algorithms for COSE HPKE.

COSE has layers. And it is clear that those are not allowed to interfere
with one another.


I'd say it's clear they interfered with each other in ways that produced vulnerabilities.

That's ok, everyone makes mistakes.

https://datatracker.ietf.org/doc/html/rfc9459 (and it seems the IETF agrees).

Let's return to the solution:

HPKE AAD = CBOR ( [ "Encrypt1", CBOR ( RecipientProtectedHeader ),  CBOR ( ProtectedHeader ), external_aad ])

If you think Encrypt1 should never have external aad, you don't need a new structure, you can use Encrypt0 with the layer0 protected header AS external AAD.

HPKE AAD = CBOR ( [ "Encrypt0", CBOR ( RecipientProtectedHeader ),  CBOR ( ProtectedHeader ) ])

Logically you are encrypting a content encryption key to a single recipient... so this seems... not that terrible.

This won't stop an attacker from ignoring HPKE recipients and toggling A128GCM to A128CBC...

But it will prevent HPKE recipients from accidentally handing out an AES-GCM key 16 bytes at a time for content that might not be exclusively encrypted to them...

I might not be able to convince my friend to use HPKE, but I don't have to help an attacker decrypt our shared private content.




-Ilari

_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose


--

ORIE STEELE
Chief Technology Officer
www.transmute.industries<http://www.transmute.industries/>
[https://ci3.googleusercontent.com/mail-sig/AIorK4xqtkj5psM1dDeDes_mjSsF3ylbEa5EMEQmnz3602cucAIhjLaHod-eVJq0E28BwrivrNSBMBc]<https://transmute.industries/>
_______________________________________________
COSE mailing list
COSE@ietf.org<mailto:COSE@ietf.org>
https://www.ietf.org/mailman/listinfo/cose

v2.23.0 | Report a Bug | By Email