IETF Logo Mail Archive

Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 13 February 2024 13:40 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7521CC151552; Tue, 13 Feb 2024 05:40:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nvXkq4J4M2s0; Tue, 13 Feb 2024 05:40:36 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9EB4C15109E; Tue, 13 Feb 2024 05:40:34 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id CD52E1EB3A; Tue, 13 Feb 2024 15:40:31 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id wu1Dh5S7obq0; Tue, 13 Feb 2024 15:40:31 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 7A993230A; Tue, 13 Feb 2024 15:40:29 +0200 (EET)
Date: Tue, 13 Feb 2024 15:40:29 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Message-ID: <ZctxTZAplkEyc0ly@LK-Perkele-VII2.locald>
References: <CAN8C-_LgRdZ-vXFDQJSghKBfJ_gGZWaUE2+qX63faLdnTHSGGg@mail.gmail.com> <ZcqJEVmDxo0YZ6qi@LK-Perkele-VII2.locald> <CAN8C-_+5+rfseHqv2KBV4A0GOy7pvWqKwL8ycC+U9w+wm91P0Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAN8C-_+5+rfseHqv2KBV4A0GOy7pvWqKwL8ycC+U9w+wm91P0Q@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/XTVNN5l9dWrpq-Sy-lrzTv4AoCk>
Subject: Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Feb 2024 13:40:38 -0000

On Mon, Feb 12, 2024 at 04:55:26PM -0600, Orie Steele wrote:
> Inline:
> 
> On Mon, Feb 12, 2024 at 3:09 PM Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > On Mon, Feb 12, 2024 at 12:41:52PM -0600, Orie Steele wrote:
> >
> > However, stuff like this might be more interesting:
> >
> > https://github.com/lamps-wg/draft-composite-kem/pull/11
> >
> >
> Yes, this is another reason to ask... will we see composite kems as
> standalone building blocks (like RSA Kem)
> Or will we see HPKE Suites that pair those building blocks with specific
> choices of KDF and AEAD.

Yes, composite KEMs will be standalone building blocks.

(In fact, that is prerequisite for KEM to be added to HPKE.)


> > In JWE and COSE, KEMs act similarly to ECDH-ES and have the same types
> > (Direct Key Agreement, Key Agreement with Key Wrap(ping)).
> >
> > Anything one can use ECDH-ES for, one should be able to use KEM for.
> 
> epk is already used for this case, the ES part, is what pairs with the
> "epk" part.

I was referring to where it can be used, not the precise encoding.

 
> > > Is it ok if JOSE uses "epk" and JWK, COSE uses a new header
> > > parameter instead of using "epk" and COSE Key?
> >
> > Well, I think using new header parameter is easier for implementations
> > than using a JWK (or COSE_Key). The JWK seems just pointless wrapping
> > of a byte string.
> 
> It's not pointless.
> It uses the existing code points for headers, which reduces the burden on
> applications that will have to keep processing those headers.
> The applications only need to switch on "alg", and then process the
> associated epk.... which is what they are already doing for
> "ECDH-ES" and "epk" today.

For application that switches on "alg", it much easier to just:

- Pull a new header parameter out of headers
- Base64url-decode that

Than:

- Pull "epk" parameter out of headers.
- Pull "kty" out of key
- Check the key type is correct.
- Pull "ek" out of key.
- Base64url-decode that.

And every one of those steps can also fail.

I count that there are currently 18 different algorithms for JWE. Only
4 of those use "epk". Not even all Key Agreement with Key Wrapping
algorithms do.

In COSE, it is even more lopsided, since there is no base64url.


> If we didn't have these existing application processing considerations, it
> would be easier to say adding a new header param is the correct solution in
> my opinion, but we are probably headed for testing RSAES-OAEP, ECDH-ES, and
> HPKE recipients for the same encrypted messages.... if we add
> RSA-KEM+A128KW to that mix, it's better to consider the design cost of that
> now... before the drafts become standards... I think either path will work,
> but we should force the API design to align, for the sake of developers...
> I would call it a win if JOSE and COSE handle this in a similar way, and a
> loss if they decide to handle it differently... I am not attached to the
> design using epk, but I do think it is easier for implementations that have
> to keep supporting ECDH-ES alongside HPKE and RSA Kem.

RSA-KEM+A128KW is Bad Idea.

Trying to internally handle RSAES-OAEP, ECDH-ES, HPKE and KEM in common
way will just lead to nasty abstraction rot. And abstraction rot is a
vicious kind of technical debt. So using "epk" for anything that is not
ECDH-ES will make things harder, not easier.

As for API design, the main issue are algorithms that do something that
is unexpected. There is nothing unexpected in using a new header
parameter.

In contrast, both JOSE-HPKE modes do very unexpected things. And
Integrated Encryption is something so fundamentally unexpected that it
not being aligned with HPKE as Key Encryption is not an issue for any
implementation.

It would be much smaller problem for implementators if:

- JOSE-HPKE-KE used new parameter for enc, Encrypted Key for ct.
- JOSE-HPKE-IE used Encrypted Key for enc, Ciphertext for ct.

Than if JOSE-HPKE-IE put enc in parameters, forcing multishot.

The reason for this is that even trying to use the same algorithm
dispatch for Integrated Encryption will already lead to nasty
abstraction rot.

That forces duplicate implementations of all JOSE-HPKE algorithms. And
once you have duplicate implementations, those can freely diverge.


And given how unaligned JWE and COSE_Encrypt are, why should any new
stuff even try to be aligned in any way? Especially if that would lead
to worst-of-both-worlds.




-Ilari

v2.23.0 | Report a Bug | By Email