Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?
Orie Steele <orie@transmute.industries> Mon, 12 February 2024 22:55 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 103E5C151553 for <jose@ietfa.amsl.com>; Mon, 12 Feb 2024 14:55:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level:
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PE-OSYv1IM8A for <jose@ietfa.amsl.com>; Mon, 12 Feb 2024 14:55:38 -0800 (PST)
Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD25BC15109A for <jose@ietf.org>; Mon, 12 Feb 2024 14:55:38 -0800 (PST)
Received: by mail-pg1-x531.google.com with SMTP id 41be03b00d2f7-5d42e7ab8a9so2317965a12.3 for <jose@ietf.org>; Mon, 12 Feb 2024 14:55:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1707778538; x=1708383338; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=TSCohtU5ZRAxtGPCkHtnx7ZZCDtZuHXi9p2Xnird8rI=; b=FPHdmQ5LfEjYD5cTUfYEOirpIP7moF6pGL2/xAY0s+oTLPGjr7b58oKvx8my02y2Vk wRozWw3HNVNbGe1/lpkC6Tibf8EWFGUbX433dwwKXjpoMIV8N48Fehe4jMQEZipzcYEj XeBYU3HOlEFqHMjf/gPIHPiK4PImZNrQENay/vjhk31+ZTsNMPu7bA76gUBWpaf4/Mzr qVYJbUT51r7iqUsB8TNywmIrlqmdx9hqO8oWf1qYzJFmAqxhmRFhyVMMSXX1DwBZXe4+ 3Z+9cTslrZv1HKnI877wcZeAYmSDJRZRVevAFNpzeA24nk/aJfTzE62ejcfgA0YIpgR1 VvZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707778538; x=1708383338; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=TSCohtU5ZRAxtGPCkHtnx7ZZCDtZuHXi9p2Xnird8rI=; b=ndTaE3LR+5alUDEf+PwV3WZhB/mng+FmhlV7h2WrcEBZeMa2zvahRPkpHqNROCz0B7 d0jClbLzUniu8+VGxHz96980zcaXeQgLjEAHinV/9d8SULhsiWCy9yUbQHCPUraHcDd6 K3rnJRnbQPbt3vK0eiRZdVp/MaIlbAYanH7I57lt2AaUQfWygtYuEnE9f8soM8noKJzF PYYUujev88xGsIl1aFKN24kAsVDd3Rqlr8KSmmQFeDir1pOkC3xMePOt3zjNkjgceUMZ khzW7uPBq2k/qGWHbjLLa3M6HsXADZTOeZvLqNCdxmg+mlw+V3swux5Zap9Xqv+ydlBe 18sw==
X-Forwarded-Encrypted: i=1; AJvYcCWlMFRFQlnQZIobZf1am5OtfvQnSPYKUM8ze1CQtg3NJBJPDJUKYGaOwI2WyyYCB/l5knkcrXkP2bj9gDF5
X-Gm-Message-State: AOJu0YxIsBwEdoavXkphFkoIcd0AIRt0RDz1qM3NP1c9GZslnKIIUWQG xdfOGR2HwQEXpxq9kPE0RuSvqkLh8rNY24n7LvWvS5iTwM+nGHOVwcw7NP7LpEjXRwwxQvslzRp BHvtn8HuH2bWab/UavdX0hk2FP1U6rVcrWCvOcF4mQ6CT9t8IMc0=
X-Google-Smtp-Source: AGHT+IG6xFltRqBcnqSxjuzsy1+GUJCVJnCdjjUl3CoxGsV2tm8ht62YEk3qGA+UR2MQ/nuusk2NRzaT3T3HxeoMhKA=
X-Received: by 2002:a05:6a20:2d29:b0:19c:6a9c:2c76 with SMTP id g41-20020a056a202d2900b0019c6a9c2c76mr6708875pzl.10.1707778537605; Mon, 12 Feb 2024 14:55:37 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_LgRdZ-vXFDQJSghKBfJ_gGZWaUE2+qX63faLdnTHSGGg@mail.gmail.com> <ZcqJEVmDxo0YZ6qi@LK-Perkele-VII2.locald>
In-Reply-To: <ZcqJEVmDxo0YZ6qi@LK-Perkele-VII2.locald>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 12 Feb 2024 16:55:26 -0600
Message-ID: <CAN8C-_+5+rfseHqv2KBV4A0GOy7pvWqKwL8ycC+U9w+wm91P0Q@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000016ea960611372ddb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/XYaLwDq3YuB1oTMdu0M1D7-Uqn0>
Subject: Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Feb 2024 22:55:43 -0000
Inline: On Mon, Feb 12, 2024 at 3:09 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Mon, Feb 12, 2024 at 12:41:52PM -0600, Orie Steele wrote: > > See https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/ > > > > Do we expect to see RSA Kem support in JOSE and COSE without the use of > > HPKE? > > > > If so, how do we identify RSA keys for use with KEMS? How do we transport > > KEM CT ? > > I would imagine keys specify which KEM those keys use. > > And then there would be KEM algorithms analogous to ECDH-ES ones (there > are a few details about ECDH-ES algorithms that need tweaking for > things to work with KEMs). > > IIRC, only three differences are needed: > > - KEM shared secret goes where ECDH result used to go. > - Where one sticks the KEM ciphertext. > - Some trivial encaps/decaps process stuff. > > Things like KDFs can just be reused as-is. > > > > One option would be to reuse what we have in the JOSE HPKE draft, to > > transport the KEM CT as an ephemeral encapsulated key: > > If HPKE uses a header, I would imagine it uses the same one. KEM CT > can be assumed to be a byte string. > > > > Similar to the discussions we have had for ECDH-ES+A128KW vs HPKE, let us > > start a discussion for > > > > RSAES-OAEP w/ SHA-256 vs HPKE or Plain RSA Kem (TBD) > > > > - https://www.rfc-editor.org/rfc/rfc7518.html#section-4.3 > > - https://www.rfc-editor.org/rfc/rfc8230.html#section-3 > > Well, there is already RSA support. > > However, stuff like this might be more interesting: > > https://github.com/lamps-wg/draft-composite-kem/pull/11 > > Yes, this is another reason to ask... will we see composite kems as standalone building blocks (like RSA Kem) Or will we see HPKE Suites that pair those building blocks with specific choices of KDF and AEAD. > > > The reason I raise this, is that Ilari mentioned wanting to use JOSE > HPKE's > > Integrated Encryption and Key Encryption modes, without HPKE but with > other > > KEMs, so considering how RSA Kem might be supported in JOSE and COSE > seems > > worth discussing. > > Integrated Encryption can not work with KEMs. > Of course, you are correct. > > In JWE and COSE, KEMs act similarly to ECDH-ES and have the same types > (Direct Key Agreement, Key Agreement with Key Wrap(ping)). > > Anything one can use ECDH-ES for, one should be able to use KEM for. > epk is already used for this case, the ES part, is what pairs with the "epk" part. > > > Is it ok if JOSE uses "epk" and JWK, COSE uses a new header > > parameter instead of using "epk" and COSE Key? > > Well, I think using new header parameter is easier for implementations > than using a JWK (or COSE_Key). The JWK seems just pointless wrapping > of a byte string. > It's not pointless. It uses the existing code points for headers, which reduces the burden on applications that will have to keep processing those headers. The applications only need to switch on "alg", and then process the associated epk.... which is what they are already doing for "ECDH-ES" and "epk" today. If we didn't have these existing application processing considerations, it would be easier to say adding a new header param is the correct solution in my opinion, but we are probably headed for testing RSAES-OAEP, ECDH-ES, and HPKE recipients for the same encrypted messages.... if we add RSA-KEM+A128KW to that mix, it's better to consider the design cost of that now... before the drafts become standards... I think either path will work, but we should force the API design to align, for the sake of developers... I would call it a win if JOSE and COSE handle this in a similar way, and a loss if they decide to handle it differently... I am not attached to the design using epk, but I do think it is easier for implementations that have to keep supporting ECDH-ES alongside HPKE and RSA Kem. > > > > > -Ilari > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [jose] JOSE/COSE RSA Kem without HPKE? Orie Steele
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Russ Housley
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] JOSE/COSE RSA Kem without HPKE? Neil Madden
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Orie Steele
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Orie Steele
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara