[jose] Re: draft-ietf-jose-hpke-encrypt-01
Les Hazlewood <lhazlewood@gmail.com> Mon, 08 July 2024 23:38 UTC
Return-Path: <lhazlewood@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B0EEC23A85B for <jose@ietfa.amsl.com>; Mon, 8 Jul 2024 16:38:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id My3Zp3nRIAjY for <jose@ietfa.amsl.com>; Mon, 8 Jul 2024 16:38:27 -0700 (PDT)
Received: from mail-yw1-x1131.google.com (mail-yw1-x1131.google.com [IPv6:2607:f8b0:4864:20::1131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ED23C180B65 for <jose@ietf.org>; Mon, 8 Jul 2024 16:38:22 -0700 (PDT)
Received: by mail-yw1-x1131.google.com with SMTP id 00721157ae682-6510c0c8e29so40609047b3.0 for <jose@ietf.org>; Mon, 08 Jul 2024 16:38:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720481901; x=1721086701; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fY0v/cF7/Lh8UvELOJqGw3l6Tp+hgyN+64Bm3SBn2i0=; b=hjUD1abDWCXdr25O2yp9DQtP+kO6Z+KAXtiPc1gof+nuJ8VYGjktuUj9DCDA//KWGr N+1gPXPlNlvrI7ptS9MgqcbWikXl9nTCADc9IP5O4ooSAuGpt1JLvNMLRtTOOedjFTrR fF2HR7tau6V2olHtKmSF02tPVG5c4KHaLD/f15Xo5RtY6trD/TsSt9djq37kPdtoC2c2 V6Fg3vXB0z2vcKn8KE4+Nks1XeN8pBwygS57EXb/Go1YYF6zqrXcXvUJJSv7JR7PpJCV m/vG3RxSICLsz9Rcy2EPzP79LNIA3Gxq4pdgigf/mTbos5MZ1h8IozlVm3M8Y3RR/WWo 13Pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720481901; x=1721086701; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fY0v/cF7/Lh8UvELOJqGw3l6Tp+hgyN+64Bm3SBn2i0=; b=pRrHWzG9aLBEsdJHr21fpZnX6vKutOadNSC/MG2+YC2LyJG4DTuEdPHbEoYmqIvbhD +LsUK18Yqn+Vtda4SKnjk7CLT+cSAzMxxylw8PWj4lANxXUzf1tCDOoDL97ZiTw/ldOU CTNr5C8PQzPsOiwFqeKcLr27HIItmPcAriDs0e6dxzLxogP7cqPxi9R/m9Q0sVco9ddZ KX1lpW9/k5Wkakw0PGPoAJfA8n0hd3O/f0WM9Z6ZssB7yKHEEP3WVA3lztAdbxu6z+9S 5P4fpvT5pB61pJuGu2wAPoty7dPLTOeQjA38hUS8lw+30CXbGy8MNvPluVii/6PjlO24 bliw==
X-Gm-Message-State: AOJu0YzDYEIAnr7RKEBeQcTYXS/Q+JgzfBdiBeYEa9YynpNzfFk9a4Cl bT6bTq55PgLo7rpkq5MjI89gFNsPdCIRat/8WMH+38Q8332N7loB2xOy4exsT6g6tprzm71P14L 3ElTjxlPh4MnDKshhg/k1+V+2xM51P9Pb
X-Google-Smtp-Source: AGHT+IHxCQVVDnMBKv5qL+sgQ7uvs9UnGUY5uwQhE7HW5gVmBUfrytbS/kAnm77k4fQlHyMp8I43O2K1CKfHhNUq9mw=
X-Received: by 2002:a81:b50f:0:b0:632:58ba:cbae with SMTP id 00721157ae682-658f0fb34d3mr11938097b3.52.1720481901192; Mon, 08 Jul 2024 16:38:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_KMx_M9vL3kwoohkiVrndU_MohxdGC_vLkBo7R_+-6T2g@mail.gmail.com> <CACVbtYOsf7MkHPOzFgE14JhKrSzAd8EkZ0Sr4X0XRMzdCUtbkA@mail.gmail.com> <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com> <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com>
In-Reply-To: <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com>
From: Les Hazlewood <lhazlewood@gmail.com>
Date: Mon, 08 Jul 2024 16:38:10 -0700
Message-ID: <CACVbtYPauBzeSmXPr8Fyb7Jh3u7ydJgX632B0Fwdn4UPgAfQBg@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Content-Type: multipart/alternative; boundary="000000000000902e94061cc4e886"
Message-ID-Hash: GAYVDHGFIRFHFXMXL2VPVW7Q75SOXTDK
X-Message-ID-Hash: GAYVDHGFIRFHFXMXL2VPVW7Q75SOXTDK
X-MailFrom: lhazlewood@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: JOSE WG <jose@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: draft-ietf-jose-hpke-encrypt-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/XonE6KJ-Rm51uXkMOxYVldksHbI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>
Thinking though this a whole lot more I think I was confused on which alg/enc parameters were used in which header elements. To avoid that confusion for myself, I'll refer to them using their RFC 7516 names: Currently with JWE, `enc` algorithms/IDs are all AEAD algorithms, and I think this must remain the same. Consistency, no surprises, everything stays the same, lowest possible impact to all existing JOSE implementations. And actually, having this value be anything other than an AEAD algorithm would violate RFC 7516, Section 4.1.2 <https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.2> as written: "This algorithm MUST be an AEAD algorithm with a specified key length." Many implementations (mine included) make plenty of assertions that this must be an AEAD algorithm that requires secret keys, etc. Changing this to be a different type of algorithm would cause a lot of problems on implementations, especially those written in typesafe languages. In the multi-recipient case, I agree, there doesn't need to be an `enc` value in the JWE Per-Recipient Unprotected Header because it's always implied by the JWE Protected Header. This must be the same for all recipients anyway. Nor is an JWE Protected Header `alg` value required since that will likely be different per recipient. The union (JWE JOSE Header) for a single recipient and/or JWT must have both header parameters however. For HPKE then, it seems that the `alg` value only needs to include the first 2 HPKE cipher suite IDs/tokens and exclude the trailing AEAD id as Michael Jones said. But then Ilari said: "- The first means to use algorithm "HPKE-P256-SHA256" (presumably Direct Key Agreement) to derive key for "A128GCM" (which is defined by RFC7518) bulk encryption." I'm probably missing something, but I don't believe this is an issue. HPKE does not use nor accept direct shared symmetric key IKM (input key material). That is, HPKE is only to be used for public key derivation of a shared secret (KEM) which is then tied to context and made cryptographically uniform (HKDF), and that output key is used as the AEAD symmetric key. That means if you have an `enc` value, you only need the HPKE ID trailing tokens to be a tuple because you already have the 3rd in the `enc` header parameter. That is: header['alg'] + header['enc'] would always equal "HPKE-<KEMID>-<HKDFID>-<AEADID>" That is unless you're trying to use HPKE as a key encryption/wrapping algorithm, which brings me to my next question: Why is JWE HPKE Key Encryption necessary at all? Since HPKE requires asymmetric keys to be used, what is the use case for encrypting a direct/shared symmetric key when the recipient must decrypt with their private key anyway? Thanks, Les
- [jose] draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Michael Jones
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 tirumal reddy
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Simo Sorce
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Les Hazlewood
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Orie Steele
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Brian Campbell
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Brian Campbell
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 Ilari Liusvaara
- [jose] Re: draft-ietf-jose-hpke-encrypt-01 - Setu… Matt Chanda