IETF Logo Mail Archive

Re: [jose] HPKE Compact JWE Demo

Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 11 February 2024 10:26 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D366DC14F699 for <jose@ietfa.amsl.com>; Sun, 11 Feb 2024 02:26:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UIFu1E0qnApQ for <jose@ietfa.amsl.com>; Sun, 11 Feb 2024 02:26:09 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52DECC14F684 for <jose@ietf.org>; Sun, 11 Feb 2024 02:26:08 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 8CACF17E75 for <jose@ietf.org>; Sun, 11 Feb 2024 12:26:05 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id CsD9pv1A4sTQ for <jose@ietf.org>; Sun, 11 Feb 2024 12:26:05 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 4A9AF72 for <jose@ietf.org>; Sun, 11 Feb 2024 12:26:04 +0200 (EET)
Date: Sun, 11 Feb 2024 12:26:03 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>
Message-ID: <Zcigu0VDAvdeJPT0@LK-Perkele-VII2.locald>
References: <CAN8C-_KgcsaY9A4icRhjHAPnEVb8fYu3vzf0=mk_ODkGEVDDtw@mail.gmail.com> <Zce0L9JgcfA2CAE7@LK-Perkele-VII2.locald> <CAN8C-_+aK5U3iVLJxg4RFe09K+OmkPfboROjRJYViwoYzcywRw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAN8C-_+aK5U3iVLJxg4RFe09K+OmkPfboROjRJYViwoYzcywRw@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/ZJLkhg0PC3tJyj6GqUms28BsvEc>
Subject: Re: [jose] HPKE Compact JWE Demo
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Feb 2024 10:26:13 -0000

On Sat, Feb 10, 2024 at 03:15:11PM -0600, Orie Steele wrote:
> This list feels like mostly complaints about JWE, and not about JOSE HPKE.

Sure, JWE has its problems, but that ship has sailed. Debating those
problems when working with JWE is not productive. One just has to live
with those.

There is only one complaint about JWE, and that is then immediately
taken as something one needs to live with. Plenty of other complaints
just are not relevant here.


> With compatibility with ECDH-ES JWE shown, I feel pretty confident that the
> design is on a good track.

That was only a smoke test. Failing it would have been really bad, but
passing does not mean things are actually working.


> If there are problems in the design we have now... those problems are
> fundamental to JWE.

I disagree. I think things can be vastly improved while modifying JWE
no more than what is currently done.


> We are adding HPKE support to JWE not making an incompatible alternative to
> JWE, that only works with HPKE.

The draft does currently have requirements incompatible with JWE. E.g.,

- Requirement to use JSON serialization for Key Encryption.
- Requirement to put "enc" in protected parameters for Key Encryption.
- Requirement to put "alg" in per-recipient unprotected header for Key
  Encryption.

And then arguably also requirement to use compact serialization for
Integrated Encryption.


As example of just what requirements like this can cause, I once wrote
support for extensible priorities in HTTP/2 in a reverse proxy. IIRC, I
explicitly ignored every single requirement that went against base
HTTP/2. Mostly, because code I was modifying was designed for as
specified by base HTTP/2.


> Adding the ability to upgrade to HPKE without major breaking interface
> changes is the objective, and greenfielding alternatives to JWE just delays
> adoption of KEMs and resilience to harvest now decrypt later.

Greenfielding alternatives to JWE is not an option.

And even stuff that just goes against precedent can cause severe issues.

E.g., Multi-recipient interface with similar design as I used in
COSE-HPKE test code would seem to work just fine now. But it would be
a major breaking change to add HPKE as currently specified to it.


> The guiding principle is this:
> 
> Adding HPKE based single recipient and multiple recipient support, with as
> few changes to JWE as possible.

The guiding principles I have:

- Keep things as simple as possible.
- Minimize disruption caused by JWE changes for single recipient.
- Zero HPKE-specific modifications to JWE.
- Zero modifications to JWE for multiple recipient support.

Note that first two are relative, while the last two are absolute.
And new header parameters, algorithms, etc. are not "modifications to
JWE".

The reason for requiring zero modifications for multiple recipients
is that the interaction between recipients is specified by JWE, and
trying to change those rules is asking for critical issues.

And some changes to JWE are required in order to add the Integrated
Encryption mode, I.e., this draft needs to update RFC 7516, but those
changes must not preclude non-HPKE mechnisms later.

And as example of disruption JWE changes could cause, consider
implementation that immediately parses JWE doing the first three steps
of JWE section 5.2. Maybe together with doing step 15. By time that is
done, original serialization is lost. That is very much code one does
not want to touch lightly.


> This constraint makes our job simple... What parameters go in headers? How
> can we accomplish what is needed with as few HPKE specific changes as
> possible.

For stuff relevant to HPKE, nothing except alg needs to go in headers.
This is in contrast to things like Key Agreement ephemeral key, that
does need to go into headers.

I don't see any need for HPKE-specific changes. Even a new header for
KEM ciphertext (problematic for other reasons) could be usefully
repurposed for KEM Key Agreement.

 
> The current draft does the best at this so far, but it's possible in can be
> further improved.
>
> I don't think your suggestion to concatenate strings values for enc and ct
> is an improvement.

What other way is there to satisfy:

- Avoid requiring multi-shot HPKE for compact.
- Both modes encode the output in the same way.

?

I don't think there are any. There is only one output field besides
headers for Key Encryption, and Integrated Encryption can not use
headers in compact without requiring multi-shot.




-Ilari

v2.23.0 | Report a Bug | By Email