Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 20 February 2024 19:43 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BF14C180B68; Tue, 20 Feb 2024 11:43:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KSqYB8SYApOC; Tue, 20 Feb 2024 11:43:55 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A40B5C180B64; Tue, 20 Feb 2024 11:43:44 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id C6021144A1; Tue, 20 Feb 2024 21:43:41 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id FrH5mRatvYV9; Tue, 20 Feb 2024 21:43:41 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 7EB1B292; Tue, 20 Feb 2024 21:43:39 +0200 (EET)
Date: Tue, 20 Feb 2024 21:43:39 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Message-ID: <ZdUA66F8QdsiwQxg@LK-Perkele-VII2.locald>
References: <CAN8C-_LgRdZ-vXFDQJSghKBfJ_gGZWaUE2+qX63faLdnTHSGGg@mail.gmail.com> <ZcqJEVmDxo0YZ6qi@LK-Perkele-VII2.locald>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <ZcqJEVmDxo0YZ6qi@LK-Perkele-VII2.locald>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/fyCN1GC-Itq6VeLr60nMHo-SlWM>
Subject: Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 19:43:59 -0000
On Mon, Feb 12, 2024 at 11:09:37PM +0200, Ilari Liusvaara wrote: > On Mon, Feb 12, 2024 at 12:41:52PM -0600, Orie Steele wrote: > > See https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/ > > > > Do we expect to see RSA Kem support in JOSE and COSE without the use of > > HPKE? > > > > If so, how do we identify RSA keys for use with KEMS? How do we transport > > KEM CT ? > > I would imagine keys specify which KEM those keys use. > > And then there would be KEM algorithms analogous to ECDH-ES ones (there > are a few details about ECDH-ES algorithms that need tweaking for > things to work with KEMs). > > IIRC, only three differences are needed: > > - KEM shared secret goes where ECDH result used to go. > - Where one sticks the KEM ciphertext. > - Some trivial encaps/decaps process stuff. > > Things like KDFs can just be reused as-is. Attempting to spec things out to check this: JOSE: ----- algorithms KEM, KEM+A128KW, KEM+A192KW and KEM+A256KW work like ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW respectively with the following differences: In the sender end, the shared secret Z is established by encapsulating to public key. This also yields ciphertext, which is base64url-encoded and placed to "kct" parameter ("epk" parameter is not used). In the receiver end, the shared secret Z is established by decapsulating the (base64url-encoded) ciphertext in the "kct" parameter. Key derivation uses Concat KDF with inputs as specified in RFC 7518 section 4.6.2. The key MUST be for some KEM. The KEM algorithm is assumed to have both shared secret and ciphertext be octet strings. For security, the KEM used MUST be IND-CCA secure (with exception of failures caused by malleability). KEM is Direct Key Agreement and others are Key Agreement with Key Wrapping. COSE: ----- algorithms KEM+HKDF-256, KEM+HKDF-512, KEM+A128KW, KEM+A192KW and KEM+A256KW work like ECDH-ES+HKDF-256, ECDH-ES+HKDF-512, ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW respectively with the following differences: In the sender end, the secret input to the KDF is the shared secret established by by encapsulating to public key. This also yields ciphertext, which is placed in the -4 header parameter (the -1 header parameter is not used). In receiver end, the secret input to the KDF is the shared secret established by decapsulating the ciphertext in the -4 header parameter. Key Derivation uses the KDF defined in RFC 9053 section 5.1, with the context structure defined in RFC 9053 section 5.2. The key MUST be for some KEM. The KEM algorithm is assumed to have both shared secret and ciphertext be byte strings. For security, the KEM used MUST be IND-CCA secure (with exception of failures caused by malleability). KEM+HKDF-256 and KEM+HKDF-512 are Direct Key Agreement and others are Key Agreement with Key Wrap. ... Seems to hold up pretty well. No reason to care about malleability, that gets immediately ruined anyway. However, IND-CCA failures not from malleability tend to be something nasty that one very much has to care about. -Ilari
- [jose] JOSE/COSE RSA Kem without HPKE? Orie Steele
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Russ Housley
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] JOSE/COSE RSA Kem without HPKE? Neil Madden
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Orie Steele
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Orie Steele
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara
- Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE? Ilari Liusvaara