IETF Logo Mail Archive

Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 20 February 2024 19:43 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BF14C180B68; Tue, 20 Feb 2024 11:43:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KSqYB8SYApOC; Tue, 20 Feb 2024 11:43:55 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A40B5C180B64; Tue, 20 Feb 2024 11:43:44 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id C6021144A1; Tue, 20 Feb 2024 21:43:41 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id FrH5mRatvYV9; Tue, 20 Feb 2024 21:43:41 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 7EB1B292; Tue, 20 Feb 2024 21:43:39 +0200 (EET)
Date: Tue, 20 Feb 2024 21:43:39 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Message-ID: <ZdUA66F8QdsiwQxg@LK-Perkele-VII2.locald>
References: <CAN8C-_LgRdZ-vXFDQJSghKBfJ_gGZWaUE2+qX63faLdnTHSGGg@mail.gmail.com> <ZcqJEVmDxo0YZ6qi@LK-Perkele-VII2.locald>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <ZcqJEVmDxo0YZ6qi@LK-Perkele-VII2.locald>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/fyCN1GC-Itq6VeLr60nMHo-SlWM>
Subject: Re: [jose] [COSE] JOSE/COSE RSA Kem without HPKE?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 19:43:59 -0000

On Mon, Feb 12, 2024 at 11:09:37PM +0200, Ilari Liusvaara wrote:
> On Mon, Feb 12, 2024 at 12:41:52PM -0600, Orie Steele wrote:
> > See https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/
> > 
> > Do we expect to see RSA Kem support in JOSE and COSE without the use of
> > HPKE?
> > 
> > If so, how do we identify RSA keys for use with KEMS? How do we transport
> > KEM CT ?
> 
> I would imagine keys specify which KEM those keys use.
> 
> And then there would be KEM algorithms analogous to ECDH-ES ones (there
> are a few details about ECDH-ES algorithms that need tweaking for
> things to work with KEMs).
> 
> IIRC, only three differences are needed:
> 
> - KEM shared secret goes where ECDH result used to go.
> - Where one sticks the KEM ciphertext.
> - Some trivial encaps/decaps process stuff.
> 
> Things like KDFs can just be reused as-is.

Attempting to spec things out to check this:


JOSE:
-----
algorithms KEM, KEM+A128KW, KEM+A192KW and KEM+A256KW work like ECDH-ES,
ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW respectively with the
following differences:

In the sender end, the shared secret Z is established by encapsulating
to public key. This also yields ciphertext, which is base64url-encoded
and placed to "kct" parameter ("epk" parameter is not used).

In the receiver end, the shared secret Z is established by decapsulating
the (base64url-encoded) ciphertext in the "kct" parameter.

Key derivation uses Concat KDF with inputs as specified in RFC 7518
section 4.6.2.

The key MUST be for some KEM. The KEM algorithm is assumed to have both
shared secret and ciphertext be octet strings.

For security, the KEM used MUST be IND-CCA secure (with exception of
failures caused by malleability).

KEM is Direct Key Agreement and others are Key Agreement with Key
Wrapping.


COSE:
-----
algorithms KEM+HKDF-256, KEM+HKDF-512, KEM+A128KW, KEM+A192KW and
KEM+A256KW work like ECDH-ES+HKDF-256, ECDH-ES+HKDF-512,
ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW respectively with
the following differences:

In the sender end, the secret input to the KDF is the shared secret
established by by encapsulating to public key. This also yields
ciphertext, which is placed in the -4 header parameter (the -1 header
parameter is not used). 

In receiver end, the secret input to the KDF is the shared secret
established by decapsulating the ciphertext in the -4 header parameter.

Key Derivation uses the KDF defined in RFC 9053 section 5.1, with the
context structure defined in RFC 9053 section 5.2.

The key MUST be for some KEM. The KEM algorithm is assumed to have both
shared secret and ciphertext be byte strings.

For security, the KEM used MUST be IND-CCA secure (with exception of
failures caused by malleability).

KEM+HKDF-256 and KEM+HKDF-512 are Direct Key Agreement and others are
Key Agreement with Key Wrap.



... Seems to hold up pretty well.

No reason to care about malleability, that gets immediately ruined
anyway. However, IND-CCA failures not from malleability tend to be
something nasty that one very much has to care about.




-Ilari

v2.23.0 | Report a Bug | By Email