IETF Logo Mail Archive

Re: [jose] [COSE] HPKE PartyU / PartyV

Orie Steele <orie@transmute.industries> Thu, 29 February 2024 17:05 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2AF3C14F5FF for <jose@ietfa.amsl.com>; Thu, 29 Feb 2024 09:05:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.085
X-Spam-Level:
X-Spam-Status: No, score=-7.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wu7gzlt8FOEh for <jose@ietfa.amsl.com>; Thu, 29 Feb 2024 09:05:09 -0800 (PST)
Received: from mail-pg1-x529.google.com (mail-pg1-x529.google.com [IPv6:2607:f8b0:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0159C13AE23 for <jose@ietf.org>; Thu, 29 Feb 2024 09:05:09 -0800 (PST)
Received: by mail-pg1-x529.google.com with SMTP id 41be03b00d2f7-5dca1efad59so898084a12.2 for <jose@ietf.org>; Thu, 29 Feb 2024 09:05:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1709226309; x=1709831109; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+ki4aLc+ODcj7SmbsJNQkcZINlUNjHHH6jI9PH0rA0M=; b=U9w54wFv20kMkJA7XIrYo4TUguBmBJp+IuUbnWE5flOF7rAWYZlAwNZQ50DsiiStpX QXpj3Z59cp8gs4qLZpvbHTb/ZTHfubSI6V9ujSCAWa0o8Dvb1yQPKV22nGx+PLZic+/x EPtf822wMGLGTQjJVKT403n5ji9aaDJOdZYkAIXzGrqkDBpb27xqwnK9FaK67qbEpxK2 kIEkMb2zxfcMyUA0Aeh6sULTVycR+57AChhNnd2bKBYNEDwoBKLW5Wru3VM9v1vBQUTP kXMQSVNhnPkR2GL8IHwJWgfPWsAf+fXgwPfFrlEa6ChgjTZpc/0tFh8oAt7SCTje5aPl ubbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709226309; x=1709831109; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+ki4aLc+ODcj7SmbsJNQkcZINlUNjHHH6jI9PH0rA0M=; b=rYl9Yq/jvM4da9CWsPJJoK833+y8d4S0IuqDjnYuvkweh7bEjWluE9VO5NNulNIxap R32WDkkM5BrCZunT9n9z7oKbQ8uzLl3JE3kAkMS5Mu5aJEGMfk3eiJ0ZbOUf/4Y8k/28 aMWVF/keGIgnvsrGzHqfiF47joa/jijHkZn2dy8/By0tWKinuOpYetwFheNScCCCcdQa WMGfy7GG0L0jS1fwMlAnbpNWTyXxLtf4HOlPA19LPl6KBQXmFt0Tn92ZWre1qgiIqTwE NOH2+8qx3Nq/UH6wfftGqWfTAFEmw2WRVlAhBznj37iotd0tNBa9I79gRRvYMm56LSsm ljLQ==
X-Gm-Message-State: AOJu0YySWZ5/YYj7PCKMja8hAECyXjTkTnOPIZPXQyOaHJf+NKAP1I5H 38KdwU9pkyFgQtesGg83gR5TBE8Pk502MDn5CLGqGOmWYLbnsXoMNKIR6elULEohL2+JVyRClXm 7ypoY8cbFeU7IS9Ct6W0W04yrxzP8xpUhH8YKcqaTc7CkVlpomuzkLw==
X-Google-Smtp-Source: AGHT+IEcOxlD/5Vy0gqVRdSkQyE329C9Gn+ANqrWGWTtuqn4ZIhrpeC6lbs3Au4OGVbkfMhKHsfPOUZop1coJ4LeMNM=
X-Received: by 2002:a17:90a:d347:b0:29a:67fa:7bb7 with SMTP id i7-20020a17090ad34700b0029a67fa7bb7mr2590927pjx.47.1709226308724; Thu, 29 Feb 2024 09:05:08 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_LUMe09=WbkwT-RckhR8+LYCQMw8XWnwmDLE5riYjd7pg@mail.gmail.com> <Zd749IrwWC2hI6yX@LK-Perkele-VII2.locald> <CAN8C-_J+mMABCa2HPWv5zJ=u1HSb+saq_mn5kB0Wq5upWUyM9Q@mail.gmail.com> <Zd-NRA2kH4fc_d-X@LK-Perkele-VII2.locald> <CAN8C-_+tG9845bn986Anr89ObNpUCzOAuiEJMPh4KGK3ixB+uQ@mail.gmail.com> <Zd-colj_jF47gLQP@LK-Perkele-VII2.locald> <CAN8C-_Jw2J6OY6N7gRVepVuHiC5NqgH36dXQ6krZ1U-Spqq7fQ@mail.gmail.com> <ZeCZJK76cQNZp7q9@LK-Perkele-VII2.locald>
In-Reply-To: <ZeCZJK76cQNZp7q9@LK-Perkele-VII2.locald>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 29 Feb 2024 11:04:57 -0600
Message-ID: <CAN8C-_+_nzGCWV6zNny1j_9TTikW8rBtw9388YB7UGzSwEzoTw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: JOSE WG <jose@ietf.org>, cose <cose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f90abc0612884241"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/gpWYH_6zqfPLy1GBWMwKSf_WcpA>
Subject: Re: [jose] [COSE] HPKE PartyU / PartyV
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Feb 2024 17:05:13 -0000

I think we actually agree here.

The remaining point is just what to do in HPKE.

1. New header parameters, mandatory processing rules, mix
content encryption algorithm into the KDF (via HPKE INFO).
2. New Enc_structure, (fix disconnected layers vulnerability), protect
"Enc_structure" with AAD (via HPKE AAD).

What JWE allows, is based on the algorithms it relies on, and their
processing rules are algorithm specific, for example:

https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.2

So both 1 and 2 can also work for JOSE, except that there is no
"Enc_structure", there is just the normative language regarding:

"What to set for HPKE AAD in seal and open" and "What to set for HPKE
INFO"...

If we are not going to create COSE_KDF_CONTEXT, then suggest we will also
not create ConcatKDF context in JOSE.

So HPKE INFO, will be the same in both JOSE HPKE and COSE HPKE.

The guidance that JOSE provides regarding using the protected header bytes
as aad, seems reasonable.

https://datatracker.ietf.org/doc/html/rfc7516#appendix-A.4.5

"""
Let the Additional Authenticated Data encryption parameter be
ASCII(BASE64URL(UTF8(JWE Protected Header)))
"""

When you apply this guidance to HPKE Direct / Integrated Encryption, there
is only the top level protected header to consider since there is only a
single recipient.

When you apply this guidance to HPKE Key Encryption, in JOSE, you are
"mixing layers", but that's ok to do, because there is no way to understand
any of the HPKE algorithms in the context of JOSE without reading the RFC
that defines that behavior... which we are hopefully progressing through
these debates : )

The logic for COSE is the same, regarding proposals 1 and 2.

I like your comment regarding the fully specified algorithms draft...
considering the encryption use case for fully specified algorithms:

https://www.rfc-editor.org/rfc/rfc7520#section-5.6.3

{
     "alg": "dir",
     "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a",
     "enc": "A128GCM"
}

{
     "alg": "dir",
     "kid": "77c7e2b8-6e13-45cf-8672-617b5b45243a",
     "enc": "HPKE-Base-P256-SHA256-AES128GCM"
}

I would consider both of these cases "fully specified".

One is fully specified by listing a single AEAD algorithm.

The other is fully specified by listing an HPKE SUITE, that bundles KEM,
KDF and AEAD together.

In the context of COSE, we don't have "enc", but we do have fully specified
algorithms for COSE HPKE.

Thanks for your comments.

Regards,

OS




On Thu, Feb 29, 2024 at 8:48 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Wed, Feb 28, 2024 at 03:31:26PM -0600, Orie Steele wrote:
> > >
> > >
> > > <snip>
> > >
> >
> >
> > > JWE requirements imply that if { alg: dir, enc: HPKE...A128GCM } is
> > > legal, then { alg:ECDH-ES, enc: HPKE...A128GCM } is also legal. But
> > > the latter tries to derive HPKE key from Direct Key Agreement, which is
> > > absurd. Contradiction. Therefore { alg: dir, enc: HPKE...A128GCM } can
> > > not be legal. Q.E.D.
> > >
> >
> > JOSE HPKE can say:
> >
> > When using direct encryption, set the protected header "alg" to "dir",
> set
> > the "enc" value to "HPKE...A128GCM".
> > Values other than "dir" MUST NOT be used when "enc: HPKE...A128GCM" is
> > present in protected headers.
> > Direct encryption with HPKE MUST NOT be used with more than one
> recipient.
>
> No, JWE does not allow doing that.
>
>
> > That being said, we could add new values for integrated encryption, and
> the
> > same argument would apply:
> >
> >  { alg: hpke-ik, enc: HPKE...A128GCM } or { alg: HPKE...A128GCM, enc:
> > hpke-ik }
> >  { alg: hpke-ik, enc: A128GCM } or { alg: ECDH-ES, enc:  hpke-ik }
>
> I don't think that would be a good idea.
>
> And it would also violate section 5 of
> draft-ietf-jose-fully-specified-algorithms-01.
>
> If adding a new sort of thing, it should be added into space that was
> previously invalid. One such is missing "enc".
>
>
> > Arguing a contradiction from a false (absurd) premis, is invalid.
>
> If x => y and y is false, then x is false.
>
>
> > > > * COSE: HPKE AAD is CDE of Enc_Structure, just like for symmetric
> AEAD.
> > > >
> > > > ^ I do not understand how this proposal secures both the recipient
> > > > protected header, and the top level protected header, while
> addressing
> > > the
> > > > oracle attack.
> > >
> > > It does not. Because the only way to address oracle attack without
> > > breaking changes are via totally different kind of mechanism.
> > >
> >
> > LAMPs draft addresses it by mixing the content encryption AlgorithmID
> used
> > into the KDF.
> >
> >
> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-cek-hkdf-sha256-00#section-5.1
>
> Because that is the only way to fix it in CMS without breaking change.
>
>
> > That's a layer violation in traditional COSE, but because there is no
> > COSE-HPKE,
> > that can be the default behavior if we write text that makes it so.
>
> That is still a breaking change (breaks any library interface assuming
> no layer-mixing)
>
>
> > This is why I pointed at COSE_KDF_CONTEXT... we could try solving this
> > problem using it.
> > but since it's mostly redundant to HPKE, that seems like a bad idea.
>
> Yeah, using COSE_KDF_Context with HPKE is a bad idea.
>
>
> > That leaves only HPKE INFO and HPKE AAD as the possible places to address
> > this.
>
> That assumes it is addressed. However, there is no way to do so without
> a breaking change (see above).
>
>
> > I'd be happy to review your alternative proposals.
>
> A hacky HPKE-specific fix would be to require that keys encrypted by
> HPKE MUST NOT be used for unauthenticated encryption without KDF step
> in between.
>
>
> The proper way to fix it is to add a header parameter that adds a KDF
> step between the CEK and the actual key used in symmetric encryption.
>
> And then add a requirement that any key used for unauthenticated
> encryption MUST come from KDF.
>
>
> > > > Since HPKE is new, we don't have to forward the vulnerable 2 layer
> > > behavior
> > > > for the case where all algorithms in a 2 layer are HPKE algs.
> > > >
> > > > We cannot fix the oracle attack in a "mixed alg" 2 layer cose
> structure,
> > > > because it would require breaking changes.
> > >
> > > Just fixing it for HPKE would already require breaking changes (by
> > > introducing layer-mixing)
> > >
> >
> > This is false, because there is no JOSE or COSE HPKE.
> >
> > By default, any new HPKE algorithm will be new functionality for
> libraries,
> > and can therefore not be called a breaking change... since there is
> nothing
> > to break.
>
> It breaks any library interface that assumes no layer-mixing. Which is
> a reasonable assumption, given that currently everything layers neatly.
>
>
>
>
> -Ilari
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email