[jose] Re: draft-ietf-jose-hpke-encrypt-01

Orie Steele <orie@transmute.industries> Mon, 08 July 2024 17:59 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D69A7C14F6FB for <jose@ietfa.amsl.com>; Mon, 8 Jul 2024 10:59:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K3QPRqlmCA6Q for <jose@ietfa.amsl.com>; Mon, 8 Jul 2024 10:58:59 -0700 (PDT)
Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAA45C151096 for <jose@ietf.org>; Mon, 8 Jul 2024 10:58:59 -0700 (PDT)
Received: by mail-pj1-x1031.google.com with SMTP id 98e67ed59e1d1-2c961b5f215so2357895a91.0 for <jose@ietf.org>; Mon, 08 Jul 2024 10:58:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1720461539; x=1721066339; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=QM3E41A4GnMbAM8P05g9P8rzwnCI5XK6FRRiKE+GGIg=; b=bYtfDIm/C8m6mZoz3KYiY0JybUC2F1I/gben3A7JtqmkCGcQZEdR1MXfPPzxzuUrr6 LmqoTY3np5n5os9/WkhfdwkrWT9dYiMGNsV4bFojWAKQshm6tQSmyzEyylYV4oO8eId9 U7Qy7HLtVF5rBVoQrg+UNC+WhrsiiuUWMwRhGLU2gBscMeNS76mNHY2KgIrsSf79EQVU /bqj80Vrwwjz4enrIMEqGbCF0gW7LQ8G1A1YoLvHB5Q4onQ6BOGIWncVGkztef49jxDI UODmNTcjrzA38J8caM+uFQr1RHNr46nKmx6DBjoixhEep/sg93qtxlRbtQ+Cyxo5zRCS vLlg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720461539; x=1721066339; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=QM3E41A4GnMbAM8P05g9P8rzwnCI5XK6FRRiKE+GGIg=; b=A0QMi6lL6gJeUL42+EMMlWBZLcBgAnnJUOmwmAvB7uQ0uKLeC7qVLnd6ypV+BXDB9D Rb+gvTDdodUECj5gl/0y+OgRXdhOCmQ8tmAtRy7rbXp+7O0EhRH9wQpOHY99y5N0x5cE H16NTpf8Z6em/zU/27ahZd8GuJ7EYqV81gX9dbTE058w3SoiS1iWvDkCfbK24JcNX+Ql GUBPNNdQfKsny4LpX//Q088AYc19jtI1vUK5gtVepel7UvTjfW/N2Smgyh5LUzQU/IlC YnXtc3mSLOHh53SEWF1qZGUtndJaLJxuJawiXV1caIV3RKPFUzydkPyFkVjhx4TlOOnJ 5c5A==
X-Gm-Message-State: AOJu0YwWGjmUh1BQSRnDKVisFW6KEHr26xNPAoZW7afv4FfxVYiPDNxb 73mkgf0Foz8gA+barJszYpekuqypCiaera7kItgfETheLBQH5Xi1TEaPhKOB+m7WiZkdMZtIZba +ZNrdRGs8zp8TnNc8Demora4jlf5urOxe1nfVAFd95DnsJofBFRY=
X-Google-Smtp-Source: AGHT+IHS2AUgQLRX/TLdG1WSk/KWzQbCf1dttOs0jQx8NZ1DWVd89jRSzDecOt9w5tPJc+H+aHkkfevX13xr0X7b52w=
X-Received: by 2002:a17:90a:3006:b0:2c9:63a4:a138 with SMTP id 98e67ed59e1d1-2ca35c283ebmr394739a91.11.1720461539077; Mon, 08 Jul 2024 10:58:59 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_KMx_M9vL3kwoohkiVrndU_MohxdGC_vLkBo7R_+-6T2g@mail.gmail.com> <CACVbtYOsf7MkHPOzFgE14JhKrSzAd8EkZ0Sr4X0XRMzdCUtbkA@mail.gmail.com> <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com>
In-Reply-To: <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 08 Jul 2024 12:58:48 -0500
Message-ID: <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com>
To: Les Hazlewood <lhazlewood@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000e30dbf061cc02a5f"
Message-ID-Hash: F5MABX3O5EVXRP4U5V62OCFRY2QY73JX
X-Message-ID-Hash: F5MABX3O5EVXRP4U5V62OCFRY2QY73JX
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: JOSE WG <jose@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: draft-ietf-jose-hpke-encrypt-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/mPQf9Y9MCKgtxugJ0hkNKMw0YmM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

### Key Encryption Example

{
*        "protected": "eyJlbmMiOiJBMTI4R0NNIn0", // { "enc": "A128GCM" }*
        "iv": "xFOVHqPoufKESHE0",
        "ciphertext":
"jrQO6jW9iuxDHl46SWDQW3nmedYU09I1xssRZlOYWYE2HbAXmXDwgAc5hLGVTQxizhLaC0YaNh4im2GJ9_h7",
        "tag": "1zAmVzvbaZiAU_olStTzdg",
        "aad": "cGF1bCBhdHJlaWRlcw",
        "recipients": [
          {
            "encrypted_key": "_jOYzDrItWbL9Vv035qEnJTip0vvhmC_",
            "header": {
              "kid":
"urn:ietf:params:oauth:jwk-thumbprint:sha-256:8ty4B2GslLjOxJdGjd9YdybvX15eFroyQHio1YimpZk",
              *"alg": "ECDH-ES+A128KW", // works today*
              "epk": {
                "kty": "EC",
                "crv": "P-256",
                "x": "JkxQ8Sry4ZHd45Qea4vt3MxIuliC-ZT08YFEJrRr5VU",
                "y": "TIbmUelobO3iwCj1x6RWG7Wk28XDHBH-U5lLZH6n7P8"
              }
            }
          },
          {
            *"encrypted_key":
"GcLTSQO7NabyItEqeh2EQB2Uh8KrV79-FGFSVQ-fG-E", // encrypted with *
*HPKE-P256-SHA256-A128GCM*
            "header": {

*              "alg": "HPKE-P256-SHA256-A128GCM", // hopefully works in the
future, maybe the name will change?              "enc": "A128GCM", //
probably not needed, maybe remove?*
              "kid":
"urn:ietf:params:oauth:jwk-thumbprint:sha-256:8Tp_DUMUqBo1nsGLwEtk-Y0Lway4dzQRpgUR4ZzyXpQ",
              "psk_id": "our-pre-shared-key-id",
              "auth_kid":
"urn:ietf:params:oauth:jwk-thumbprint:sha-256:8Tp_DUMUqBo1nsGLwEtk-Y0Lway4dzQRpgUR4ZzyXpQ",
              "ek":
"BA80h3xLNmrwWMi1ME--hniqwBcQplt5lwM_r02vXewA1_igignkUnm0qb6mIjaw1c8qs78ZyC3wV_1fpumQP-c"
            }
          }
        ]
}

### Integrated Encryption Example

{
        "protected": "eyJhbGci...tjaWq-PqOZoatF2hrJoho",
        "ciphertext": "nLg0PgTlkWAk9Z77rJvpJYnRAL9QRI0A4GgsFkZUcRgUaVOt",
        "aad": "8J-PtOKAjeKYoO-4jyBiZXdhcmUgdGhlIGFhZCE"
}

Decoded protected header:

{

*  "alg": "HPKE-P256-SHA256-A128GCM",  "enc": "A128GCM", // previously
"dir", ... something needs to stay here for integrated encryption?*
  "kid":
"urn:ietf:params:oauth:jwk-thumbprint:sha-256:S6AXfdU_6Yfzvu0KDDJb0sFuwnIWPk6LMTErYhPb32s",
  "psk_id": "our-pre-shared-key-id",
  "auth_kid":
"urn:ietf:params:oauth:jwk-thumbprint:sha-256:S6AXfdU_6Yfzvu0KDDJb0sFuwnIWPk6LMTErYhPb32s"
}

As you can see, the problem is that currently HPKE "alg" names do not
distinguish between "direct encryption like things" and "key agreement with
key wrapping like things"... for both cases we see:

"alg": "HPKE-P256-SHA256-A128GCM", // currently use for both
"enc": "A128GCM", // optional / invalid for key encryption?... mandatory
for integrated encryption...

We need a way to tell from the header, if the mode is "integrated
encryption" or "key encryption"... either from looking only at the alg, or
looking at the alg and enc.

Folks familiar with direct encryption and key agreement with key wrapping
would probably expect to see:

"alg": "HPKE-P256-SHA256+A128KW" // for key encryption

and ...

"alg": "HPKE-P256-SHA256",  // for "integrated encryption"
"enc": "A128GCM",

I'm hoping that "HPKE-P256-SHA256-A128GCM" is ok for both cases, and the
presence of "enc" is sufficient to distinguish them... but if folks
disagree, feel free to propose something that makes this clearer.

Regards,

OS

On Mon, Jul 8, 2024 at 12:05 PM Les Hazlewood <lhazlewood@gmail.com> wrote:

> Apologies, I misread the compact form in the version 01 draft - it does
> indeed included the cek ciphertext, but not the iv or aad tag.  But my
> comments/questions about mandatory `alg` and `enc` values are still valid I
> believe.
>
> On Mon, Jul 8, 2024 at 9:58 AM Les Hazlewood <lhazlewood@gmail.com> wrote:
>
>> Thanks Orie,
>>
>> As a long-time implementer and maintainer of a widely used JOSE library,
>> I'm have some concerns that I hope could be addressed.  Admittedly, most of
>> my questions are relevant to single recipient and compact (JWT) forms.
>>
>> I don't think for JWE there should ever be an omitted `alg` header
>> parameter: its omission and/or 'none' value can and has caused security
>> problems in the past for parsers and this feels like opening a can of worms
>> again.  Further, it adds cyclomatic complexity (conditionals) for
>> validation assertions that, I hope, shouldn't ever be necessary.
>> Non-absent deterministic values are so much nicer and reduce potential
>> problems.
>>
>> The way `alg` has always worked (conceptually at least) IMO from a
>> library implementor point of view is it means "the algorithm used to obtain
>> the AEAD content encryption key and its potentially associated ciphertext".
>>  `enc` is "the algorithm used to AEAD encrypt the payload".  That is,
>> (pseudocode):
>>
>> enc_alg = enc_registry.find( header['enc'] )
>> key_alg = alg_registry.find( header['alg'] )
>> kek = keystore.find( header['kid'] )
>> cek, cek_ciphertext = key_alg((kek, encAlg, header)
>>
>> For JWE:
>>
>> - No `alg` inherently means "there isn't a way to obtain an cek/cdk".
>> - No `enc` means "the payload is not encrypted", so both must always be
>> present for JWE.
>> - No JWE ciphertext token in the compact JWE string means 'there is no
>> encrypted key ciphertext', when clearly there is (encapsulation).
>>
>> I could be missing something (and happy to be educated accordingly), but
>> I would really like to see the HPKE work maintain these existing constructs
>> - changing them to introduce additional complexity is not an intuitive, nor
>> safe, idea IMO.
>>
>> Respectfully,
>>
>> Les Hazlewood
>> JJWT author/maintainer
>>
>> On Sun, Jul 7, 2024 at 3:17 PM Orie Steele <orie@transmute.industries>
>> wrote:
>>
>>> Hello,
>>>
>>> I have done my best to apply all the feedback gathered from the adoption
>>> call, and I want to draw your attention to the latest draft, and its
>>> primary remaining obstacles for discussion at ietf 120.
>>>
>>> In my haste, I may have destroyed something essential. Apologies to my
>>> co-authors, feel free to roast me at the mic line.
>>>
>>> Be advised the github repo for the working group adopted draft is
>>> currently here, PRs are welcome:
>>>
>>> https://github.com/OR13/draft-ietf-jose-hpke-encrypt
>>>
>>> As you can see from the document history -01 addresses several points of
>>> feedback, and uses the terminology and guidance regarding algorithm names
>>> provided by Ilari and others.
>>>
>>> Major changes in this version:
>>>
>>> - JWK is no longer used for encapsulated keys, but "encrypted_key" JWE
>>> member and "ek" header parameter are.
>>> - HPKE mode (base / auth / psk / psk_auth) is no longer included in
>>> algorithm registrations.
>>> - HPKE Setup info and aad are addressed in a single location for both
>>> integrated and key encryption with hpke.
>>> - "dir" approach has been replaced with "enc": <some registered aead>.
>>> - "jwe aad" examples have been added.
>>> - "psk_id" and "auth_kid" examples have been added.
>>>
>>> I've implemented version -01, and the examples are produced from my
>>> prototype.
>>>
>>> Risk areas, and things which we would like to resolve ASAP.
>>>
>>> ### Fully specified HPKE algorithms
>>>
>>> It would be nice to have confidence that the algorithm names will not
>>> change.
>>>
>>> For example where we currently see:
>>>
>>> ```
>>> "alg": "HPKE-P256-SHA256-A128GCM",
>>> "enc": "A128GCM",
>>> ```
>>>
>>> We might see:
>>>
>>> ```
>>> "alg": "HPKE-P256-SHA256",
>>> "enc": "A128GCM",
>>> ```
>>>
>>> Or whatever the working group decides counts as a "fully specified HPKE
>>> algorithm".
>>>
>>> ```
>>> "alg": "HPKE-P256-SHA256+A128KW", ?
>>> ```
>>>
>>> ### HPKE AAD vs JWE AAD
>>>
>>> I think the current approach is better than computing some custom KDF
>>> info from apu / apv... But is setting the following as HPKE AAD enough?
>>>
>>> hpke-info = empty
>>> hpke-aad = encode-protected-header . aad (when JWE aad is available)
>>>
>>> Where encoded protected header is either the protected header for
>>> hpke jwe integrated encryption, or the protected header used in content
>>> encryption, for which the content encryption key is being encrypted?
>>>
>>> ### Lossy conversions
>>>
>>> It's possible to express things in JSON Serialization that can't be
>>> expressed in Compact serialization.
>>> I tried to make this explicit, but we could decide to simply forbid
>>> conversions from JSON to Compact that lose information, or that would move
>>> things around "ek" to "encrypted_key".
>>>
>>>
>>> Thanks for all the feedback during the adoption call.
>>>
>>> Regards,
>>>
>>> OS
>>>
>>> --
>>>
>>>
>>> ORIE STEELE
>>> Chief Technology Officer
>>> www.transmute.industries
>>>
>>> <https://transmute.industries>
>>> _______________________________________________
>>> jose mailing list -- jose@ietf.org
>>> To unsubscribe send an email to jose-leave@ietf.org
>>>
>>

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>