IETF Logo Mail Archive

Re: [jose] HPKE Compact JWE Demo

Orie Steele <orie@transmute.industries> Thu, 15 February 2024 14:03 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5E6FC18DB89 for <jose@ietfa.amsl.com>; Thu, 15 Feb 2024 06:03:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 86cZ9832cyPx for <jose@ietfa.amsl.com>; Thu, 15 Feb 2024 06:03:53 -0800 (PST)
Received: from mail-pg1-x52a.google.com (mail-pg1-x52a.google.com [IPv6:2607:f8b0:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36B32C18DB8A for <jose@ietf.org>; Thu, 15 Feb 2024 06:03:53 -0800 (PST)
Received: by mail-pg1-x52a.google.com with SMTP id 41be03b00d2f7-5d3907ff128so753589a12.3 for <jose@ietf.org>; Thu, 15 Feb 2024 06:03:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1708005832; x=1708610632; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rzeBMayMeLtWLzvD3X4EyTjhf+mDeqTATHfaZJOKj+w=; b=Mp2cZdn4sqb6fATKeuqa9t1oCN3dJCR1WUFjwNhvwnoownZz9jjNnHEJoJJIMaVlWA AZEeMnchqfL+didsBM1UGaArUqy69sSGcfIML0/9dz3CL4IflksyZ9Gt1+qmZMyUftIt 9upDClDqCxD6Ee9uqk7AQDREPOEEF8xOwyVs5Anq6LCa/XMfpLK/0CdzWW4p/i5u7Sfd BWiDv4M2A48rV8d7cPiC3ABgWSBIb9P/VFKEk0CPo8BZPbU0UO6lEYvQYsXwhIA/2CyY xaZ5UtlBbd1Ea+8oXSlgU3kb6q0YqnVBzkb4kbfgiWM0aEGasdZjK46PX556P+Mfxoup vaqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708005832; x=1708610632; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rzeBMayMeLtWLzvD3X4EyTjhf+mDeqTATHfaZJOKj+w=; b=MuCDMoCpz0Z4UC5D8Mcvlyq9b9ug6Gj/EAW6B4up8VzDklyrYSy/hIJqJ7xukQieS0 X1iPdUatpsliij/C7b5rWy5UVR7gxRXCWkkpmXk+nI9dsmdG7la+0oNVv9Fr11Jtsp0p KYuRY/T4dVBhQHIRsd9Hqr0LD7gr+ehc0xZXCkpnBmD365NqZ+2Zbkk/4CFuggHUz345 GBS8sfGVVGjfhxswKz5X1/Ziw3vy0wUo8rdUW7I34cK7H/9G38LIKt6rP75h0yPdvn3u KjKRJWjlxymyTm6KjeKkkFA1TMEdtQjSSBQg5DKpvukGBQarPp4QRZ9bl88Og+o/ekHc huMw==
X-Gm-Message-State: AOJu0Yxm/vDvaiLNheAFiQ4sd4fcRh3YH0C/oezqsoEqTJDllHEJjhNi wo1uZiMfnMfoxJHQzpcm3jhxRuit0RnleMGmtErK2MFGZvgUn6IEz/aH0CQjtWMov6bRVCRtldX /siC7fgAvi0CMkykRi9WsLWLeXX3T/hFLeHcvKw==
X-Google-Smtp-Source: AGHT+IGVV1//nmPmijGZvjoZv39EQuOh/3m3vMOmdDmccGD+KijDaNzlF6MPP+OSxzmU1HX6BjxBvNhnPNC/PduIcD4=
X-Received: by 2002:a17:90b:24c:b0:296:459d:c96e with SMTP id fz12-20020a17090b024c00b00296459dc96emr1654497pjb.44.1708005832263; Thu, 15 Feb 2024 06:03:52 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_KgcsaY9A4icRhjHAPnEVb8fYu3vzf0=mk_ODkGEVDDtw@mail.gmail.com> <Zce0L9JgcfA2CAE7@LK-Perkele-VII2.locald> <CAN8C-_+aK5U3iVLJxg4RFe09K+OmkPfboROjRJYViwoYzcywRw@mail.gmail.com> <Zcigu0VDAvdeJPT0@LK-Perkele-VII2.locald> <CAN8C-_LpkKDQhDqfrJSmUbf_VSuH+kjsv6COt0mRyEoctVLaFA@mail.gmail.com> <ZcjzJygtsElxxgpw@LK-Perkele-VII2.locald> <CAN8C-_LPoA9iCJ3-YQSj=R1Ycjj+UYb+qQm+zSn7LnJgvw07jg@mail.gmail.com> <ZckwmFC4AR5jAKXR@LK-Perkele-VII2.locald> <CAN8C-_L=Afh3T4Zk+L20+aEeZb5o8S+jHTMOYCB3swpLEYH-wA@mail.gmail.com> <Zc4OClBsipBTq_SX@LK-Perkele-VII2.locald>
In-Reply-To: <Zc4OClBsipBTq_SX@LK-Perkele-VII2.locald>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 15 Feb 2024 08:03:40 -0600
Message-ID: <CAN8C-_KsoeWk++P-kyANvguGAV1D89KSQVj1gzg6HvqRi+4MQQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: JOSE WG <jose@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e82a0c06116c1888"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/nH1Gh-fPljTyOJ9zCFlb9Xo0ezk>
Subject: Re: [jose] HPKE Compact JWE Demo
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Feb 2024 14:03:56 -0000

On Thu, Feb 15, 2024 at 7:14 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Sun, Feb 11, 2024 at 06:22:39PM -0600, Orie Steele wrote:
> >
> > On Sun, Feb 11, 2024 at 2:40 PM Ilari Liusvaara <
> ilariliusvaara@welho.com>
> > wrote:
> >
> > > On Sun, Feb 11, 2024 at 12:13:22PM -0600, Orie Steele wrote:
> > > >
> > > > On Sun, Feb 11, 2024, 10:17 AM Ilari Liusvaara <
> ilariliusvaara@welho.com
> > > >
> > > > With HPKE using Key Encryption, those steps are the same, and the
> > > algorithm
> > > > is present in the recipient header.
> > >
> > > If all recipients have the same alg, it can also be in global headers
> > > (protected or unprotected).
> > >
> >
> > That's an unfortunate "or" but I assume we must preserve it?
> >
> > I've added 2 placeholder tests for these cases, if we must preserve this
> > behavior, we will at least provide examples.
>
> JWE section 5.2. step 4:
>
> ------------------------------------------------------------------------
> Otherwise, when using the JWE JSON Serialization, let the JOSE Header be
> the union of the members of the JWE Protected Header, the JWE Shared
> Unprotected Header and the corresponding JWE Per-Recipient Unprotected
> Header, all of which must be completely valid JSON objects.
> ------------------------------------------------------------------------
>
> JWE section 7.2.1:
>
> ------------------------------------------------------------------------
> Some Header Parameters, including the "alg" parameter, can be shared
> among all recipient computations.  Header Parameters in the JWE
> Protected Header and JWE Shared Unprotected Header values are shared
> among all recipients.
> ------------------------------------------------------------------------
>
>
Yes, we got similar comments off list about how we treat the
requirements for header params.

The suggestion was to only comment on parts of HPKE that need to be in
protected headers.

We'll work the text that direction


>
> > > > Key Encryption is already defined by JWE (RFC 7516).
> > > > >
> > > >
> > > > And is our use of the term consistent?
> > >
> > > Yes. Except I think there are some instances of KAwKW should be KE.
> > >
> >
> > I'm not sure how to address this, but it's possible it is better to wait
> > for a new version on the datatracker to see if we cleared it up by then.
>
> Searching for "Key Agreement" or "Key Wrapping" in editor's copy:
>
>
> Section "Overview":
> ------------------------------------------------------------------------
> JSON Web Algorithms (JWA) {{Section 4.6 of RFC7518}} defines two ways to
> use public key cryptography with JWE:
>
> - Direct Key Agreement

- Key Agreement with Key Wrapping
> ------------------------------------------------------------------------
> Two problems with that:
>
> 1) Those modes are defined by JWE, not JWA.
>

How to use them is defined here:

https://datatracker.ietf.org/doc/html/rfc7516#section-5.1


> 2) There is third mode: Key Encryption.
>

Yes, its defined here:
https://datatracker.ietf.org/doc/html/rfc7516#section-2

"""
   Key Encryption
      A Key Management Mode in which the CEK value is encrypted to the
      intended recipient using an asymmetric encryption algorithm.
"""


> Section "Overview":
> ------------------------------------------------------------------------
> This specification describes two modes of use for HPKE in JWE:
>
>   *  Integrated Encryption mode, where HPKE is used with a single
>      recipient. This setup is conceptually similar to Direct Key
>      Agreement, and is only compatible with JWE Compact Serialization.
>
>   *  Key Encryption mode, where HPKE is used with multiple recipients.
>      This setup is conceptually similar to Key Agreement with Key
>      Wrapping, and is only compatible with General JWE JSON
>      Serialization, and Flattened JWE JSON Serialization.
> ------------------------------------------------------------------------
> That looks to need a rewrite.
>
> Maybe something like:
>
> * Integrated Encryption mode, where HPKE is used to directly encrypt
>   the (possibly compressed) message.
>



>
> * Key Encryption mode, where HPKE is used as a recipient to encrypt
>   the CEK. Multiple recipients require General JWE JSON Serialization.
>
>
>
Take a look at https://github.com/tireddy2/JOSE_HPKE/pull/20/files


> Section "Overview":
> ------------------------------------------------------------------------
> We provide the following table for additional clarity:
>
> | Name                   | Recipients | Serializations | Content
> Encryption Key | Similar to
> |---
> | Integrated Encryption  | 1          | Compact        | Derived from
> HPKE      | Direct Key Agreement
> | Key Encryption         | Many       | JSON           | Encrypted by
> HPKE      | Key Agreement with Key Wrapping
> {: #serialization-mode-table align="left" title="JOSE HPKE Serializations
> and Modes"}
> ------------------------------------------------------------------------
> I do not think that table clarifies things.
>
> Maybe something like:
>
> | Name                  | Recipients | HPKE Encrypts
> |---
> | Integrated Encryption | 1          | Message
> | Key Encryption        | >=1        | Content Encryption Key
>

https://github.com/tireddy2/JOSE_HPKE/pull/20/files#r1491040261


>
> Section "Security Considerations":
> ------------------------------------------------------------------------
> HPKE relies on a source of randomness to be available on the device. In
> Key Agreement with Key Wrapping mode, CEK has to be randomly generated
> and it MUST be ensured that the guidelines in {{RFC8937}} for random
> number generations are followed.
> ------------------------------------------------------------------------
> "Key Agreement with Key Wrapping" -> "Key Encryption"
>
>
> And I randomly spotted:
>
> "- Content Encryption Key (CEK), is defined in {{RFC7517}}."
>
> RFC7517 is JWK, I presume that should be RFC7516 (JWE)?
>

Yep, it should be a reference to
https://datatracker.ietf.org/doc/html/rfc7516#section-2


>
>
> > > > > The draft does not register header parameter for that, but a key
> type.
> > > > >
> > > >
> > > > That's correct, because there exists a header parameter that carries
> keys
> > > > called epk.
> > >
> > > However, encapsulated keys are not themselves keys.
> > >
> >
> > In the case of DHKems, they are literally public keys (uncompressed)
> > starting with the 04 prefix, then x component, then y component.
> >
> > Sure HPKE says it's "opaque bytes", are we building a key format that
> > is only for HPKE?
> > In that case kty: EK, ek: enc is as much a key as any other opaque
> > symmetric key.
>
> Modern KEMs have ciphertexts that are byte strings.
>
> E.g., ML-KEM.
>
> And even if those are not, it is easy to map to byte string. JWS and
> COSE_sign both require signatures to be byte strings. ECDSA signatures
> are not (it is integer pair), so those just get mapped to byte strings.
>
>
> > > And what the heck should implementation do with JWK of such type? Key
> > > types are primarily for JWK, it is just that those get reused for
> > > ECDH-ES (which does indeed have ephemeral keys).
> > >
> >
> > JWK supports many different keys, the only required parameter is "kty".
>
> JWK might "support" it but, AFAICT, it makes no sense.
>

This is just "where you add new header params".

This would be a good topic for IETF 119, and we have the deck from the COSE
WG where we asked the same question.

The rough answer from COSE seemed to be to not fracture the "encapsulated
key"... but we did not show a proposal for COSE Key to the group at that
time.


>
>
> > > And then I noticed that all ciphersuites have base mode, but there are
> > > "psk_id" and "auth_kid" parameters, that only make sense for non-base
> > > modes. Do those headers implicitly modify mode, or are there just no
> > > ciphersuites available?
> > >
> >
> > Yep, we added those in advance of actually being able to use them with
> any
> > suites.
> >
> > We will need suites for them.
>
> Lots of suites, yay. :-)
>

Choosing not to distinguish them seems worse, but yeah... : )


>
>
> > > (There is an attack if auth/auth_psk modes are used for key
> encryption).
> > >
> >
> > What is the attack?
>
> The message is not actually authenticated because anyone that gets the
> CEK (e.g, because they are a recipient) can not just to read the
> message, but to also undetectably modify it.
>
> Not sure what is the "official" term for that sort of attack.
>
> And looks like even Integrated Encryption is vulnerable to a weaker
> version: Anyone that manages to somehow obtain the HPKE internal
> symmetric key can undetectably modify the message. That might be
> rather undesirable in some situations...
>
>
>
In order to do this, the attacker needs control of the decryption process
running on the endpoint right? That seems pretty catastrophic.

It sounds like you are wanting something where the JWE ciphertext structure
is bound into the decapsulation operation, so that any changes to the JWE
structure causes the content encryption key to fail to be unwrapped.

I suspect that trying to tackle this would make backwards compatibility
with JWE difficult... I'm not suggesting this, but one way to accomplish
it, might be to canonicalize and hash the JWE and then include a special
header parameter for recipients to use if they want to be protected from
these kinds of changes.


>
>
> -Ilari
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email