[jose] JOSE/COSE RSA Kem without HPKE?

Orie Steele <orie@transmute.industries> Mon, 12 February 2024 18:42 UTC

To: cose <cose@ietf.org>, JOSE WG <jose@ietf.org>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/pqZ_B5mxZZDGpSNDfwidBDLIpFc>

See https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/

Do we expect to see RSA KEM support in JOSE and COSE without the use of
HPKE?

If so, how do we identify RSA keys for use with KEMs? How do we transport
KEM CT?

One option would be to reuse what we have in the JOSE HPKE draft, to
transport the KEM CT as an ephemeral encapsulated key:

{
  "protected": "eyJlbmMiOiJBMTI4R0NNIn0",
  "encrypted_key": "W0nlNK0VztBrVSJo23vNEPcUKbSgRWYaisRpeAqHw5M",
  "iv": "BvmzuI3ign3WgUVs",
  "ciphertext": "1iqtwexTYT9lsxppkWVs...Udc0KgLXGvD4l8q_LVvodF",
  "tag": "fJ1Mq0pP1j_ZrNP2kXDUsw",
  "aad": "8J-SgCBhYWQ",
  "recipients": [
    {
      "encrypted_key": "W0nlNK0VztBrVSJo23vNEPcUKbSgRWYaisRpeAqHw5M",
      "header": {
        "kid": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:iCUZEezL_1kx3t3y9i_AW0LIOmojwr2tBgih7RCy-kE",
        "alg": "HPKE-Base-P256-SHA256-AES128GCM",
        "epk": {
          "kty": "EK", // encapsulated key type
          "ek": "BN1YNlivxeS3DayvCt...3HDoa1Orh1wqPmw3Pp6Y" // encapsulated key
        }
      }
    },
    // RSA KEM example goes here... looks like HPKE example above?
    {
      "encrypted_key": "B9X-TifYXbA0fKHpASFT4N1_sLMf1...VmWjVhkfgaOvS9VCOzepEM02jFA",
      "header": {
        "alg": "RSA-OAEP-384"
      }
    },
    {
      "encrypted_key": "MRtJFqzpSDoLwS2AW13dbuGcPWrnRl-r",
      "header": {
        "kid": "urn:ietf:params:oauth:jwk-thumbprint:sha-256:qXy7xVrE0xm3tS9ilK74GadeD9HF1wnQUzY5ml4pWuY",
        "alg": "ECDH-ES+A128KW",
        "epk": {
          "kty": "EC",
          "crv": "P-256",
          "x": "YzBl6tEBdqvkDxcGS7SWePD-oI4J9jMQX6qh3k7lGTw",
          "y": "s8D6l21rlSCH5IZZF4kjPwGhcoHg3ENGSup3VpE7o_8"
        }
      }
    }
  ]
}

or:

{
        / kid /
        4: h'3031',
        / encapsulated_key /
        -4: h'045df...73e', // new cose header, since cose does not support
                            // transporting encapsulated keys as "epk" (-1).
},


Similar to the discussions we have had for ECDH-ES+A128KW vs HPKE, let us
start a discussion for

RSAES-OAEP w/ SHA-256 vs HPKE or Plain RSA KEM (TBD)

- https://www.rfc-editor.org/rfc/rfc7518.html#section-4.3
- https://www.rfc-editor.org/rfc/rfc8230.html#section-3

The reason I raise this is that Ilari mentioned wanting to use JOSE HPKE's
Integrated Encryption and Key Encryption modes, without HPKE but with other
KEMs, so considering how RSA KEM might be supported in JOSE and COSE seems
worth discussing.

Is it OK if JOSE uses "epk" and JWK, and COSE uses a new header
parameter instead of using "epk" and COSE Key?

Should JOSE do as COSE is doing? Or vice versa?

Regards,

OS

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>
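
The transport option raised in the message above, as an added example that is not part of the original e-mail or of any draft: RSA-KEM encapsulation whose KEM CT is carried as "epk" with "kty": "EK", and the matching decapsulation with ciphertext checks. The toy key (two Mersenne primes), the stand-in KDF, the "RSA-KEM-TBD" alg value and all function names are assumptions; wrapping the CEK with the shared secret is not shown.

```python
import base64, hashlib, secrets

# Constructed toy key for illustration only: two Mersenne primes give a
# 1128-bit modulus without key-generation code. Never use such a key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
N_LEN = (N.bit_length() + 7) // 8

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def kdf(z: bytes, length: int = 16) -> bytes:
    # Stand-in KDF (assumption): SHA-256 over a 4-byte counter and Z.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(counter.to_bytes(4, "big") + z).digest()
        counter += 1
    return out[:length]

def encapsulate(n: int, e: int):
    """RSA-KEM: random z in [0, n-1], ct = z^e mod n, ss = KDF(I2OSP(z))."""
    z = secrets.randbelow(n)
    ct = pow(z, e, n).to_bytes(N_LEN, "big")
    return ct, kdf(z.to_bytes(N_LEN, "big"))

def decapsulate(ct: bytes, n: int, d: int) -> bytes:
    c = int.from_bytes(ct, "big")
    if len(ct) != N_LEN or c >= n:  # reject a malformed KEM CT
        raise ValueError("invalid RSA-KEM ciphertext")
    return kdf(pow(c, d, n).to_bytes(N_LEN, "big"))

def recipient_for(kid: str):
    """Carry the KEM CT as "epk" with "kty": "EK", as in the message above."""
    ct, ss = encapsulate(N, E)
    header = {"kid": kid, "alg": "RSA-KEM-TBD",  # placeholder alg name
              "epk": {"kty": "EK", "ek": b64u(ct)}}
    return {"header": header}, ss

def shared_secret_from(recipient: dict) -> bytes:
    epk = recipient["header"]["epk"]
    if epk.get("kty") != "EK":
        raise ValueError("expected an encapsulated key")
    return decapsulate(b64u_dec(epk["ek"]), N, D)
```

The KEM CT is always as long as the modulus (141 bytes for this toy key), so the "ek" value grows with the RSA key size.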