[jose] Re: draft-ietf-jose-hpke-encrypt-01

Orie Steele <orie@transmute.industries> Tue, 09 July 2024 02:52 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F91FC1840F4 for <jose@ietfa.amsl.com>; Mon, 8 Jul 2024 19:52:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fb-WGannvj0p for <jose@ietfa.amsl.com>; Mon, 8 Jul 2024 19:52:11 -0700 (PDT)
Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 999D2C23C63A for <jose@ietf.org>; Mon, 8 Jul 2024 19:52:11 -0700 (PDT)
Received: by mail-pj1-x1035.google.com with SMTP id 98e67ed59e1d1-2c7fa0c9a8cso2657609a91.1 for <jose@ietf.org>; Mon, 08 Jul 2024 19:52:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1720493531; x=1721098331; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CDJC0ZXrSh6F85xI8ptRSupl+A547COzLAz7QjJ6DS0=; b=aOeWFt45V015hNQF3k4Sm/5XhRAA2bhq37Hcc5pwUP36IOrIoxB2F2rXdCOcQ2X2IP KTKQ+E5xvAhs2Tm6eEUlZAxOdb0fMBA9jJ/Scb2bsGiL1cME/lsrX8ONm3bgYirOXH0g nZ/sGwyCuaKkAmU6UXWPOORtqjFBNFBbzrNm84TsgyM/j3poyobud2CynoQu3/OzGXvu 1y+l9bAKKyCd+Mxvo0Vf6ptd04P4G9axUNT/jNtyNFgX960IBBVegX2eT+gZUaMbDJgk hywB3EBl9Jg1Ro43vCbV7L5mQkG0N90rOn/fjj2Z/8p8RDuNGi/hU1uO+GtLkyocWht/ A7Uw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720493531; x=1721098331; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=CDJC0ZXrSh6F85xI8ptRSupl+A547COzLAz7QjJ6DS0=; b=ipj1m9VVj6Qf981qVY957n9KWhxC5U/AfXdOAIuy3jK5RSyY+Oa97RChepXfgTvcBn zWaXRdzU5YPp6SMAUEtoH8OTbHmHRkhGqq4ZHvS7eDN63OgIW87CkR8swEMyWAkz7EiM e6XWzYiCtFj4++riK7cxxg7wFFM62vfkzKuX+8BY0IAaHjs0LLZwdZdCoc2qLIuIJbVX 8UyaQog76PEIEz+IMuugxH0Vu0yxqoNH9AiIX3QRtBDSAuHxLNQFZZXkQSL0mKem/Bmv HJ4mKdYA+gud4JGgi76LHdV2l4zTj/ju+JbkCqk+Zl3zEYsxEYNWSJ48muvumHPNI35K zsPA==
X-Gm-Message-State: AOJu0Yyh2J9hivCIJEX4E8ag0Bfx5ucr6dwc4rfNN1BD+OINazs+DxGp B2SkiS5CtiOpqoxXHLEuVGtrImaTk9447NJQeu3NXQtFh4BDt/QDsNHZxADe+6v2fC+sdEdZXDv Ny1Cq9gaBkqL+xBoDq47DmoC9BcBZ8BLPXhvwcQ==
X-Google-Smtp-Source: AGHT+IFnomXhYoNgcWPwsmpAjhZPdgFr9W6+Gia2Oh1/ne+77SWXSeHSAHaxEW3LA+4r2qVk3citM0eHcbfbnpHc8wg=
X-Received: by 2002:a17:90b:1d8b:b0:2c9:6751:7539 with SMTP id 98e67ed59e1d1-2ca35d535fbmr1102275a91.44.1720493530834; Mon, 08 Jul 2024 19:52:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_KMx_M9vL3kwoohkiVrndU_MohxdGC_vLkBo7R_+-6T2g@mail.gmail.com> <CACVbtYOsf7MkHPOzFgE14JhKrSzAd8EkZ0Sr4X0XRMzdCUtbkA@mail.gmail.com> <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com> <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com> <CACVbtYPauBzeSmXPr8Fyb7Jh3u7ydJgX632B0Fwdn4UPgAfQBg@mail.gmail.com> <CACVbtYOKCrqs_tf2QUqJ1P-WWd7WeKw_VMzqgCyCvaaXmqTppA@mail.gmail.com>
In-Reply-To: <CACVbtYOKCrqs_tf2QUqJ1P-WWd7WeKw_VMzqgCyCvaaXmqTppA@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 08 Jul 2024 21:51:58 -0500
Message-ID: <CAN8C-_JrUM_uiVAprfFf_-ZnZcy86-hm6t5KWp5_2qavn0+zUQ@mail.gmail.com>
To: Les Hazlewood <lhazlewood@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000be808d061cc79de5"
Message-ID-Hash: Q5TYM4K6LSNMJFE5BWCP2H3F6AZ37C7G
X-Message-ID-Hash: Q5TYM4K6LSNMJFE5BWCP2H3F6AZ37C7G
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: JOSE WG <jose@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: draft-ietf-jose-hpke-encrypt-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/v_UtKnjHp_HdOUKwlv9fP5Gj_EM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

Thanks again for your comments.

You have highlighted that choosing a different encryption algorithm for the
content encryption could make the examples clearer.

You have also generally captured the intention of the 2 modes.

If we were to register HPKE-P256-SHA256+A256GCM and HPKE-P256-SHA256

It would be essentially the same as ECDH-ES and ECDH-ES+A256KW.

Arguing against fully specified encryption algorithms for a moment... We
might drop the curve and kdf parts, and set the kdf to be always sha-256
for JOSE.

This would reduce number of registrations.

alg: HPKE, enc: A128GCM
alg: HPKE+A256KW, enc: A128GCM

However, we would now not be able to negotiate for post quantum encryption
by algorithm alone.

Key generation would need to be aware of kty and crv... We might not have a
way to easily distinguish between ML-KEM-768 and other KEMs for the same
kty.

A benefit of fully specified HPKE algorithms is that negotiation is
simplified, and key generation can be aligned to what can be negotiated.

If it's important to be able to negotiate for integrated vs key encryption,
it is important that they be implied by the algorithm registrations we
request.

On Mon, Jul 8, 2024, 9:11 PM Les Hazlewood <lhazlewood@gmail.com> wrote:

> Why is JWE HPKE Key Encryption necessary at all?  Since HPKE requires
>> asymmetric keys to be used, what is the use case for encrypting a
>> direct/shared symmetric key when the recipient must decrypt with their
>> private key anyway?
>>
>
> Trying to answer my own question:
>
> "alg": "HPKE-P256-SHA256",
> "enc": "A256GCM"
>
> would mean a JWE content encryption key would be obtained by executing the
> KEM to derive a shared secret which is then made uniform by HKDF-SHA256.
> The output of the HKDF Expand function would be the content encryption key
> used to directly encrypt the payload using AES 256 GCM.
> This would imply that the HKDF's `Expand(prk, info, L)` function's `L`
> input length must be equal to the `enc` required key length (in this
> example, `256`).
>
> Whereas
>
> "alg": "HPKE-P256-SHA256-A256GCM",
> "enc": "A128GCM"
>
> would mean
>   a) an ephemeral AEAD secret key (the CEK) would be generated for the
> `enc` algorithm (e.g. AES 128 GCM)
>   b) this ephemeral AES 128-bit CEK would itself be encrypted using HPKE
> P256-SHA256-A256GCM
>   b) the ephemeral AES 128-bit CEK would be used to encrypt the recipient
> payload, and the CEK ciphertext would be included in the recipient header.
>
> Then the recipient uses HPKE P256-SHA256-A256GCM to decrypt the CEK
> ciphertext, producing the CEK, which is then used to decrypt the payload.
>
> Is that about right?
>
> Les
>
>>