IETF Logo Mail Archive

Re: [jose] HPKE Compact JWE Demo

Orie Steele <orie@transmute.industries> Sun, 11 February 2024 12:48 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30250C14F5FC for <jose@ietfa.amsl.com>; Sun, 11 Feb 2024 04:48:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZAHDOtK6R2Zg for <jose@ietfa.amsl.com>; Sun, 11 Feb 2024 04:48:50 -0800 (PST)
Received: from mail-oo1-xc29.google.com (mail-oo1-xc29.google.com [IPv6:2607:f8b0:4864:20::c29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F342DC14F5E8 for <jose@ietf.org>; Sun, 11 Feb 2024 04:48:49 -0800 (PST)
Received: by mail-oo1-xc29.google.com with SMTP id 006d021491bc7-59a1a03d09aso692517eaf.3 for <jose@ietf.org>; Sun, 11 Feb 2024 04:48:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1707655729; x=1708260529; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=aSATEYRz1dLq5hWSjlZ2Yl+jf9C+N5cXLLkuZ3aJcDA=; b=HLmpZ+zQaiutA5oAyFLClHz9PQpZy9KzQ0TvdGT5MxRTkz24X/dzPQCR9iwngnzG9V mFYpOs0pGPCjR0nzdDu7vc0Cr0VhdUU7ES7RwR/mEAOtC2wW0sm2MrzU5ThNOLotcta8 fBw2p4TVlt+PmPBp05Ljgzi1cXHLWhbfYX1zAi6rQkScqM5PLaZ7NqYS4uDJWANT5IAi eYmwearTa18snDtyKCzEoHXv0ezh7hBkOFVMW8s4Vb/nSBxVFD+zHwceiECJYheth109 0rNvdlxyhEtbgqVHUzIqEuYv2+sCIFmIpkp3E4HIqEpUL5nGdRHWiCmSUIkQa5FddiMB vHJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707655729; x=1708260529; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=aSATEYRz1dLq5hWSjlZ2Yl+jf9C+N5cXLLkuZ3aJcDA=; b=JKRBGUadAjgveA7cZ6P/C/x6E22UZi0R1fKHZokRTmclG3i9HAF1NRh+yqh+YOql/t xp1Lf6Ase5jgYRYih1c/pYZFIZlQBRGSDBspnNdZOeHXwu/IDRWh5X9XggjhdIWeSIV+ lCt8AcHc7Y2U49L71LlLSPv00UuYwxsntgvL4FcoL5A3RuLq5856LmWmQrS0U2y9H6Gb j6V8C6so0DZlDYgkiXhKNOwcoSPLHx5wONu4em+5pNJxcAy0omL0QZJqn39nipqrRMI6 51h6R3X5wBk6p1igQmVXxra6YVkYXfY4em9rtg1yPHGTIhYDKmBSIJXvAnjxnTeJfmIM fclQ==
X-Gm-Message-State: AOJu0Yy3rzAF0tW4Jwwyvf+LxWpYRhAETgX6ZCgAtkMd0dyHrAf8rtGj HY00b0RZoRv0EiavZFX0pkUeiweDa5SXX76/fFYIp4fT+2rsxM6wHR6p51yR6d7WCB8BDSQyl62 V9thUQex01cYDg0JlRsNQCpFWhzgRAJWWt5huKcq9kswzkL5b
X-Google-Smtp-Source: AGHT+IEndZ7uWXKFseLWuEClsWHCj9ecHpabSbXH0qByiwnoahm81BGq2180J/VS4X//9Nztlsnltd8mb+2HaXt0IgM=
X-Received: by 2002:a05:6359:4c0f:b0:179:ff:2486 with SMTP id kj15-20020a0563594c0f00b0017900ff2486mr4897953rwc.29.1707655728778; Sun, 11 Feb 2024 04:48:48 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_KgcsaY9A4icRhjHAPnEVb8fYu3vzf0=mk_ODkGEVDDtw@mail.gmail.com> <Zce0L9JgcfA2CAE7@LK-Perkele-VII2.locald> <CAN8C-_+aK5U3iVLJxg4RFe09K+OmkPfboROjRJYViwoYzcywRw@mail.gmail.com> <Zcigu0VDAvdeJPT0@LK-Perkele-VII2.locald>
In-Reply-To: <Zcigu0VDAvdeJPT0@LK-Perkele-VII2.locald>
From: Orie Steele <orie@transmute.industries>
Date: Sun, 11 Feb 2024 06:48:36 -0600
Message-ID: <CAN8C-_LpkKDQhDqfrJSmUbf_VSuH+kjsv6COt0mRyEoctVLaFA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: JOSE WG <jose@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001ce26b06111a95aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/zWkQRYP56KBWeMlqiZuzaut8JcY>
Subject: Re: [jose] HPKE Compact JWE Demo
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Feb 2024 12:48:54 -0000

Inline

On Sun, Feb 11, 2024, 4:26 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Sat, Feb 10, 2024 at 03:15:11PM -0600, Orie Steele wrote:
> > This list feels like mostly complaints about JWE, and not about JOSE
> HPKE.
>
> Sure, JWE has its problems, but that ship has sailed. Debating those
> problems when working with JWE is not productive. One just has to live
> with those.
>
> There is only one complaint about JWE, and that is then immediately
> taken as something one needs to live with. Plenty of other complaints
> just are not relevant here.
>
>
> > With compatibility with ECDH-ES JWE shown, I feel pretty confident that
> the
> > design is on a good track.
>
> That was only a smoke test. Failing it would have been really bad, but
> passing does not mean things are actually working.
>
>
> > If there are problems in the design we have now... those problems are
> > fundamental to JWE.
>
> I disagree. I think things can be vastly improved while modifying JWE
> no more than what is currently done.
>
>
> > We are adding HPKE support to JWE not making an incompatible alternative
> to
> > JWE, that only works with HPKE.
>
> The draft does currently have requirements incompatible with JWE. E.g.,
>
> - Requirement to use JSON serialization for Key Encryption.
>

There is an open issue, before we had JSON Serialization working with
backwords compatibility this was not possible, now that we have it, it's
just matter of moving objects into the spaces between periods right?


- Requirement to put "enc" in protected parameters for Key Encryption.
>

As is don't with Key Agreement with Key Wrapping? Not sure which enc you
are talking about.

- Requirement to put "alg" in per-recipient unprotected header for Key
>   Encryption.
>

It's optional or it's mandatory, which do you think is correct?


> And then arguably also requirement to use compact serialization for
> Integrated Encryption.
>

Integrated encryption is a new mode, as is key encryption ,if you mean that
neither is in JWE that is true.



>
>
>
> As example of just what requirements like this can cause, I once wrote
> support for extensible priorities in HTTP/2 in a reverse proxy. IIRC, I
> explicitly ignored every single requirement that went against base
> HTTP/2. Mostly, because code I was modifying was designed for as
> specified by base HTTP/2.
>

Yep, that's why we added support for epk to transport encapsulated keys...
To keep things as close as possible between key agreement with key wrapping
and key encryption.


>
> > Adding the ability to upgrade to HPKE without major breaking interface
> > changes is the objective, and greenfielding alternatives to JWE just
> delays
> > adoption of KEMs and resilience to harvest now decrypt later.
>
> Greenfielding alternatives to JWE is not an option.
>
> And even stuff that just goes against precedent can cause severe issues.
>
> E.g., Multi-recipient interface with similar design as I used in
> COSE-HPKE test code would seem to work just fine now. But it would be
> a major breaking change to add HPKE as currently specified to it.
>

But both are drafts... Expecting breaking changes in drafts is as it should
be.

I don't have good references to look at for COSE encrypt, so it would be
harder to make progress on it in the same way, but I do think it's work
adding COSE key support for encapsulated keys.

And we will still need to put protected headers in aads.


>
> > The guiding principle is this:
> >
> > Adding HPKE based single recipient and multiple recipient support, with
> as
> > few changes to JWE as possible.
>
> The guiding principles I have:
>
> - Keep things as simple as possible.
> - Minimize disruption caused by JWE changes for single recipient.
>

Agreed

- Zero HPKE-specific modifications to JWE.
>

So no new modes for integrated encryption and key encryption, and just use
the same terms direct key agreement and key agreement with key wrapping?

That seems more confusing to me.

- Zero modifications to JWE for multiple recipient support.
>

I think we are close to solving for this, we only need to address compact
mode for single recipient.


> Note that first two are relative, while the last two are absolute.
> And new header parameters, algorithms, etc. are not "modifications to
> JWE".
>

Agreed.


> The reason for requiring zero modifications for multiple recipients
> is that the interaction between recipients is specified by JWE, and
> trying to change those rules is asking for critical issues.
>

We have achieved zero modifications for multiple recipients, in tests.

But we do use different language to support interop between key agreement
with key wraps and key encryption.


> And some changes to JWE are required in order to add the Integrated
> Encryption mode, I.e., this draft needs to update RFC 7516, but those
> changes must not preclude non-HPKE mechnisms later.
>

I am not sure what you mean, this draft invented the term integrated
encryption, are you saying we should leave it open for others to use it
differently?


> And as example of disruption JWE changes could cause, consider
> implementation that immediately parses JWE doing the first three steps
> of JWE section 5.2. Maybe together with doing step 15. By time that is
> done, original serialization is lost. That is very much code one does
> not want to touch lightly.
>
>
> > This constraint makes our job simple... What parameters go in headers?
> How
> > can we accomplish what is needed with as few HPKE specific changes as
> > possible.
>
> For stuff relevant to HPKE, nothing except alg needs to go in headers.
> This is in contrast to things like Key Agreement ephemeral key, that
> does need to go into headers.
>
> I don't see any need for HPKE-specific changes. Even a new header for
> KEM ciphertext (problematic for other reasons) could be usefully
> repurposed for KEM Key Agreement.
>

I don't understand this.

Are you saying that the header parameters we have registered for "key
encryption" (we haven't registered any new ones) can be used for key
agreement?


>
> > The current draft does the best at this so far, but it's possible in can
> be
> > further improved.
> >
> > I don't think your suggestion to concatenate strings values for enc and
> ct
> > is an improvement.
>
> What other way is there to satisfy:
>
> - Avoid requiring multi-shot HPKE for compact.
>

Why should single shot be used?

- Both modes encode the output in the same way.
>
> ?
>

I'm not sure what you are talking about here.
We don't need to take all of what HPKE defined, especially if it defined
multiple ways to do things that are equivalent, we can pick the one way
that makes sense for the JSON ecosystem.


> I don't think there are any. There is only one output field besides
> headers for Key Encryption, and Integrated Encryption can not use
> headers in compact without requiring multi-shot.
>

I think you are saying you prefer to have single shot and multi shot
supported, over having JWE Protected headers be consistent.

This is a good point.

I do not see a strong enough reason to support single shot HPKE in JOSE, I
don't think the performance improvement (???) Is worth the complexity.

I don't think we should change JWE Protected headers to enable HPKE single
shot.

But perhaps let's create a new thread that is focused only in why single
shot HPKE is essential for JWE / JWT.

Let's make the case for single shot as clear as possible.



>
>
>
> -Ilari
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>

v2.23.0 | Report a Bug | By Email