[jose] Re: draft-ietf-jose-hpke-encrypt-01

Orie Steele <orie@transmute.industries> Tue, 09 July 2024 02:06 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37956C1840C2 for <jose@ietfa.amsl.com>; Mon, 8 Jul 2024 19:06:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yE3T-2e85Llb for <jose@ietfa.amsl.com>; Mon, 8 Jul 2024 19:06:10 -0700 (PDT)
Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4EA2C16943E for <jose@ietf.org>; Mon, 8 Jul 2024 19:06:10 -0700 (PDT)
Received: by mail-pg1-x52d.google.com with SMTP id 41be03b00d2f7-7163489149eso3366686a12.1 for <jose@ietf.org>; Mon, 08 Jul 2024 19:06:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1720490770; x=1721095570; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=FWuSQlYzeqz1eYOTYRzBAwHndZXr9t5C7xbHuM89zIw=; b=PtkTBuEA6L5k7CYbhBC7WwIddYRFnBtL7uilJ1hLtqn2Mg68fLAEFx29vA7QznPFUN cakyfCMhM9sVisPqJnr7+RGfABxv7IjV6FTe5P72D+lek7vizvvLokpJHsprC1OALqLS cFxjT8uMeQn4SpVxl7HCFksXr12FC3X0K7MBYFerabuP0XUvIqkXauO090cj0Py1cstM cWS1fMMQOqsVXKhD4vc++Afnwv24Zlolrohf04ugUi1+/wqzIDLVQyJFVjG1Or6PMO2D MMuh4mt/KozmOImbcw+1uLo7cVcbgzeSaMn9H/FsRrX7cBfzS4nwUeowcNW8BrgzaDBm QdBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720490770; x=1721095570; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=FWuSQlYzeqz1eYOTYRzBAwHndZXr9t5C7xbHuM89zIw=; b=bJ2GSD1GmLG6WnDQ75QqF5uZM4XgN4KMxKWcPkNGSYNcQej2yD+32JA+Dn/jQf0tDR tnQ02l7ECMZvaYJFIzAjlANNUHogzdAfB+1SJ9KVC9D4KST3wxFFjXECZymEyEpCOReK nhofOwkV7zdk5FbnHufvPsIBcNw5tcATz9gLpb6jYN+2qBwhujhIbBhz071fhOzDQ6lm IgggPsfkdKcSoiB6qGIWqFS20Jk6r5OxL3IZC6TkVoQi2V7/PXFP5+TxwAgZj3IZppD9 zJ4X24FikAYc2OcY4wduJXBCJF3HZJwg0IMZ0P/S4STGsjUiCZKd4CJcudegPP/WTA13 Mi7w==
X-Gm-Message-State: AOJu0Yw65dBWuMN90Lwme87VlfpRePQoNlHduLJb/KRigCsgNmfC+1oG 5nUaKWDPPEjoqB74EEP7Kk+QoiejIioiqtZyIas7EgShjc8JjvmwiDc8ncF+0Tc57NSpVM96Cl2 MqQ5Z/pnw2PP36N7ReVmScibvxDopdr7NSUQoqRz9BfS9GkrRlUE=
X-Google-Smtp-Source: AGHT+IEblsv8lEio1OJ46lCdbayuPUR/OwcK6QvCuNnw3ahya/AdFddscgiwdDu5DkHotBOqZmk2/v+eHgri39aXIek=
X-Received: by 2002:a05:6a21:186:b0:1c2:8d2f:65f5 with SMTP id adf61e73a8af0-1c29820b88amr1395183637.15.1720490769611; Mon, 08 Jul 2024 19:06:09 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_KMx_M9vL3kwoohkiVrndU_MohxdGC_vLkBo7R_+-6T2g@mail.gmail.com> <CACVbtYOsf7MkHPOzFgE14JhKrSzAd8EkZ0Sr4X0XRMzdCUtbkA@mail.gmail.com> <CACVbtYOOpwTKZt7dH7JV983SmU7gRbsaXY8ru4Ty-+S081oTEQ@mail.gmail.com> <CAN8C-_Kb9ZOec8SXUkqqd3P7VnEYSDukVm56kpdx+fVEw4KHag@mail.gmail.com> <CACVbtYPauBzeSmXPr8Fyb7Jh3u7ydJgX632B0Fwdn4UPgAfQBg@mail.gmail.com>
In-Reply-To: <CACVbtYPauBzeSmXPr8Fyb7Jh3u7ydJgX632B0Fwdn4UPgAfQBg@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 08 Jul 2024 21:05:58 -0500
Message-ID: <CAN8C-_JyHsr07FcTMwA01+QTkzjxxqvv0fNpFthytSyyP+MgKQ@mail.gmail.com>
To: Les Hazlewood <lhazlewood@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000299a32061cc6f9b7"
Message-ID-Hash: HDKOFSMWI54U76QKIRGFRRJZ46WWHO34
X-Message-ID-Hash: HDKOFSMWI54U76QKIRGFRRJZ46WWHO34
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: JOSE WG <jose@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: draft-ietf-jose-hpke-encrypt-01
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/zzjsmb2o_UYgLznYWnSDcmqr_0s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>

Inline:

On Mon, Jul 8, 2024 at 6:38 PM Les Hazlewood <lhazlewood@gmail.com> wrote:

> Thinking though this a whole lot more I think I was confused on which
> alg/enc parameters were used in which header elements.  To avoid that
> confusion for myself, I'll refer to them using their RFC 7516 names:
>
> Currently with JWE, `enc` algorithms/IDs are all AEAD algorithms, and I
> think this must remain the same. Consistency, no surprises, everything
> stays the same, lowest possible impact to all existing JOSE
> implementations. And actually, having this value be anything other than an
> AEAD algorithm would violate RFC 7516, Section 4.1.2
> <https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.2> as written:
>  "This algorithm MUST be an AEAD algorithm with a specified key length."
>  Many implementations (mine included) make plenty of assertions that this
> must be an AEAD algorithm that requires secret keys, etc.  Changing this to
> be a different type of algorithm would cause a lot of problems on
> implementations, especially those written in typesafe languages.
>
> In the multi-recipient case, I agree, there doesn't need to be an `enc`
> value in the JWE Per-Recipient Unprotected Header because it's always
> implied by the JWE Protected Header.  This must be the same for all
> recipients anyway.  Nor is an JWE Protected Header `alg` value required
> since that will likely be different per recipient.  The union (JWE JOSE
> Header) for a single recipient and/or JWT must have both header parameters
> however.
>
> For HPKE then, it seems that the `alg` value only needs to include the
> first 2 HPKE cipher suite IDs/tokens and exclude the trailing AEAD id as
> Michael Jones said.  But then Ilari said:
>
> "- The first means to use algorithm "HPKE-P256-SHA256" (presumably Direct
>   Key Agreement) to derive key for "A128GCM" (which is defined by
>   RFC7518) bulk encryption."
>
> I'm probably missing something, but I don't believe this is an issue.
> HPKE does not use nor accept direct shared symmetric key IKM (input key
> material).  That is, HPKE is only to be used for public key derivation of a
> shared secret (KEM) which is then tied to context and made
> cryptographically uniform (HKDF), and that output key is used as the AEAD
> symmetric key.
>
> That means if you have an `enc` value, you only need the HPKE ID trailing
> tokens to be a tuple because you already have the 3rd in the `enc` header
> parameter. That is:
>
> header['alg'] + header['enc'] would always
> equal "HPKE-<KEMID>-<HKDFID>-<AEADID>"
>

Yes. Similar to https://datatracker.ietf.org/doc/html/rfc7520#section-5.5.4
 and https://datatracker.ietf.org/doc/html/rfc7518#appendix-C

"alg" + "enc" = "ECDH-ES" + (missing curve name) (concat kdf) + "A128GCM"
"alg" + "enc" = "ECDH-ES" + (missing curve name) (concat kdf) +
"A128CBC-HS256"


> That is unless you're trying to use HPKE as a key encryption/wrapping
> algorithm, which brings me to my next question:
>
> Why is JWE HPKE Key Encryption necessary at all?  Since HPKE requires
> asymmetric keys to be used, what is the use case for encrypting a
> direct/shared symmetric key when the recipient must decrypt with their
> private key anyway?
>

Support for HPKE alongside other recipient encryption schemes, for example:
https://datatracker.ietf.org/doc/html/rfc7520#section-5.13

Or in other words... the ability to use HPKE to wrap keys with post quantum
or hybrid kems, so that traditional recipients which might be subject to
harvest now and decrypt later attacks on elliptic curve discrete log can
have something to migrate to, without changing out the symmetric encryption
layer (we're less worried about Grover, and more worried about Shor).

It's not that meaningful to move from ECDH-ES+A128KW to
HPKE-P256-SHA256+A128KW ... but it would be more significant to move to
HPKE-ML-KEM-1024-SHA256+A256KW

In order to know how to use an HPKE PQ KEM with multiple recipient JWE, we
need to describe how to do HPKE JWE Key Encryption.

We're also trying to avoid registering lots of algorithms.

I'd love to learn the history of why ECDH-ES+A128KW is not ECDH-ES+A128GCM
... but this ship has sailed, "ECDH-ES+A128KW" is mixed into the concat kdf.
... the logical equivalent of that happens internally to HPKE, here:
https://datatracker.ietf.org/doc/html/rfc9180#section-5.1-9

The difference is that HPKE doesn't give a different algorithm name for
A128KW and A128GCM... it treats them as both 0x0001 see
https://www.iana.org/assignments/hpke/hpke.xhtml#hpke-aead-ids

HPKE doesn't know if it's encrypting a content encryption key or not...
If you want to ensure that in higher order systems this distinction is
authenticated, you need to use setup info or aead aad, see
https://datatracker.ietf.org/doc/html/rfc9180#name-auxiliary-authenticated-app

This leads us back to the current proposal...

- alg: HPKE-P256-SHA256-A128GCM ... enc: A128GCM // in separate headers ->
key encryption
- alg: HPKE-P256-SHA256-A128GCM,  enc: A128GCM   // in the same header  ->
integrated encryption

hpke-info = empty
hpke-aad = protected (.aad) // how the distinction is authenticated

An alternative proposal:

- alg: HPKE-P256-SHA256+A128KW ... enc: A128GCM // -> key encryption
- alg: HPKE-P256-SHA256,  enc: A128GCM          // -> integrated encryption

This doubles the registrations and does not appear to do anything useful.
... unless these different alg values are used as hpke-info to force
different key schedules:
https://datatracker.ietf.org/doc/html/rfc9180#section-5.1-10
... similar to how ECDH-ES and ECDH-ES+A128KW work in concat kdf today.

Hopefully this extra background is helpful.

Thank you for your comments!


> Thanks,
>
> Les
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>