Re: [MLS] DeriveKeyPair IKM size
Simon Ser <contact@emersion.fr> Fri, 15 March 2024 14:07 UTC
Return-Path: <contact@emersion.fr>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC34AC14F681 for <mls@ietfa.amsl.com>; Fri, 15 Mar 2024 07:07:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=emersion.fr
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPN1tCcAAv6w for <mls@ietfa.amsl.com>; Fri, 15 Mar 2024 07:07:47 -0700 (PDT)
Received: from mail-4323.proton.ch (mail-4323.proton.ch [185.70.43.23]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23E9BC14F603 for <mls@ietf.org>; Fri, 15 Mar 2024 07:07:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emersion.fr; s=protonmail3; t=1710511663; x=1710770863; bh=DKzJKlg9wgkB6JqmyeBqarkgMH9F5JwP+djhdribpu0=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=O1cMlrxt5SteAgJQg2FWRzvRwcoZXbgZ7NSHIJ39Wt7USZ0fHKpgBxEetyP1ZpRuI 97cQnGcnWEmykwREFeJ1abhWGx1RJOmc4HwdorvseNrXq8dcUBRN46ZJRNZO5qYALf Nlj+27X1Wne9VauDdkE6ladtZAkm3U4ST/Sthyk3txZkiwJcEzWdc5aLewIhnInAjJ QwlstelGoZTxn8g8JQs1R+BlqtvW0dmmJK/VExh4ivogRMLbgyfsKL13Yki7dlD8y7 1IRPw9AsVSmVfCLItvRxB+cymB+5VvAbTa5mBufSTP8sJCZYEe2Bs46+OJSsmbGlDx mMzvoiMeZfzlQ==
Date: Fri, 15 Mar 2024 14:07:34 +0000
To: Rohan Mahy <rohan.ietf@gmail.com>
From: Simon Ser <contact@emersion.fr>
Cc: "mls@ietf.org" <mls@ietf.org>
Message-ID: <JAUJrf-WGD7yyQOoZSgBv6M6vU_iENbRsTTKK__ZRfQOdnnb7QtO576qe6AOD1LTVVc7lsCc6e0ztBuQ_VaaQsjJglD_vFe2Bhk1UUBPJts=@emersion.fr>
In-Reply-To: <CAKoiRuYKt4jJW4TpH=k+0WU5LUPyV6P04=1-U-P64H9Wc+Sr6w@mail.gmail.com>
References: <kE3ovynJvl22pnmihJkm7J67dybmL4xQHYxBu1vvwabY_U3X2TBJO5V3agUDnNF2aYl7z4aBupEdLteupSa7vjvXNMIdyY-GN2czK6NeDi0=@emersion.fr> <CAKoiRuYKt4jJW4TpH=k+0WU5LUPyV6P04=1-U-P64H9Wc+Sr6w@mail.gmail.com>
Feedback-ID: 1358184:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/87HD6S85wRF9Ov0Rdh3R7PgdnUU>
Subject: Re: [MLS] DeriveKeyPair IKM size
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2024 14:07:52 -0000
On Friday, March 15th, 2024 at 00:52, Rohan Mahy <rohan.ietf@gmail.com> wrote: > The issue you are pointing out is an issue with HPKE (RFC9180) which > was a product of the CFRG research group, and should probably be > discussed there. Hm, I'm not sure I understand. The issue I'm describing is about MLS' usage of HPKE, due to the definition of node_priv: node_secret[n] = DeriveSecret(path_secret[n], "node") node_priv[n], node_pub[n] = KEM.DeriveKeyPair(node_secret[n]) And the definition of DeriveSecret: DeriveSecret(Secret, Label) = ExpandWithLabel(Secret, Label, "", KDF.Nh) Specifically, the issue is that MLS: 1. Specifies that the output of DeriveSecret, which has the length KDF.Nh, is fed into KEM.DeriveKeyPair. 2. Defines a few cipher suites which combine a KEM and KDF resulting in a mismatch between KDF.Nh and KEM.Nsk. Specifically cipher suite 0x05 passes an ikm parameter shorter than HPKE says it SHOULD. > Note that [XWing], also contraindicates the SHOULD in [HPKE] Section > 7.1.3, because 2432 octets of entropy is excessive, and 32 octets is > expected to be sufficient. That's not my reading of the spec: the HPKE RFC says that the "ikm parameter given to DeriveKeyPair() SHOULD have length at least Nsk". The "at least" part is key here: feeding a larger parameter satisfies the SHOULD.
- [MLS] DeriveKeyPair IKM size Simon Ser
- Re: [MLS] DeriveKeyPair IKM size Rohan Mahy
- Re: [MLS] DeriveKeyPair IKM size Simon Ser
- Re: [MLS] DeriveKeyPair IKM size Simon Ser