IETF Logo Mail Archive

Re: [Secdispatch] draft-madden-jose-ecdh-1pu

Neil Madden <neil.madden@forgerock.com> Mon, 17 May 2021 14:57 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 334A43A3ADF for <secdispatch@ietfa.amsl.com>; Mon, 17 May 2021 07:57:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KvMPBfJDAu8g for <secdispatch@ietfa.amsl.com>; Mon, 17 May 2021 07:57:23 -0700 (PDT)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 953323A3ADB for <secdispatch@ietf.org>; Mon, 17 May 2021 07:57:22 -0700 (PDT)
Received: by mail-wm1-x333.google.com with SMTP id k5-20020a05600c4785b0290174b7945d7eso3359441wmo.2 for <secdispatch@ietf.org>; Mon, 17 May 2021 07:57:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=/G8X4xijeWS495wJ2xjEiFg71DsSIaa7vGdcPxrZqWo=; b=T63u4iZbwVePlJW4FoVVzIDekq1DgBVA0DKKK39scT4k9TIjE4Ueo1tmuSswU5Vxfl 8EbqE3LKnEecDmJnrClNEvPgbogMxgypHymXUFM6H4kbwwNjLzkbU1puYVac6wGMo1iL d7D0L5U4wgPdExGnYcDzkDkE6GjEApxR97Cws=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=/G8X4xijeWS495wJ2xjEiFg71DsSIaa7vGdcPxrZqWo=; b=SxtE3xw1Wt/yR2jwuTfTUGMlhP3ug1yuUV/BQ1Tz6YCBxKTHOJfBWumWhcj6IyXTG4 OAWBCJV5nYSfWsZHTLWhds3zPqrb/uBVX4wnTOtH7YEG22NIDzuxUzzBN58MgvmRB7K7 u6aTGkY2+uKBgfRJgw9CEiRUDIrZslUVzXGLhhYGzRf7X8vIyZ2c0WVAQgCDHX2V04p1 5AyMnFG0TVw0+NT+EthMEuvqd3nmWNCgwEtNNo/0oCGie8Uo6O5TLEiLUH/9NogkaWuz ZvRZfP2/0o6QV+Mhv1hgyavMuvc3Xaeq+6NRSdh9Sh0HbE8/95o95oaFclGj+ISMehVV 4nag==
X-Gm-Message-State: AOAM533M4lIz2TTLpa6jHQ9MGtVBB2YRurwc6+VorOMnrLxN7tz4udJ4 dP9R4W72lROiLNM44Q+jP2kiQ2d22Cc/mJ0dSxoXjBE8zdMUGzf2dMPUeDSpmeAH2G1FhDuqZVm Ilycr9J63rOnjtw==
X-Google-Smtp-Source: ABdhPJzLEGvub/1BBc8OMua6W5xTio/I5ekovu9s4xOEgc/OaL2ShxVhig3Ey7rMLDyE5FNluSWKrQ==
X-Received: by 2002:a1c:f614:: with SMTP id w20mr118175wmc.70.1621263438868; Mon, 17 May 2021 07:57:18 -0700 (PDT)
Received: from [10.0.0.8] (252.207.159.143.dyn.plus.net. [143.159.207.252]) by smtp.gmail.com with ESMTPSA id y21sm21864326wmi.15.2021.05.17.07.57.18 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 May 2021 07:57:18 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <00603DAA-BA62-4856-BCD5-E444D27AB187@forgerock.com>
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.6\))
Date: Mon, 17 May 2021 15:57:17 +0100
In-Reply-To: <CAL02cgQXtFuWvUSupxazkqC37jVuQpaczKTFhwn_UFQqrw5-eA@mail.gmail.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, secdispatch@ietf.org
To: Richard Barnes <rlb@ipv.sx>
References: <63EC3EF1-C24B-4EFD-A904-12E510193EB3@forgerock.com> <5069.1621245223@localhost> <CBEDA8D2-1AD0-4DAF-9CBD-4D56FDBB0950@forgerock.com> <CAL02cgQXtFuWvUSupxazkqC37jVuQpaczKTFhwn_UFQqrw5-eA@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.6)
Content-Type: multipart/alternative; boundary="Apple-Mail=_9B09FDBD-93D8-41E7-819E-C34AFE0C871E"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/f1Ajzym0uWIn5tgiFX_z1PysDHw>
Subject: Re: [Secdispatch] draft-madden-jose-ecdh-1pu
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2021 14:57:28 -0000

Thanks, replies inline below:

> On 17 May 2021, at 15:05, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Hi Neil,
> 
> Thanks for bringing up this idea.  I wasn't in the WG for the discussion, but if I were there, I would have been worried about the new crypto construction that is laid out in this draft.
> An interesting alternative approach here might be to use HPKE [1] as the public-key encryption primitive here.  HPKE has been through CFRG review already, and has security proofs.  It is already being used in protocols like TLS ECH [2] and MLS [3], so there's starting to be some support for it in libraries like boringssl [4]. 

ECDH-1PU is broadly similar to the DHKEM HPKE construction: it differs mainly in the key derivation process. The DH AuthEncap/AuthDecap process in section 4.1 is very similar. (It’s also similar to e.g. the Noise K one-way handshake pattern [1]). 

However, HPKE has one serious disadvantage for the use-cases I (and others) want it for, in that it explicitly rules out of scope what the HPKE draft (and related papers) refer to as “Insider-Auth” security [2]. That is, a recipient of a message sent using HPKE can construct a forgery that, to the other recipients of the original message, appears to come from the original sender. This is a critical weakness in, for example, an OAuth system built upon this, as shown in this example:

1. Alice talks to an OAuth authorization server and obtains an access token to access API1, API2, and API3.
2. The authorization server authenticates and encrypts a JWT-based access token using the public keys of API1, API2, and API3.
3. Alice uses the encrypted access token to access API1.

The problem here is that API1 can now construct their own access tokens to access API2 and API3 with whatever scope they wish. As the security analysis in [3] section 5.4 says:

We can show that for any AKEM, KS, and AEAD, the construction APKE[AKEM,KS, AEAD] given in Listing 8 is not (n,qe,qd)-Insider-Auth secure. The inherent reason for this construction to be vulnerable against this attack is that the KEM ciphertext does not depend on the message. Thus, the KEM ciphertext can be reused and the DEM ciphertext can be exchanged by the encryption of any other message. 


ECDH-1PU is not vulnerable to this issue precisely because, in the multi-recipient case, it ensures that the AKEM ciphertext *does* depend on the message, through the use of a compactly-committing AEAD [4] - the tag of which is effectively included as associated data in the KEM.


> And in addition to getting a sender-authenticated mode as you do with 1PE, you would also get to upgrade the base JWE ECDH mode to something with better proofs, and you would get a PSK option, all basically for free.

I don’t think at this point implementers would thank us for changing how the existing ECDH-ES encryption mode of operation works. ECDH-1PU is deliberately kept quite similar to that existing mode, and in fact can be implemented with just a few additional lines of code in a typical existing implementation.

[1]: http://noiseprotocol.org/noise.html#one-way-handshake-patterns <http://noiseprotocol.org/noise.html#one-way-handshake-patterns> 
[2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hpke#section-8.2.2 <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hpke#section-8.2.2> 
[3]: https://eprint.iacr.org/2020/1499.pdf <https://eprint.iacr.org/2020/1499.pdf> 
[4]: https://eprint.iacr.org/2017/664.pdf <https://eprint.iacr.org/2017/664.pdf> 

— Neil

> 
> Cheers,
> --Richard
> 
> [1] https://tools.ietf.org/html/draft-irtf-cfrg-hpke <https://tools.ietf.org/html/draft-irtf-cfrg-hpke>
> [2] https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-07#section-4 <https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-07#section-4>
> [3] https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol#section-7.7 <https://datatracker.ietf.org/doc/html/draft-ietf-mls-protocol#section-7.7>
> [4] https://boringssl.googlesource.com/boringssl/+/chromium-stable/crypto/hpke/ <https://boringssl.googlesource.com/boringssl/+/chromium-stable/crypto/hpke/>
> On Mon, May 17, 2021 at 6:04 AM Neil Madden <neil.madden@forgerock.com <mailto:neil.madden@forgerock.com>> wrote:
> 
> > On 17 May 2021, at 10:53, Michael Richardson <mcr+ietf@sandelman.ca <mailto:mcr%2Bietf@sandelman.ca>> wrote:
> > 
> > 
> > Neil Madden <neil.madden@forgerock.com <mailto:neil.madden@forgerock.com>> wrote:
> >> The draft was originally created to support work within the OAuth WG
> >> around JWT-format access tokens. However, the WG declined to adopt the
> >> draft, so it’s looking for a new home. I believe the draft is ideally
> > 
> > Did the WG give a reason?
> > 
> 
> The meeting was some time ago now, but as I remember it essentially they felt that it was outside of their charter and area of expertise. Although the OAuth WG have done work around JWTs specifically in the past, they have not ever approved new cryptographic algorithms.
> 
> — Neil
> -- 
> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy <https://www.forgerock.com/your-privacy>>
> 
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org <mailto:Secdispatch@ietf.org>
> https://www.ietf.org/mailman/listinfo/secdispatch <https://www.ietf.org/mailman/listinfo/secdispatch>


-- 
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>

v2.23.0 | Report a Bug | By Email