Re: [Teep] [Suit] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256

Akira Tsukamoto <akira.tsukamoto@gmail.com> Thu, 14 December 2023 05:29 UTC

Message-ID: <843e1218-8847-48cc-ada5-9b9cc50e17cf@gmail.com>
Date: Thu, 14 Dec 2023 14:29:14 +0900
To: Brendan Moran <brendan.moran.ietf@gmail.com>, Russ Housley <housley@vigilsec.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Cc: suit@ietf.org, teep@ietf.org, Ken Takayama <ken.takayama.ietf@gmail.com>
References: <08f701da2d9f$c043a6c0$40caf440$@gmx.net> <655A0104-EF30-42E4-862D-6D4D6E4FDDD9@vigilsec.com>
From: Akira Tsukamoto <akira.tsukamoto@gmail.com>
In-Reply-To: <655A0104-EF30-42E4-862D-6D4D6E4FDDD9@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/teep/tH7iBePOf6vyz3pbw_C3AnzAdyM>
Subject: Re: [Teep] [Suit] ECDH-ES + A128KW vs. ECDH-ES + HKDF-256
List-Id: A Protocol for Dynamic Trusted Execution Environment Enablement <teep.ietf.org>

Hi Brendan,

I am fine changing the MTI with ECDH-ES + A128KW.

Akira

On 12/14/2023 12:08 AM, Russ Housley wrote:
> I think ECDH-ES + A128KW covers more use cases.  It can be used with one recipient or many recipients.  So, I'd like to see that be the MTI.
> 
> Russ
> 
> 
>> On Dec 13, 2023, at 3:38 AM, hannes.tschofenig=40gmx.net@dmarc.ietf.org wrote:
>>
>> Hi all,
>>  
>> In the SUIT firmware encryption draft we have so far used ECDH-ES + A128KW, which is also what we implemented in t_cose to generate the examples.
>>  
>> In a discussion with Ken today we realized that the SUIT-MTI draft has always used ECDH-ES + HKDF-256 instead.
>>  
>> Now, the question is: Should we support both, ECDH-ES + A128KW and ECDH-ES + HKDF-256?
>>  
>> IMHO we definitely need AES-KW for scenarios where we encrypt a firmware with a CEK once and then distribute that encrypted firmware image to many recipients. In this case, we 
>>
>>   * randomly generate a CEK, 
>>   * encrypt the firmware using this CEK, 
>>   * encrypt this CEK with a KEY unique per recipient with a KEK. The KEK is the result of using ECDH-ES with a KDF, as described in Section 6.4 of RFC 9053. 
>>
>>  
>> For scenarios where we send one firmware image to one recipient we could use ECDH-ES + HKDF-256 and currently we have a little bit of overhead here by using ECDH-ES + A128KW.
>>  
>> My preference is to leave the SUIT firmware encryption draft as is and to change the SUIT MTI draft to reference ECDH-ES + A128KW instead of ECDH-ES + HKDF-256.
>>  
>> Thoughts?
>>  
>> Ciao
>> Hannes
>>  
> 
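
The three steps quoted in the thread (random CEK, encrypt the firmware once, wrap the CEK per recipient under a KEK from ECDH-ES plus a KDF) are sketched below as an added example; it is not code from the thread, the drafts, or t_cose. It assumes the Python `cryptography` package, P-256 keys, AES-128-GCM for the payload, and a placeholder byte string where RFC 9053 uses the COSE_KDF_Context; the function names are hypothetical.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap

# Placeholder for the COSE_KDF_Context that RFC 9053 feeds to the KDF (assumption).
KDF_INFO = b"constructed-example-kdf-context"


def derive_kek(private_key, peer_public_key):
    """ECDH-ES followed by HKDF-SHA-256, producing a 128-bit KEK."""
    shared = private_key.exchange(ec.ECDH(), peer_public_key)
    return HKDF(algorithm=hashes.SHA256(), length=16, salt=None, info=KDF_INFO).derive(shared)


def encrypt_for_recipients(firmware, recipient_public_keys):
    """Encrypt once with a random CEK, then wrap that CEK for each recipient."""
    cek = AESGCM.generate_key(bit_length=128)
    nonce = os.urandom(12)
    ciphertext = AESGCM(cek).encrypt(nonce, firmware, None)
    recipients = []
    for pub in recipient_public_keys:
        ephemeral = ec.generate_private_key(ec.SECP256R1())  # fresh per recipient
        kek = derive_kek(ephemeral, pub)
        recipients.append((ephemeral.public_key(), aes_key_wrap(kek, cek)))
    return nonce, ciphertext, recipients


def decrypt_as_recipient(private_key, nonce, ciphertext, recipient_info):
    """Recompute the KEK from the sender's ephemeral key, unwrap the CEK, decrypt."""
    ephemeral_public, wrapped_cek = recipient_info
    cek = aes_key_unwrap(derive_kek(private_key, ephemeral_public), wrapped_cek)
    return AESGCM(cek).decrypt(nonce, ciphertext, None)


if __name__ == "__main__":
    firmware = b"constructed firmware image " * 4  # constructed sample payload
    devices = [ec.generate_private_key(ec.SECP256R1()) for _ in range(3)]
    nonce, ct, infos = encrypt_for_recipients(firmware, [d.public_key() for d in devices])
    for dev, info in zip(devices, infos):
        assert decrypt_as_recipient(dev, nonce, ct, info) == firmware
    print(len(ct), [len(w) for _, w in infos])
```

The single ciphertext is shared by all recipients; each recipient adds only an ephemeral public key and a wrapped CEK, which is the per-recipient overhead the thread weighs against deriving the content key directly with ECDH-ES + HKDF-256.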