Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AAD Usage Clarifications #51

Merged
merged 5 commits into from
Feb 14, 2024
Merged
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 50 additions & 32 deletions draft-ietf-cose-hpke.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
title: Use of Hybrid Public-Key Encryption (HPKE) with CBOR Object Signing and Encryption (COSE)
abbrev: COSE HPKE
docname: draft-ietf-cose-hpke-07
docname: draft-ietf-cose-hpke-08
category: std

ipr: pre5378Trust200902
Expand Down Expand Up @@ -77,20 +77,9 @@ This document defines the use of the HPKE with COSE.

Hybrid public-key encryption (HPKE) {{RFC9180}} is a scheme that
provides public key encryption of arbitrary-sized plaintexts given a
recipient's public key. HPKE utilizes a non-interactive ephemeral-static
Diffie-Hellman exchange to establish a shared secret. The motivation for
standardizing a public key encryption scheme is explained in the introduction
of {{RFC9180}}.
recipient's public key.

The HPKE specification provides a variant of public key encryption of
arbitrary-sized plaintexts for a recipient public key. It also
includes three authenticated variants, including one that authenticates
possession of a pre-shared key, one that authenticates possession of
a key encapsulation mechanism (KEM) private key, and one that
authenticates possession of both a pre-shared key and a KEM private key.

This specification utilizes HPKE as a foundational building block and
carries the output to COSE ({{RFC9052}}, {{RFC9053}}).
This document defines the use of the HPKE with COSE ({{RFC9052}}, {{RFC9053}}).

# Conventions and Terminology

Expand Down Expand Up @@ -151,14 +140,14 @@ indicates the use of HPKE.

The sender MUST place the 'encapsulated_key' parameter into the unprotected
header. Although the use of the 'kid' parameter in COSE_Encrypt0 is
discouraged by RFC 9052, this profile allows the use of the 'kid' parameter
(or other parameters) to identify the static recipient public key used by
the sender. If the COSE_Encrypt0 contains the 'kid' then the recipient may
discouraged by RFC 9052, this documents RECOMMENDS the use of the 'kid' parameter
(or other parameters) to explicitly identify the static recipient public key
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the use or non-use of kid depends on the use case. If you have a use case where the key is known already then it is not needed (not a big deal, but I thought I'd mention it).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's correct. You don't have to use it but we recommend it in the generic case.

used by the sender. If the COSE_Encrypt0 contains the 'kid' then the recipient may
use it to select the appropriate private key.

HPKE defines an API and this API uses an "aad" parameter as input. When
COSE_Encrypt0 is used then there is no AEAD function executed by COSE
natively and HPKE offers this functionality.
The HPKE specification describes an API and this API uses an "aad" parameter
as input. When COSE_Encrypt0 is used then there is no AEAD function executed
by COSE natively and HPKE offers this functionality.

The "aad" parameter provided to the HPKE API is constructed
as follows (and the design has been re-used from {{RFC9052}}):
Expand Down Expand Up @@ -208,7 +197,7 @@ structure, i.e. one COSE_recipient structure per recipient.
In this approach the following layers are involved:

- Layer 0 (corresponding to the COSE_Encrypt structure) contains the content (plaintext)
encrypted with the CEK. This ciphertext MAY be detached. If not detached, then
encrypted with the CEK. This ciphertext may be detached, and if not detached, then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think detached / non-detached needs to be mention in this document. (not a big deal, but I thought I'd mention it).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I downgraded the sentence to avoid the use of the MAY to may

it is included in the COSE_Encrypt structure.

- Layer 1 (corresponding to a recipient structure) contains parameters needed for
Expand Down Expand Up @@ -251,6 +240,34 @@ header_map = {

The COSE_Encrypt MAY be tagged or untagged.

When encrypting the content at layer 0 then the instructions in
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems correct to me.

Section 5.3 of {{RFC9052}} MUST to be followed, which includes the
calculation of the authenticated data strcture.

At layer 1 where HPKE is used to encrypt the CEK, the "aad" parameter
provided to the HPKE API is constructed as follows (and the design has
been re-used from {{RFC9052}}):

~~~
Enc_structure = [
context : "Enc_Recipient",
protected : empty_or_serialized_map,
external_aad : bstr
]

empty_or_serialized_map = bstr .cbor header_map / bstr .size 0
~~~

The protected field in the Enc_structure contains the protected attributes
from the COSE_recipient structure at layer 1, encoded in a bstr type.

The external_aad field in the Enc_structure contains the Externally Supplied
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The external_aad field in the Enc_structure contains the Externally Supplied

Data described in Section 4.3 and Section 5.3 in RFC 9052. If this field is
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is restating some of 9052. I kind of thought it's better not to do restatements and if you do, say the original is normative. (not a big deal, but I thought I'd mention it).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with Laurence that there is no need to restate what is written in another spec. However, I also think that this PR should be merged once and editorial corrections can be done later as a PR that resolves the issue (#41) Laurence filed.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Data described in Section 4.3 and Section 5.3 in RFC 9052. If this field is

not supplied, it defaults to a zero-length byte string.
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
not supplied, it defaults to a zero-length byte string.


The HPKE APIs also use an "info" parameter as input and the details are
provided in {{info}}.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wish we could improve this a lot. Kind of seems like the user of COSE-HPKE has to do a deep threat analysis of their use case to know what to do here. Probably they have to do a lot less than in regular COSE, because COSE-HPKE internally takes care of a lot of this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, and I think it would be better to solve this with another PR.


An example is shown in {{two-layer-example}}.

## Key Representation {#key-representation}
Expand Down Expand Up @@ -310,20 +327,20 @@ this specification the COSE_KDF_Context structure is repeated in {{cddl-cose-kdf

# Ciphersuite Registration

This specification registers a number of ciphersuites for use with HPKE.
A ciphersuite is thereby a combination of several algorithm configurations:
A ciphersuite is a group of algorithms, often sharing component algorithms
such as hash functions, targeting a security level.
An HPKE ciphersuite, is composed of the following choices:

- HPKE Mode
- KEM algorithm
- KDF algorithm
- AEAD algorithm
- KEM Algorithm
- KDF Algorithm
- AEAD Algorithm

The "KEM", "KDF", and "AEAD" values are conceptually taken from the HPKE IANA
registry {{HPKE-IANA}}. Hence, COSE-HPKE cannot use a algorithm combination
that is not already available with HPKE.
The "KEM", "KDF", and "AEAD" values are chosen from the HPKE IANA
registry {{HPKE-IANA}}.

For better readability of the algorithm combination ciphersuites labels are
build according to the following scheme:
For readability the algorithm ciphersuites labels are built according
to the following scheme:

~~~
HPKE-<Version>-<Mode>-<KEM>-<KDF>-<AEAD>
Expand All @@ -343,7 +360,8 @@ which authenticates using both a PSK and an asymmetric key.

For a list of ciphersuite registrations, please see {{IANA}}. The following
table summarizes the relationship between the ciphersuites registered in this
document and the values registered in the HPKE IANA registry {{HPKE-IANA}}.
document, which all use the "Base" mode and the values registered in the
HPKE IANA registry {{HPKE-IANA}}.

~~~
+--------------------------------------------------+------------------+
Expand Down