Define JOSE-HPKE for other specs

[ilaril]

This attempts to define JOSE-HPKE as a generic mechanism other specifications defining cipher suites can refer to.

This avoids having other specifications adding cipher suites essentially re-define JOSE-HPKE (or leave a lot implicit). Not only is that tedious, it is also error-prone.

This rewrites a large part of section 4. There are quite a bit of technical changes. Most of those changes are to align how Key Encryption works with the requirements in JWE. AAD construction for Key Encryption is also changed, the new construction should pose less implementation difficulties and addresses both cross-mode and oracle attacks, even if JOSE implementation omits mandatory checks. Finally, this also defines how keys (including AKP) work.

Needs a lot of wordsmithing (and I copied text from original that I think needs editorial improvement).

[OR13]

I don't have an objection to this, but ideally we have something similar in the COSE draft, and cross references between the two to make this easier to understand.

[OR13]

I recommend merging this in 1 week, unless there are objections.

[tireddy2]

How is the Recipient Context defined in Section 4.2 used by HPKE ?

[ilaril]

As aad input in the Key Encryption case.

[tireddy2]

If apu and apv in JOSE are pretty much completely broken. why use it in the Recipient context ?
What about the "JWE Additional Authenticated Data encryption parameter" defined in Step 14 of Section 5.1 of RFC7516 ?
It needs to be used for both modes.

[ilaril]

Apu and apv were included before, I guess to maintain parity with Key Agreement.

And both modes do include JWE AAD. It is part of "Additional Authenticated Data encryption parameter", which then gets fed as aad to bulk encryption (either HPKE or JWE native bulk encryption).

[tireddy2]

The problem is JWE AAD is not included in the Key Encryption mode, it is only included in the Integrated Encryption mode. It needs to be fixed; it was included in both modes in the latest published version of the draft.

One possible solution for both modes would be use HPKE Setup info to carry the Recipient Context. In both modes, JWE AAD should be conveyed in HPKE aad.

[ilaril]

No, it does not need to be conveyed in the HPKE aad. JWE handles JWE AAD itself for all its algorithms.

[tireddy2]

Yes, but why did you delete most of the existing text in Section 6 (Key Encryption) ?

[ilaril]

Most of that section was just repeating stuff from JWE, often not quite correctly.

[tireddy2]

I don’t see any issues with removing the redundant content from JWE. However, I will need to review all the changes to ensure that no relevant text is removed. I noticed the following:

1. Section 4.2 is removed.
2. In Key Encryption section, the latest version of the draft says encrypted_key is base64url encoded content
   encryption key but in the PR it says encrypted_key carries the raw enc output.

[ilaril]

Regarding 1., that section was redundant with specified HPKE I/O mappings.

Regarding 2., Note that the PR says "JWE Encrypted Key", not "encrypted_key". JWE specifies that the latter is base64url encoding of the former. So the field ends up base64url-encoded.

For the "ek" parameter, there is no automatic base64url-encoding, so the PR explicitly specifies base64url endec.

[tireddy2]

Why is the Recipient Context not used for JWE Integrated Encryption ?

[ilaril]

Because it is not enough for that case: One needs to authenticate the protected header and JWE AAD.

[tireddy2]

I meant the HPKE Setup info can be used to be carry the Recipient context in case of JWE Integrated Encryption.

[ilaril]

That would require multiplexing that field, since HPKE Setup info is also used for non-broken context binding from application.

[tireddy2]

Yes, if apu and apv are empty then info carries the context binding from the application.

[tireddy2]

I don't see existing JWE spec allows application context to be used as aad. what is the need in JWE HPKE to carry the application specific context ?
If application specific context is required, recipient context can be concatenated to application specific context.

[ilaril]

Someone requested ability to use the HPKE setup info for implicit context binding. The easiest way to implement that is to default the HPKE setup info to empty (using aad for recipient context) unless application specifies a value.

Which is what this PR does.

[tireddy2]

I don’t see any issues raised on GitHub or discussions in the WG regarding the need for application-specific context. Why is this requirement specific to JWE HPKE and not ECDH-ES ?

[ilaril]

It was one mailing list post. However, I think this mechanism does not work correctly, and should be ripped out.

Expanding a bit on the issue: While one could do things like extract the key thumbprint from envelope signature and then use that as implicit context (to bind the message to its origin), that only being supported for HPKE and not other algorithms is a footgun.

If application wants to bind message to its origin, it should stick whatever context data it is using to either JWE AAD or to protected headers and then check that on decryption.

(Applicability to COSE: everything meant to be usable at layer0 should support external aad, e.g. by using Enc_structure; HPKE in COSE / COSE-HPKE does that.)

[tireddy2]

Agreed. I will post a message on the JOSE WG mailing list after the holidays to close the issue.

[tireddy2]

Why is the HPKE Setup info not used to convey the JOSE context-specific data (enc, apu and apv) ?
For example TLS ECH uses both aad and info, and the size of HPKE setup info is much larger than 64 bytes. TLS ECH is already supported by browsers.

[ilaril]

That is to leave the HPKE setup info free for application to use for actual context binding. Apu and apv in JOSE are pretty much completely broken.

Also, it is unsound to allow any aad,info pair to be valid for both Integrated Encryption and Key Encryption.

[tireddy2]

If apu and apv is broken, why use it for key encryption mode ?

[ilaril]

I included because it was there before, I can only speculate why it was there.

[tireddy2]

I prefer including them in both modes to maintain consistency with Section 4.6.2 of RFC 7518, or alternatively, not including them with an explanation that it is broken.

[tireddy2]

I don't see any specification stating that apu and apv are useless in JWE. Until there is consensus in the WG, we will need to include apu and apv in both modes. As an alternative, we could consider explicitly documenting the decision to exclude apu and apv and explain that they are not necessary for HPKE in JWE. This would provide clarity to implementers and trigger further discussion within the WG

[ilaril]

No current Key Encryption algorithm supports apu nor apv. That would be one reason to exclude those.

[tireddy2]

As per Section 4.6.2 of RFC 7518, both apu and apv are used to derive the key which is used to encrypt the CEK.

[ilaril]

And there is an attack that exploits precisely that behavior (and there is an analog of that against HPKE that can not be fixed). Basically, apu and apv in JWE are broken beyond repair.

The apu and apv stuff should just be ripped out.

Expanding a bit on the issue: There is no authentication on the apu and apv values, so an attacker that has the public key of the victim can just set those fields to arbitrary values Then if using Key Agreement with Key Wrapping (or HPKE), the attacker can also set CEK to arbitrary value.

Party U Info and Party V Info are only usable with ECDH-SS (or some authenticated ECDH construction), where attacker can not just specify arbitrary values. And it is really only useful for ECDH-SS, which otherwise would have directional symmetry, that could allow attacks (that symmetry is quoted as the reason for Party U Info and Party V Info).

(Applicability to COSE: COSE does support ECDH-SS, where PartyUInfo and PartyVInfo are actually useful, and PartyUInfo.nonce is crucial for security. However, for everything else, those fields are useless.)

[tireddy2]

I will raise an issue on GitHub and start a thread on the JOSE WG mailing list after the holidays.

[tireddy2]

I prefer to use "MUST NOT" instead of "SHOULD NOT". I don't think "authentication key" is defined anywhere in this doc and HPKE draft. It needs to be defined.

[ilaril]

Looking at HPKE RFC, I think it should be "sender key" instead of "authentication key".

[tireddy2]

I can't find the term "sender key" in HPKE RFC.

[ilaril]

I got that from reading section 5.1.3...

The notation section implies that the terms are "sender role" and "recipient role". So presumably the statement should be:

A single key SHOULD NOT be used in both sender and recipient roles, as this has not been proven to be safe.

[tireddy2]

Why would an application use the same key for sender and recipient roles ?
I don't see this attack discussed in HPKE.

[ilaril]

I guess application could use the same key for sender and recipient roles because it is easier. It is not good cryptographic practice.

Last paragraph of section 9.2.3. The paragraph talks about using key in multiple "modes", but the only possible issue is with using the same key in both sender and recipient roles. Most likely that is not an issue, but there is no proof of that.

[tireddy2]

Agreed, I propose to update the text as follows::
A single key MUST NOT be used in both sender and recipient roles. Avoiding the use of the same key for both sender and recipient roles ensures clear cryptographic boundaries and minimizes unintended interactions.

[tireddy2]

If the key is compromised in one of the modes, it will impact the other mode, what is the use case to allow the same key for both Integrated Encryption and Key Encryption ?

[ilaril]

Restricting key to one mode does not help against key compromise, as any such compromise must involve mechanisms outside JOSE-HPKE.

Integrated Encryption is more straightforward for one recipient, but can not handle multiple recipients.

[tireddy2]

Why a key needs to be used for both Integrated Encryption and Key Encryption modes ?

It would also introduce additional complexity of multiple key_ops (derivebits and wrapKey).
I don't see any such rule defined in in JWE which allows a key to be re-used for direct key agreement and key encryption modes.

[ilaril]

It is operationally easier to allow both. And AFAIK there is no good reasons to disallow it (where "it might not be safe", e.g., mixing sender and recipient roles, would count as a good reason).

I think key_ops are just totally busted. And it would not need multiple key_ops: Both invoke HPKE, which I think is derivebits (not sure given the mess that is key_ops).

[tireddy2]

I prefer to keep it simple, managing keys for multiple purposes within the same system increases the complexity of key management and raises the risk of implementation errors.

[tireddy2]

I prefer to prioritize simplicity: each key should have a well-defined, single purpose. This approach minimizes risk and aligns with the principle of least privilege in cryptographic systems. If there is a strong operational need to allow key reuse, it should be clearly documented along with the associated trade-offs, potential risks and use of multiple key_ops.

[ilaril]

AFACIT, there are no trade-offs and no risks beyond those inherit in having an implementation for both.

And what key_ops does HPKE use anyway? I know some implementation used DeriveBits because that was required to enable the needed interfaces.

[tireddy2]

I disagree. Combining multiple key_ops (e.g., encryption and derivation) can lead to unintended consequences in certain scenarios, such as algorithm confusion or key misuse across contexts. I suggest raising this issue on the WG mailing list for further discussion.

[ilaril]

Neither algorithm confusion nor key misuse across contexts is possible with JOSE-HPKE recipient role keys. To get either, one would have to use the same key with sender role, or with something else, and both are NOT RECOMMENDED.

[tireddy2]

Is it a common practice to reuse the key in different modes, ?
what is the use case to use the same key for JWE Integrated Encryption and Key Encryption ?

[tireddy2]

please elaborate on the insecurity issue.

[ilaril]

Anyone that has access to CEK can alter the message by just encrypting a new one and replacing the protected headers / ciphertext.

[tireddy2]

It is not clear to me why the Authenticated HPKE mode cannot be used
with Key Encryption ?

[ilaril]

Put another way, using Authenticated HPKE with Key Encryption would authenticate the CEK. Which does not even indirectly authenticate the actual message.

Whereas Authenticated HPKE with Integrated Encryption does authenticate protected headers, JWE AAD and the message plaintext.

[tireddy2]

Authenticated HPKE already authenticates the CEK, ensuring it originates from the sender. The plaintext is then encrypted using AEAD, which provides both confidentiality and authentication for the message.

Why does the receiver need stronger assurances that the plaintext itself is cryptographically bound to the sender's identity? The CEK is authenticated, and the AEAD encryption protects the plaintext's integrity and confidentiality.

Could you clarify the specific threat model where this additional assurance becomes critical?

I don’t see the threat.

[ilaril]

If there are multiple recipients in the original message, the message authentication breaks down since any other recipient might have forged the message.

Checking for one recipient does not work: The number of recipients is not authenticated, so attacker might have stripped all recipients except the target, so the message appears to have just a single recipient.

[tireddy2]

Yes, if any recipient acts as a MiTM to modify the message or strip the recipient list, such an attack cannot be detected in JWE, even when Authenticated HPKE is not used.

[ilaril]

Such message does not even pretend to be authenticated (unless done by external means like signatures).

[tireddy2]

I propose to modify the text as follows:
Authenticated HPKE modes MUST NOT be used for Key Encryption, as the message is not authenticated. Any recipient could act as a man-in-the-middle (MitM) and modify the message.

[tireddy2]

Replace "SHALL" with "MUST"

[tireddy2]

Replace "SHALL" with "MUST"

[tireddy2]

Replace all occurrences of "SHALL" with "MUST" (lines 183 to 192).

[ilaril]

Thinking about it, switching between keywords with no defined or obvious pattern (but in this case there is a pattern) looks odd.

[tireddy2]

Yes, while "SHALL" and "MUST" both indicate mandatory requirements, I prefer sticking to one term in the document which would improve consistency and clarity.

[tireddy2]

I will merge the PR and raise another PR for further updates to the draft.