[jose] JOSE/COSE RSA Kem without HPKE?

[Orie Steele]

See https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc5990bis/

Do we expect to see RSA Kem support in JOSE and COSE without the use of
HPKE?

If so, how do we identify RSA keys for use with KEMS? How do we transport
KEM CT ?

One option would be to reuse what we have in the JOSE HPKE draft, to
transport the KEM CT as an ephemeral encapsulated key:

{
  "protected": "eyJlbmMiOiJBMTI4R0NNIn0",
  "encrypted_key": "W0nlNK0VztBrVSJo23vNEPcUKbSgRWYaisRpeAqHw5M",
  "iv": "BvmzuI3ign3WgUVs",
  "ciphertext": "1iqtwexTYT9lsxppkWVs...Udc0KgLXGvD4l8q_LVvodF",
  "tag": "fJ1Mq0pP1j_ZrNP2kXDUsw",
  "aad": "8J-SgCBhYWQ",
  "recipients": [
    {
      "encrypted_key": "W0nlNK0VztBrVSJo23vNEPcUKbSgRWYaisRpeAqHw5M",
      "header": {
        "kid":
"urn:ietf:params:oauth:jwk-thumbprint:sha-256:iCUZEezL_1kx3t3y9i_AW0LIOmojwr2tBgih7RCy-kE",
        "alg": "HPKE-Base-P256-SHA256-AES128GCM",
        "epk": {
          "kty": "EK", // encapsulated key type
          "ek": "BN1YNlivxeS3DayvCt...3HDoa1Orh1wqPmw3Pp6Y" // encapsulated
key
        }
      }
    },
    // RSA KEM example goes here... looks like HPKE example above?
    {
      "encrypted_key":
"B9X-TifYXbA0fKHpASFT4N1_sLMf1...VmWjVhkfgaOvS9VCOzepEM02jFA",
      "header": {
        "alg": "RSA-OAEP-384"
      }
    },
    {
      "encrypted_key": "MRtJFqzpSDoLwS2AW13dbuGcPWrnRl-r",
      "header": {
        "kid":
"urn:ietf:params:oauth:jwk-thumbprint:sha-256:qXy7xVrE0xm3tS9ilK74GadeD9HF1wnQUzY5ml4pWuY",
        "alg": "ECDH-ES+A128KW",
        "epk": {
          "kty": "EC",
          "crv": "P-256",
          "x": "YzBl6tEBdqvkDxcGS7SWePD-oI4J9jMQX6qh3k7lGTw",
          "y": "s8D6l21rlSCH5IZZF4kjPwGhcoHg3ENGSup3VpE7o_8"
        }
      }
    }
  ]
}

or:

{
        / kid /
        4: h'3031',
        / encapsulated_key /
        -4: h'045df...73e', // new cose header, since cose does not support
transporting encapsulated keys as "epk" (-1).
},


Similar to the discussions we have had for ECDH-ES+A128KW vs HPKE, let us
start a discussion for

RSAES-OAEP w/ SHA-256 vs HPKE or Plain RSA Kem (TBD)

- https://www.rfc-editor.org/rfc/rfc7518.html#section-4.3
- https://www.rfc-editor.org/rfc/rfc8230.html#section-3

The reason I raise this, is that Ilari mentioned wanting to use JOSE HPKE's
Integrated Encryption and Key Encryption modes, without HPKE but with other
KEMs, so considering how RSA Kem might be supported in JOSE and COSE seems
worth discussing.

Is it ok if JOSE uses "epk" and JWK, COSE uses a new header
parameter instead of using "epk" and COSE Key?

Should JOSE do as COSE is doing? or vice versa?

Regards,

OS

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose