On 10 Apr 2024, at 16:21, Michael Jones <[email protected]> wrote:
At IETF 119, we’d been asked to describe to the working group what including fully-specified ECDH algorithms would look like.  Please let us know if you’re in favor of addressing this in draft-ietf-jose-fully-specified-algorithms or not, and whether you agree with the characterization of how to do so below, or if there are specific changes you’d suggest.

These registered JOSE algorithms are polymorphic, because they do not include the algorithm to be used for the ephemeral key:

  ECDH-ES          ECDH-ES using Concat KDF
  ECDH-ES+A128KW   ECDH-ES using Concat KDF and "A128KW" wrapping
  ECDH-ES+A192KW   ECDH-ES using Concat KDF and "A192KW" wrapping
  ECDH-ES+A256KW   ECDH-ES using Concat KDF and "A256KW" wrapping

Fully-specified versions of these algorithms using combinations that “make sense”, per Brian Campbell’s suggestion, would be:

  ECDH-ES-P-256          ECDH-ES using Concat KDF and P-256
  ECDH-ES-P-384          ECDH-ES using Concat KDF and P-384
  ECDH-ES-P-521          ECDH-ES using Concat KDF and P-521
  ECDH-ES-X25519         ECDH-ES using Concat KDF and X25519
  ECDH-ES-X448           ECDH-ES using Concat KDF and X448
  ECDH-ES-P-256+A128KW   ECDH-ES using Concat KDF and P-256 and "A128KW" wrapping
  ECDH-ES-X25519+A128KW  ECDH-ES using Concat KDF and X25519 and "A128KW" wrapping
  ECDH-ES-P-384+A192KW   ECDH-ES using Concat KDF and P-384 and "A192KW" wrapping
  ECDH-ES-P-521+A256KW   ECDH-ES using Concat KDF and P-521 and "A256KW" wrapping
  ECDH-ES-X448+A256KW    ECDH-ES using Concat KDF and X448 and "A256KW" wrapping


I appreciate the attempt to somewhat limit the explosion in algorithms, but I think this still has some issues. 

It seems a bit weird to “strength match” the key-wrap algorithm but then not also “fully-specify” the content encryption algorithm. Is it ok to use e.g. A128GCM with ECDH-ES-P-521+A256KW?

I’m generally not a huge fan of strength matching, as e.g. it ends up with things like ES256 where the fastest curve is paired with the slowest hash (on 64-bit systems at least). In this case, if you are mandated to use AES-256 (e.g. by CNSA [1]) then you are also forced to use P-521, which is atrociously slow—hence why NSA match AES-256 with P-384 instead, despite them not being “strength matched”.

(I’ll leave out discussion of what strength-matching means exactly given that AES-KW has only 64-bit authentication security, regardless of key size, single vs multi-target security models etc). 


— Neil
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
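Added example, not code from the draft or from anyone on the thread: a small Python check that shows what "polymorphic" means in practice for the ECDH-ES family. In JOSE the ephemeral public key travels in the "epk" header as a JWK, so the curve actually used is whatever "epk.crv" says, not anything in "alg" (RFC 7518). The code resolves a polymorphic "alg" through "epk.crv" to the fully-specified name proposed above, verifies a fully-specified "alg" against "epk.crv" (rejecting a mismatched ephemeral key instead of silently using it), and reports the AES-KW and "enc" key sizes separately to make the point in the reply that the two are not tied together by the header. The fully-specified names are only the thread's proposal, not registered identifiers; the sample header is constructed and its "x" value is not a real public key.

```python
"""Resolve and check the curve behind a polymorphic ECDH-ES JWE header.

Added example, not from the draft or the jose list. Assumes the proposed
fully-specified names from the thread (not registered) and that the curve of
the ephemeral key is carried in epk.crv as in RFC 7518.
"""
import base64
import json
import re

# (polymorphic alg, epk.crv) -> fully-specified name proposed in the thread
FULLY_SPECIFIED = {
    ("ECDH-ES", "P-256"): "ECDH-ES-P-256",
    ("ECDH-ES", "P-384"): "ECDH-ES-P-384",
    ("ECDH-ES", "P-521"): "ECDH-ES-P-521",
    ("ECDH-ES", "X25519"): "ECDH-ES-X25519",
    ("ECDH-ES", "X448"): "ECDH-ES-X448",
    ("ECDH-ES+A128KW", "P-256"): "ECDH-ES-P-256+A128KW",
    ("ECDH-ES+A128KW", "X25519"): "ECDH-ES-X25519+A128KW",
    ("ECDH-ES+A192KW", "P-384"): "ECDH-ES-P-384+A192KW",
    ("ECDH-ES+A256KW", "P-521"): "ECDH-ES-P-521+A256KW",
    ("ECDH-ES+A256KW", "X448"): "ECDH-ES-X448+A256KW",
}
# fully-specified name -> (polymorphic alg, curve it pins)
PINNED_CURVE = {v: k for k, v in FULLY_SPECIFIED.items()}

# AES key size used by each registered JWE "enc" value
# (A128CBC-HS256 encrypts with AES-128; the HMAC key is separate)
ENC_AES_BITS = {
    "A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
    "A128CBC-HS256": 128, "A192CBC-HS384": 192, "A256CBC-HS512": 256,
}


def b64url_decode(s: str) -> bytes:
    """Base64url without padding, as JOSE serializes protected headers."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_protected_header(protected_b64: str) -> dict:
    return json.loads(b64url_decode(protected_b64))


def effective_alg(header: dict) -> str:
    """Return the fully-specified algorithm this header actually commits to.

    A polymorphic alg is resolved through epk.crv.  A fully-specified alg is
    checked against epk.crv, so an epk on a different curve is an error rather
    than something the KDF quietly runs over.  Other algs are returned as-is.
    """
    alg = header["alg"]
    crv = (header.get("epk") or {}).get("crv")
    if alg in PINNED_CURVE:
        _, required = PINNED_CURVE[alg]
        if crv != required:
            raise ValueError(f"{alg} requires epk.crv={required}, got {crv!r}")
        return alg
    if alg.startswith("ECDH-ES"):
        if crv is None:
            raise ValueError(f"{alg} is polymorphic but the header has no epk.crv")
        try:
            return FULLY_SPECIFIED[(alg, crv)]
        except KeyError:
            raise ValueError(f"no fully-specified name proposed for {alg} with {crv}") from None
    return alg


def rejects(header: dict) -> bool:
    """True if effective_alg() refuses this header."""
    try:
        effective_alg(header)
    except ValueError:
        return True
    return False


def key_sizes(header: dict) -> tuple:
    """(AES-KW key bits, or None for direct ECDH-ES; AES bits used by enc).

    Nothing in the header ties the two together, which is the question raised
    in the thread about A128GCM with ECDH-ES-P-521+A256KW.
    """
    m = re.search(r"\+A(\d+)KW$", header["alg"])
    wrap_bits = int(m.group(1)) if m else None
    return wrap_bits, ENC_AES_BITS[header["enc"]]


# Constructed sample: X25519 ephemeral key with A128KW wrapping.  "x" is 32
# arbitrary bytes so the JWK is well-formed; it is not a real public key.
SAMPLE_HEADER = {
    "alg": "ECDH-ES+A128KW",
    "enc": "A128GCM",
    "epk": {"kty": "OKP", "crv": "X25519", "x": b64url_encode(bytes(range(32)))},
}
SAMPLE_PROTECTED = b64url_encode(
    json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()
)

if __name__ == "__main__":
    hdr = parse_protected_header(SAMPLE_PROTECTED)
    print(effective_alg(hdr))  # ECDH-ES-X25519+A128KW
    print(key_sizes(hdr))      # (128, 128)
```

Because "alg" and "enc" are independent header members, a policy that wants a 256-bit content key as well as a 256-bit wrap has to check "enc" itself; key_sizes() returns (256, 128) for ECDH-ES-P-521+A256KW with A128GCM without complaint, which is exactly the gap the reply asks about.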
