Re: [Cfrg] [jose] Use of authenticated encryption for key wrapping

John Bradley <ve7jtb@ve7jtb.com> Sun, 17 March 2013 22:40 UTC


That is true.

However, the main reason AES-GCM would be used is to allow transport of keys (RSA, EC and symmetric) that are intended for use outside the crypto module.

Where I agree is that it is probably not such a good idea to start using AES-KW on the message body just because that body contains a JWK with a private key.

I think that is where this particular question started.  Some people thought that only AES-KW was appropriate for encrypting keys.

My preference is to keep AES-KW for wrapping session keys, and not change to the newer version that would allow us to encrypt arbitrary length messages.

That at least still provides some additional protection for session keys in that the KW alg remains internal, so cannot be used to expose session keys accidentally, if that is what you are getting at.

Regards,
John B.

On 2013-03-15, at 2:42 PM, Russ Housley <housley@vigilsec.com> wrote:

> There are some system design issues to be considered.  The use of different modes for encryption of user data and keying material makes it easier to prevent the decryption of keying material outside of the crypto module.
> 
> Russ
> 
> 
> On Mar 15, 2013, at 11:42 AM, Brian Weis wrote:
> 
>> Jim Schaad gave a presentation on JOSE to CFRG today (<http://www.ietf.org/proceedings/86/slides/slides-86-cfrg-5.pdf>). The question came up as to whether AES key wrap was necessarily the only method that was safe for key wrapping in JOSE. The other algorithm under consideration is AES-GCM. 
>> 
>> Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:
>> 
>> "Previously approved authenticated-encryption modes—as well as combinations of an approved encryption mode with an approved authentication method—are approved for the protection of cryptographic keys, in addition to general data."
>> 
>> So if one considers that to be good enough advice, AES-GCM would indeed be an acceptable method of key wrapping. The chairs asked me to cross-post this for discussion.
>> 
>> Brian
> 
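
The mode-separation point raised in this thread, as an added illustration that is not part of the original messages or of any JOSE implementation: a crypto module holds one long-term key and offers an AES-GCM data-decryption service that returns plaintext, so a key wrapped under AES-GCM can be pushed through that data path while an AES-KW wrapped key is rejected. CryptoModule and its method names are hypothetical, and the code assumes the Python "cryptography" package.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap


class CryptoModule:
    """Hypothetical module: one long-term key K that never leaves it."""

    def __init__(self, wrap_mode):
        self._k = os.urandom(32)
        self._wrap_mode = wrap_mode      # "KW" or "GCM"
        self._session_keys = []          # unwrapped keys stay inside

    def new_wrapped_session_key(self):
        cek = os.urandom(32)
        if self._wrap_mode == "KW":
            return aes_key_wrap(self._k, cek)            # RFC 3394, 40 bytes
        nonce = os.urandom(12)
        return nonce + AESGCM(self._k).encrypt(nonce, cek, None)

    def import_session_key(self, wrapped):
        """Key path: unwrap internally, hand back only an opaque handle."""
        if self._wrap_mode == "KW":
            cek = aes_key_unwrap(self._k, wrapped)
        else:
            cek = AESGCM(self._k).decrypt(wrapped[:12], wrapped[12:], None)
        self._session_keys.append(cek)
        return len(self._session_keys) - 1

    def decrypt_data(self, blob):
        """Data path: AES-GCM under K, plaintext is returned to the caller."""
        return AESGCM(self._k).decrypt(blob[:12], blob[12:], None)


def exposed_by_data_decrypt(wrap_mode):
    """True if a wrapped key fed to the data path comes back as key bytes."""
    module = CryptoModule(wrap_mode)
    wrapped = module.new_wrapped_session_key()
    assert module.import_session_key(wrapped) == 0       # key path works
    try:
        return len(module.decrypt_data(wrapped)) == 32
    except InvalidTag:
        return False                                     # mode mismatch rejected


if __name__ == "__main__":
    for mode in ("GCM", "KW"):
        print(mode, "wrap exposed via decrypt_data:", exposed_by_data_decrypt(mode))
```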