IETF Logo Mail Archive

Re: [Cfrg] [jose] GCM nonce reuse question

Richard Barnes <rlb@ipv.sx> Mon, 15 April 2013 15:25 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4DDF21F93EC for <cfrg@ietfa.amsl.com>; Mon, 15 Apr 2013 08:25:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SWwKenM-8uqa for <cfrg@ietfa.amsl.com>; Mon, 15 Apr 2013 08:25:57 -0700 (PDT)
Received: from mail-oa0-f48.google.com (mail-oa0-f48.google.com [209.85.219.48]) by ietfa.amsl.com (Postfix) with ESMTP id 8F5E621F93C8 for <cfrg@irtf.org>; Mon, 15 Apr 2013 08:25:57 -0700 (PDT)
Received: by mail-oa0-f48.google.com with SMTP id j1so4534527oag.21 for <cfrg@irtf.org>; Mon, 15 Apr 2013 08:25:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=wli3klY2CK5b1cQr/cy4xn7tq3cRaTccszlY4OcknZo=; b=NK2PAkxNmSiqH7n+SRw6JO5GXTXBfVZG8rWGiuV/L+Dc2HmuYtmEgpzjue96+cH31I ZnPsc77VS9qL8lHcUmz/l7NfFXbvGM/D7iPFFfKabuRuwqN/NOhk1f/t4C2x/5pU/Qzz mxGBT3Bk6dM9sn/J+sEJKTQ89DvJGQHulG3DTnUNkn2DKKAxTcucgHBNlBvecrk5FsNz +W5i+IwSMOZcJQz9SfsfrQ3EYJqkLUvR3cII6acmGyr3XmK57OzuHF9W+uX5tUeSofM5 va4uVL+WJarIIDy/Ky4zbToaIctRH2/5ZqhxzjUTb1ySGzEy4vb6GlAod22GPWF7/pKv F5UQ==
MIME-Version: 1.0
X-Received: by 10.60.62.39 with SMTP id v7mr2429326oer.5.1366039556989; Mon, 15 Apr 2013 08:25:56 -0700 (PDT)
Received: by 10.60.25.196 with HTTP; Mon, 15 Apr 2013 08:25:56 -0700 (PDT)
X-Originating-IP: [66.207.95.33]
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1150C74DDCF@WSMSG3153V.srv.dir.telstra.com>
References: <006a01ce2b3c$8f0d03b0$ad270b10$@augustcellars.com> <747787E65E3FBD4E93F0EB2F14DB556B183EF2E3@xmb-rcd-x04.cisco.com> <4E1F6AAD24975D4BA5B1680429673943675A0978@TK5EX14MBXC283.redmond.corp.microsoft.com> <004e01ce2fb9$74979730$5dc6c590$@augustcellars.com> <4EC6AC2C-8EE6-4433-8302-E884DD0B3C06@ve7jtb.com> <734D4714-BEF1-4E0C-8DB4-6753083F0F11@bbn.com> <255B9BB34FB7D647A506DC292726F6E1150C74DDCF@WSMSG3153V.srv.dir.telstra.com>
Date: Mon, 15 Apr 2013 11:25:56 -0400
Message-ID: <CAL02cgQwz4136CTEoz-RBude+pwAxB1pUFBzh6y=pMtL4ZuVLw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: multipart/alternative; boundary="089e013a005a8b409104da67dec7"
X-Gm-Message-State: ALoCoQkdvqFjBZtUfLXxgQCs+kYWoRnjcQYDP+jI5kG1l+aILWv8FVMQGb5l1qc7HRINI6rYhC8T
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [Cfrg] [jose] GCM nonce reuse question
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 15:25:58 -0000

On Sun, Apr 14, 2013 at 9:55 PM, Manger, James H <
James.H.Manger@team.telstra.com> wrote:

> I think there are more options for handling multiple recipients of
> AEAD-secured content:
>
>
> Option 3: Put all per-recipient info into one header; keep this header
> under the AEAD integrity check; have one nonce.
>   COST: All recipients need to be known (and their key exchange info
> created) before the AEAD algorithm is applied.
>   COST: The JWE JSON header structure needs to be adjusted (eg to have an
> array of recipient info) so it is not backward compatible with current
> drafts.
>   COST: Doesn't help use cases where one recipient forwards an
> AEAD-secured message on to a new recipient (eg an XMPP system receives a
> message secured for a user and re-secures it for a specific device of that
> user). Changing recipients requires reapplying the AEAD operations.
>   COST: Each recipient needs to see key exchange info of all recipients
> (privacy impact?).
>   POSSIBLE-BENEFIT: Recipients, key exchanges, parameters, and content is
> secured as a complete unit.
>
>
> Option 2b: Remove per-recipient info from AEAD integrity check; but add
> AEAD details to each key exchange. For instance, info about an AEAD
> operation (alg id, key id etc) potentially even including the whole
> ciphertext is used as the "label" for the RSAES-OAEP-ENCRYPT operation that
> encrypts the AEAD secret key for a recipient.
>   BENEFIT: The key exchange is tied to a specific AEAD operation.
>   COST: Crypto is not typically done like this; uncertain as to what exact
> security properties you are getting. Perhaps there are some similarities to
> NIST Concat KDF that adds "context" to key derivation: this adds "context"
> about an AEAD operation to the key exchange.
>
>
> I agree with Richard Barnes that the per-recipient key exchange details
> should be outside the AEAD operation (not covered by the AEAD integrity
> check). Go with option 2 or 2b.
> Then, separately, we can decide which details of the AEAD operation should
> be bound to each key exchange: none? AEAD key length? AEAD alg id? whole
> AEAD header? AEAD ciphertext? other context?
>
>
> --
> James Manger
>
>

Hey James,

Thanks for this.  I agree that Option 3 is a valid possibility, but not a
desirable one.

Option 2b is an interesting possibility.  Effectively, you would be
including a hash of the JWE (sans key) under the key wrap integrity check,
binding the key to the JWE.   I would note that we're already talking about
adding the ability to bind attributes to wrapped keys (for WebCrypto).  In
light of that, the "JWE digest" could just be included as one of those
attributes.

At the same time, this attribute should be optional, since I think there
are use cases where the CMK is not entirely ephemeral.  For example, I
think the current XMPP e2e document uses it as a session key rather than an
individual message key, so you wouldn't want to limit the key to a single
JWE.

So I think that lands us back at Option 2, with one more reason to make JWE
key wrapping the same as general key wrapping
[draft-barnes-jose-key-wrapping].

--Richard




> > ----------
> > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> > Richard Barnes
> > Sent: Wednesday, 3 April 2013 4:55 AM
> > …
> > The problem here is JWE, specifically the fact that the header (with
> > per-recipient data) is covered by the integrity check.  If you remove
> > the per-recipient data from the integrity check, then this problem goes
> > away.  In that case, there is only one invocation of GCM (not one per
> > recipient), so there's no problem.
> >
> > So the choice that JOSE faces is from the following options:
> >
> > Option 0. Outlaw GCM for multiple recipients.
> >   COST: GCM
> >
> > Option 1. Keep per-recipient info under integrity check, and require a
> > fresh nonce for each recipient
> >   COST: Removes all savings in the multiple recipient case
> >   BENEFIT: Doesn't break backward compatibility with current, single-
> > recipient JWE
> >
> > Option 2. Remove per-recipient info from integrity check
> >   COST: Breaks backward compatibility with current, single-recipient
> > JWE
> >   BENEFIT: Increases savings in multiple-recipient case (since no per-
> > recipient integrity check value)
> >
> > Option 0 is clearly not acceptable.  So basically, this is a choice
> > about how much we want to let deployed code keep us from sensible
> > architecture.
> >
> > To me, the choice is clear.  Changing code is minor, short-term pain.
> > Getting architecture wrong is major, long-term pain.  Let's do option
> > (2).
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email