Re: [jose] #4: Remove wrapped keys from integrity check (allow separation of keys from data)
"jose issue tracker" <trac+jose@trac.tools.ietf.org> Thu, 04 April 2013 03:52 UTC
Return-Path: <trac+jose@trac.tools.ietf.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A860111E80A5 for <jose@ietfa.amsl.com>; Wed, 3 Apr 2013 20:52:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.299
X-Spam-Level:
X-Spam-Status: No, score=-102.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_34=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DLt7fqTFDPog for <jose@ietfa.amsl.com>; Wed, 3 Apr 2013 20:52:15 -0700 (PDT)
Received: from grenache.tools.ietf.org (grenache.tools.ietf.org [IPv6:2a01:3f0:1:2::30]) by ietfa.amsl.com (Postfix) with ESMTP id 1985611E80A4 for <jose@ietf.org>; Wed, 3 Apr 2013 20:52:15 -0700 (PDT)
Received: from localhost ([127.0.0.1]:34503 helo=grenache.tools.ietf.org ident=www-data) by grenache.tools.ietf.org with esmtp (Exim 4.80) (envelope-from <trac+jose@trac.tools.ietf.org>) id 1UNbDd-0003Av-Pm; Thu, 04 Apr 2013 05:52:09 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: jose issue tracker <trac+jose@trac.tools.ietf.org>
X-Trac-Version: 0.12.3
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.3, by Edgewall Software
To: draft-ietf-jose-json-web-encryption@tools.ietf.org, sakimura@gmail.com, rlb@ipv.sx, michael.jones@microsoft.com
X-Trac-Project: jose
Date: Thu, 04 Apr 2013 03:52:09 -0000
X-URL: http://tools.ietf.org/jose/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/jose/trac/ticket/4#comment:4
Message-ID: <069.60ce5f2cb8cad16f3467698752bb1b5a@trac.tools.ietf.org>
References: <054.24cd2b074db2dc2bbbcb828a8456fbe9@trac.tools.ietf.org>
X-Trac-Ticket-ID: 4
In-Reply-To: <054.24cd2b074db2dc2bbbcb828a8456fbe9@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: draft-ietf-jose-json-web-encryption@tools.ietf.org, sakimura@gmail.com, rlb@ipv.sx, michael.jones@microsoft.com, jose@ietf.org
X-SA-Exim-Mail-From: trac+jose@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on grenache.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: ekr@rtfm.com, jhildebr@cisco.com, mbj@microsoft.com
Resent-Message-Id: <20130404035215.1985611E80A4@ietfa.amsl.com>
Resent-Date: Wed, 03 Apr 2013 20:52:15 -0700
Resent-From: trac+jose@trac.tools.ietf.org
Cc: jose@ietf.org
Subject: Re: [jose] #4: Remove wrapped keys from integrity check (allow separation of keys from data)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2013 03:52:15 -0000
#4: Remove wrapped keys from integrity check (allow separation of keys from data) Comment (by rlb@ipv.sx): Responding to each of your paragraphs in parallel... You are correct. In "wrapped key", I meant to include the parameters involved in key wrapping along with the actual octets of the wrapped key. Russ Housley nicely summarized on CFRG why these "algorithm substitution attacks" are not actually attacks. <http://www.ietf.org/mail-archive/web/cfrg/current/msg03376.html> Whether or not cryptographically binding header information to the ciphertext is a "very good thing" depends on your application. Certainly, there are applications that do not care at all about this binding -- for example, applications that just want to use the header to carry encryption parameters, such as the current XMPP e2e proposal. Applications that do care should just wrap the JWE in a JWS to achieve that binding, instead of burdening every application in the world with their requirements. Header parameters specify inputs to encryption algorithms. If there is an attack that can be accomplished by changing the parameters of an algorithm, that is a flaw in the algorithm, and there's nothing this format can do to help. It's also rather naïve to claim that by adding integrity protection, you've taken away the attacker's ability to change things. The attacker can still change things and cause the recipient to perform unintended cryptographic operations, it's just that this will be detected later on. For example, suppose that an attacker intercepts an object encrypted with GCM, and changes it to use CBC+HMAC. The recipient will pull the "enc" parameter out of the header (the bad one, that says CBC+HMAC) and process the entire object before realizing that he's done the wrong thing. So all you've really done is shift from one class of oracle attacks to another. Taking all the above into consideration, we still have yet to hear a concrete security benefit to header integrity protection. On the other side, the recent CFRG thread demonstrates that there is real harm in header integrity protection, in that it is incompatible with GCM. GCM is not an acceptable cost. We should kill header integrity protection instead. -- -------------------------+------------------------------------------------- Reporter: | Owner: draft-ietf-jose-json-web- rbarnes@bbn.com | encryption@tools.ietf.org Type: defect | Status: new Priority: major | Milestone: Component: json-web- | Version: encryption | Resolution: Severity: Active WG | Document | Keywords: | -------------------------+------------------------------------------------- Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/4#comment:4> jose <http://tools.ietf.org/jose/>
- [jose] #4: Impossible to separate wrapped key fro… jose issue tracker
- Re: [jose] #4: Impossible to separate wrapped key… jose issue tracker
- Re: [jose] #4: Impossible to separate wrapped key… Richard Barnes
- Re: [jose] #4: Impossible to separate wrapped key… Mike Jones
- Re: [jose] #4: Impossible to separate wrapped key… Richard Barnes
- Re: [jose] #4: Remove wrapped keys from integrity… jose issue tracker
- Re: [jose] #4: Remove wrapped keys from integrity… jose issue tracker
- Re: [jose] #4: Remove wrapped keys from integrity… jose issue tracker
- Re: [jose] #4: Remove wrapped keys from integrity… jose issue tracker
- Re: [jose] #4: Remove wrapped keys from integrity… jose issue tracker
- Re: [jose] #4: Remove wrapped keys from integrity… jose issue tracker