Re: [jose] #55: Mandatory entropy in ECC KDF inputs
Brian Campbell <bcampbell@pingidentity.com> Sat, 05 October 2013 14:41 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BEB721F8E85 for <jose@ietfa.amsl.com>; Sat, 5 Oct 2013 07:41:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.976
X-Spam-Level:
X-Spam-Status: No, score=-5.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6WyxFnPoBeOc for <jose@ietfa.amsl.com>; Sat, 5 Oct 2013 07:41:42 -0700 (PDT)
Received: from na3sys009aog107.obsmtp.com (na3sys009aog107.obsmtp.com [74.125.149.197]) by ietfa.amsl.com (Postfix) with ESMTP id 4C2A921F89FF for <jose@ietf.org>; Sat, 5 Oct 2013 07:41:41 -0700 (PDT)
Received: from mail-ie0-f177.google.com ([209.85.223.177]) (using TLSv1) by na3sys009aob107.postini.com ([74.125.148.12]) with SMTP ID DSNKUlAlJYEzKUotI17GgEN2fjXVbdadqNMU@postini.com; Sat, 05 Oct 2013 07:41:42 PDT
Received: by mail-ie0-f177.google.com with SMTP id qd12so11673145ieb.22 for <jose@ietf.org>; Sat, 05 Oct 2013 07:41:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=NDkThB5CXtp1wVI6V5ceraJJT3f7L6jLN0WSzV1YXu4=; b=RcsEhwhFJO1qTQQ/x2rLtD6T2RIZhOoBYdSfJacMYwLtEYy98Ev39264CZKgmiGhZN UFIRC03wxTd72MqFMLG59USlKdVjLCwn31XD8ieieVXYJQf1K3b/g7ttgpyAHfS1YKmD D8H4RU/gBzOCUidbqoQNR4Vq7vVmpfEf3rAUNwKmNYJq9ooX+Ca5kpBLtkENB15zKhL8 QOYM5fCwjr+bF6A9RAoQ1VWDFW0G4C1vD3X6UJ9Gt3skY3CUrpLVsE+GrQK9Y/n5LBuC kUlMyBPZc41LSM/NVpakNYQX21F0pipTJp9Neve/TaCztWxStC+uzWlG4k9j3ndX+d9p xH/w==
X-Gm-Message-State: ALoCoQmS8Iu2gO95sl6P+T8Hcx+PJ2PVMBUZoKJS1wcSukyfNrgtX1Dm/ATXxkboPMwqV0Aabv9mJX506I6g0kumwvBZgc56lIcYgeJrXPn9oyMaToBVnZW/c0oV0cvX87dNbm+FQwbSNqEo8Xelz8LqbsnjofLRrg==
X-Received: by 10.50.115.5 with SMTP id jk5mr10433208igb.47.1380984101292; Sat, 05 Oct 2013 07:41:41 -0700 (PDT)
X-Received: by 10.50.115.5 with SMTP id jk5mr10433193igb.47.1380984100937; Sat, 05 Oct 2013 07:41:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.232.229 with HTTP; Sat, 5 Oct 2013 07:41:10 -0700 (PDT)
In-Reply-To: <CAL02cgSFn3RnqCU_D97mYa-DDEsb27S7RiEEWKMEb9Pm9WLRLw@mail.gmail.com>
References: <049.b688513f0138e33716b51cf1754cfde4@trac.tools.ietf.org> <CAL02cgTVztVqT1pQ7wgYc5PK5yt=x4S0HGweXu=a8cGnxB374w@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436C2EF023@TK5EX14MBXC291.redmond.corp.microsoft.com> <CA+k3eCTzQbXykhTCR=u45piiPCuMtE83KC1YT3zuhr-SWn28Pg@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436C2EF41F@TK5EX14MBXC291.redmond.corp.microsoft.com> <CA+k3eCQv_MHxbqfAWhe=nGgOO9AvOcDMCciqnc8vUspKCcMq3A@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436C2EF911@TK5EX14MBXC291.redmond.corp.microsoft.com> <CA+k3eCSMd6wrDX1kN0Ps1Us_C=uKf8jGgqr1_cbYuFJeJxazkw@mail.gmail.com> <CAL02cgSFn3RnqCU_D97mYa-DDEsb27S7RiEEWKMEb9Pm9WLRLw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sat, 05 Oct 2013 07:41:10 -0700
Message-ID: <CA+k3eCR6w8ZKMd9L-1R-F7+9gCDjhpO+dtGz-xxoFH_FfoCh4w@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Content-Type: multipart/alternative; boundary="089e01184232c6f8cd04e7ff6abe"
Cc: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #55: Mandatory entropy in ECC KDF inputs
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Oct 2013 14:41:47 -0000
WFM On Fri, Oct 4, 2013 at 11:11 AM, Richard Barnes <rlb@ipv.sx> wrote: > I'm fine removing the MUST (this doesn't really seem like a 2119 thing). > How about this? > > """ > Each application should specify how senders populate the "apu" and "apv" > parameters in the context of that application. Applications wishing to > conform to [NIST.800-56A] need to provide values that meet the requirements > of that document, e.g., by using values that identify the sender and > recipient. Alternatively, applications MAY conduct key derivation in a > manner similar to [RFC2631]: In that case, the "apu" field MAY either be > omitted or represent a random 512-bit value (analogous to PartyAInfo in > Ephemeral-Static mode in [RFC2631]) and the "apv" field should not be > present. > """ > > > On Wed, Sep 11, 2013 at 2:55 PM, Brian Campbell < > bcampbell@pingidentity.com> wrote: > >> Much improved, thanks. >> >> I'm still not crazy about the first sentence though. Really the sender >> specifies the "apu" and "apv" values simply by sending them or omitting >> them (James made a similar point last week). I think that as far as JOSE >> should go with it normatively. Applications may specify additional >> constraints on the use and values for "apu" and "apv", if appropriate for >> their context. Can it say something more like that? Or at least drop that >> first MUST? >> >> >> >> On Thu, Sep 5, 2013 at 6:31 PM, Mike Jones <Michael.Jones@microsoft.com>wrote: >> >>> Thanks for doing this research, Brian. We only support >>> ephemeral-static mode, so your findings are quite pertinent. I therefore >>> propose that we further revise the text as follows:**** >>> >>> ** ** >>> >>> Applications MUST specify what values should be used in the "apu" and >>> "apv" parameters. Applications wishing to conform to [NIST.800-56A] need >>> to provide values that meet the requirements of that document, e.g., by >>> using values that identify the sender and recipient. Alternatively, >>> applications MAY conduct key derivation in a manner similar to [RFC2631]: >>> In that case, the "apu" field MAY either be omitted or represent a >>> random 512-bit value (analogous to PartyAInfo in Ephemeral-Static modein [RFC2631]) and the "apv" field should not be present. >>> **** >>> >>> ** ** >>> >>> -- Mike* >>> *** >>> >>> ** ** >>> >>> -----Original Message----- >>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of >>> Brian Campbell >>> Sent: Thursday, September 05, 2013 5:21 PM >>> To: Mike Jones >>> Cc: Richard Barnes; jose issue tracker; < >>> draft-ietf-jose-json-web-algorithms@tools.ietf.org>; jose@ietf.org >>> Subject: Re: [jose] #55: Mandatory entropy in ECC KDF inputs >>> >>> ** ** >>> >>> RFC 2631 requires the 512 bits of partyAInfo only for Static-Static mode >>> while using it for Ephemeral-Static is just a 'MAY'.**** >>> >>> ** ** >>> >>> I guess that's what the proposed JOSE text says too. But the MAY >>> followed by the conditional SHOULD reads kind of funny. And as someone >>> who's asked for some more clarity and guidance on the use of "apu" and >>> "apv" that text didn't leave me felling sure of what to do with them but >>> made me feel like I probably needed to put 512 bits of stuff in there.** >>> ** >>> >>> ** ** >>> >>> On Thu, Sep 5, 2013 at 2:25 PM, Mike Jones <Michael.Jones@microsoft.com> >>> wrote:**** >>> >>> > I also stated on the call that the 512 additional bits of entropy >>> don't any value to the randomness already present in the ephemeral key.* >>> *** >>> >>> >** ** >>> >>> > I perceive the 512 bit text as being there to make people who are >>> enamored of RFC 2631 key agreement happy, by telling them how they could do >>> the same thing in this case. I personally believe we're better off if >>> applications just say what they expect to be in "apu" and "apv" (if >>> anything) and ignore the 2631 backup plan.**** >>> >>> >** ** >>> >>> > -- Mike**** >>> >>> >** ** >>> >>> > -----Original Message-----**** >>> >>> > From: Brian Campbell [mailto:bcampbell@pingidentity.com<bcampbell@pingidentity.com> >>> ]**** >>> >>> > Sent: Thursday, September 05, 2013 2:20 PM**** >>> >>> > To: Mike Jones**** >>> >>> > Cc: Richard Barnes; jose issue tracker; jose@ietf.org; ** ** >>> >>> > <draft-ietf-jose-json-web-algorithms@tools.ietf.org>**** >>> >>> > Subject: Re: [jose] #55: Mandatory entropy in ECC KDF inputs**** >>> >>> >** ** >>> >>> > Is there anyone who can explain where the 512 bits comes from and what >>> value it adds for JOSE's use of ECDH-ES case?**** >>> >>> >** ** >>> >>> > My sense from the call yesterday was that I wasn't the only one that >>> didn't grok what value these additional inputs into the KDF really provide. >>> **** >>> >>> >** ** >>> >>> > For the compact serialization, if possible/reasonable, I'd like to >>> avoid the overhead of adding 512 more bits that will be base64url encoded >>> twice.**** >>> >>> >** ** >>> >>> >** ** >>> >>> >** ** >>> >>> >** ** >>> >>> >** ** >>> >>> >** ** >>> >>> >** ** >>> >>> >** ** >>> >>> >** ** >>> >>> > On Thu, Sep 5, 2013 at 12:28 PM, Mike Jones < >>> Michael.Jones@microsoft.com> wrote:**** >>> >>> >> Thanks for the new text, Richard. Slight consistency edits proposed >>> **** >>> >>> >> below...**** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >> Applications MUST specify what values should be used in the "apu" and >>> "apv"**** >>> >>> >> parameters. Applications wishing to conform to [NIST.800-56A] need * >>> *** >>> >>> >> to provide values that meet the requirements of that document, e.g., >>> **** >>> >>> >> by choosing values that identify the sender and recipient.**** >>> >>> >> Alternatively, applications MAY conduct key derivation in a manner ** >>> ** >>> >>> >> similar to [RFC2631]: In that case, the "apu" field SHOULD represent >>> **** >>> >>> >> a random 512-bit value (analogous to PartyAInfo in [RFC2631]) and the >>> **** >>> >>> >> "apv" field should not be present.**** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >> -- Mike** >>> ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >> From: Richard Barnes [mailto:rlb@ipv.sx <rlb@ipv.sx>]**** >>> >>> >> Sent: Thursday, September 05, 2013 8:23 AM**** >>> >>> >> To: jose issue tracker**** >>> >>> >> Cc: <draft-ietf-jose-json-web-algorithms@tools.ietf.org>;**** >>> >>> >> jose@ietf.org**** >>> >>> >> Subject: Re: [jose] #55: Mandatory entropy in ECC KDF inputs**** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >> As promised on the call yesterday, here's some proposed revision to * >>> *** >>> >>> >> Section**** >>> >>> >> 4.7.2:**** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >> OLD:**** >>> >>> >>** ** >>> >>> >> """**** >>> >>> >>** ** >>> >>> >> Note: The Diffie-Hellman Key Agreement Method [RFC2631] uses a key >>> **** >>> >>> >>** ** >>> >>> >> derivation function similar to the Concat KDF, but with fewer**** >>> >>> >>** ** >>> >>> >> parameters. Rather than having separate PartyUInfo and PartyVInfo >>> **** >>> >>> >>** ** >>> >>> >> parameters, it uses a single PartyAInfo parameter, which is a **** >>> >>> >> random**** >>> >>> >>** ** >>> >>> >> string provided by the sender, that contains 512 bits of **** >>> >>> >> information,**** >>> >>> >>** ** >>> >>> >> when provided. It has no SuppPrivInfo parameter. Should it be*** >>> * >>> >>> >>** ** >>> >>> >> appropriate for the application, key agreement can be performed in >>> **** >>> >>> >> a**** >>> >>> >>** ** >>> >>> >> manner akin to RFC 2631 by using the PartyAInfo value as the "apu" >>> **** >>> >>> >>** ** >>> >>> >> (Agreement PartyUInfo) header parameter value, when provided, and >>> **** >>> >>> >> by**** >>> >>> >>** ** >>> >>> >> using no "apv" (Agreement PartyVInfo) header parameter.**** >>> >>> >>** ** >>> >>> >> """**** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >> NEW:**** >>> >>> >>** ** >>> >>> >> """**** >>> >>> >>** ** >>> >>> >> Applications must specify what values should be populated in the "apu" >>> **** >>> >>> >> and "apv" parameters. Applications wishing to conform to **** >>> >>> >> [NIST.800-56A] need to provide values that meet the requirements of * >>> *** >>> >>> >> that document, e.g., by choosing values that identify the sender and >>> **** >>> >>> >> recipient. Otherwise, it is RECOMMENDED that applications conduct ** >>> ** >>> >>> >> key derivation in a manner similar to**** >>> >>> >> [RFC2631]: The "apu" field should be set to a random 512-bit value ** >>> ** >>> >>> >> (analogous to PartyAInfo in [RFC2631]) and the "apv" field should be >>> **** >>> >>> >> left empty.**** >>> >>> >>** ** >>> >>> >> """**** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >> On Sun, Aug 11, 2013 at 6:56 PM, jose issue tracker ** ** >>> >>> >> <trac+jose@trac.tools.ietf.org> wrote:**** >>> >>> >>** ** >>> >>> >> #55: Mandatory entropy in ECC KDF inputs**** >>> >>> >>** ** >>> >>> >> At the interim, there was agreement to require at least 512 bits of >>> **** >>> >>> >> entropy in the "apu" field, in order to ensure sufficient entropy in >>> **** >>> >>> >> the resulting key. That requirement has been lost in a subsequent >>> revision.**** >>> >>> >>** ** >>> >>> >> --**** >>> >>> >> -------------------------+------------------------------------------- >>> **** >>> >>> >> -------------------------+-**** >>> >>> >> -------------------------+-----**** >>> >>> >> Reporter: rlb@ipv.sx | Owner: draft-ietf-jose-json-web-**** >>> >>> >> Type: defect | algorithms@tools.ietf.org**** >>> >>> >> Priority: major | Status: new**** >>> >>> >> Component: json-web- | Milestone:**** >>> >>> >> algorithms | Version:**** >>> >>> >> Severity: - | Keywords:**** >>> >>> >> -------------------------+------------------------------------------- >>> **** >>> >>> >> -------------------------+-**** >>> >>> >> -------------------------+-----**** >>> >>> >>** ** >>> >>> >> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/55>**** >>> >>> >> jose <http://tools.ietf.org/jose/>**** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >>** ** >>> >>> >> _______________________________________________**** >>> >>> >> jose mailing list**** >>> >>> >> jose@ietf.org**** >>> >>> >> https://www.ietf.org/mailman/listinfo/jose**** >>> >>> >>** ** >>> >>> _______________________________________________**** >>> >>> jose mailing list**** >>> >>> jose@ietf.org**** >>> >>> https://www.ietf.org/mailman/listinfo/jose**** >>> >> >> >
- [jose] #55: Mandatory entropy in ECC KDF inputs jose issue tracker
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Manger, James H
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Axel.Nennker
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Richard Barnes
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Axel.Nennker
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Richard Barnes
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Mike Jones
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Brian Campbell
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Mike Jones
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Brian Campbell
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Mike Jones
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Manger, James H
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Richard Barnes
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Richard Barnes
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Mike Jones
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Brian Campbell
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Richard Barnes
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… Brian Campbell
- Re: [jose] #55: Mandatory entropy in ECC KDF inpu… jose issue tracker