IETF Logo Mail Archive

Re: [jose] #14: Support longer wrapped keys than OAEP allows

Richard Barnes <rlb@ipv.sx> Tue, 19 March 2013 13:55 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E7C921F8B51 for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 06:55:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.309
X-Spam-Level:
X-Spam-Status: No, score=-2.309 tagged_above=-999 required=5 tests=[AWL=0.667, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ARlOuIMwv8qx for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 06:55:31 -0700 (PDT)
Received: from mail-oa0-f53.google.com (mail-oa0-f53.google.com [209.85.219.53]) by ietfa.amsl.com (Postfix) with ESMTP id 34EBF21F8BF8 for <jose@ietf.org>; Tue, 19 Mar 2013 06:55:29 -0700 (PDT)
Received: by mail-oa0-f53.google.com with SMTP id m1so470638oag.26 for <jose@ietf.org>; Tue, 19 Mar 2013 06:55:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=TWDWMxi3Gh5ERQYeHl1JoNV/BBGE0riPTDO5Kb6sygs=; b=ayiouV3lu+ktYvp50p3VNHhYGvQLM+0Ouo0m6RD1k4/tpBOF2CTbnQkaLVcRrIUJjE Fli6MXxbflSe7cgadVnS1hUekq5ynQuxZge7ixUZrW+ecz9VvwVBPP1bkDhitaiZseKW ZAKKwIb7OZzLs6eZhaRI/B9FVb/epOzDqo+GMID9W71xCYHt0bpoHhyoDLoCIfF5hRJ/ aJsu1Cdafwn4bge8VSpREg7vjbderKRMOF++06kroBtPEehzkU1W8tnpt+Th0iT6BY2W 2CNshRgWHlitOtCxS0UKcpGTmfCPgTRq8h+PPznuPkuIUDO7pe+b5MZEmsRKruG9OGzM tYQQ==
MIME-Version: 1.0
X-Received: by 10.182.59.20 with SMTP id v20mr1314025obq.80.1363701327972; Tue, 19 Mar 2013 06:55:27 -0700 (PDT)
Received: by 10.60.40.233 with HTTP; Tue, 19 Mar 2013 06:55:27 -0700 (PDT)
X-Originating-IP: [192.1.255.184]
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436755CB51@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436755CB51@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Tue, 19 Mar 2013 09:55:27 -0400
Message-ID: <CAL02cgRnSZpvVVsruFTAzq2wrN4TPTjF2zSwu=a06KYvQ9+OvA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="14dae93a0db13bef4c04d8477513"
X-Gm-Message-State: ALoCoQmcoKGXRLncBZGlZSouZXYgj2WAA2SPqha1ZjYUTWKxKxUn3Xr74kZrFd9wXy+BEpIy3uPr
Cc: Jim Schaad <ietf@augustcellars.com>, James H Manger <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 13:55:33 -0000

I agree that it's a fair question to ask.  As I'm writing this key wrapping
document (as requested in Orlando), I'm trying to develop a comparison of
the costs of various wrapping schemes.

It would be interesting to get feedback on the group as to how you would
measure cost in this case?  For example:
-- Which algorithms can/cannot be supported
-- How large the encrypted object is
-- How many encryption formats a JOSE library has to support

On the latter point, the request to use GCM for key wrapping has gotten me
thinking that perhaps we should just make JWE self-similar, by using a JWE
to wrap the key for a JWE*.  That would reduce the number of encryption
code paths from two (JWE, key wrapping) to one (JWE).  Again, I'll try to
make a concrete proposal in the forthcoming document.

--Richard




On Mon, Mar 18, 2013 at 11:23 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:

>  Since you message appears to take it as given that “there should be only
> one way of encrypting keys”, I’ll point out that I don’t think that it’s
> reasonable to assume that.  JOSE is first and foremost an engineering
> exercise, where the cost/benefit generality/complexity tradeoffs matter,
> and the goal is a ubiquitously implemented crypto format for the Web that
> solves the problems that people actually have, rather than a mathematical
> exercise, where the goal is completeness and generality.  Complexity is the
> enemy of adoption.
>
> So it’s fair game to ask “What are the costs and benefits of having only
> one way to encrypt keys”, versus taking that as a given.
>
> I happen to personally believe that encrypting a bare symmetric
> ephemeral Content Master Key is sufficiently different than encrypting a
> key that may be public, private, or symmetric and may have additional
> attributes, that it’s at least worth asking the engineering question
> whether special-casing the encryption of this bare symmetric ephemeral key
> results in engineering benefits.
>
> Encrypting a key with attributes for storage or dissemination is not the
> same kind of operation as wrapping an ephemeral symmetric key to be used
> for block encryption.  I’m personally fine with this being done
> differently.  The engineering benefit if we do it differently in the way
> that Matt’s draft proposed, at least as I see it, is that we have to invent
> nothing new.  We already have a great format for encrypting arbitrary data,
> and keys with attributes are a whole lot like arbitrary data.
>
> I respect that some with disagree with my personal view, but I’d also ask
> you to respect that the engineering tradeoffs may favor having two ways to
> do things that on the surface may seem similar, but are actually fairly
> different in nature.
>
> Best wishes,
> -- Mike
>
>  *From:* Richard Barnes
> *Sent:* March 18, 2013 7:36 PM
> *To:* Jim Schaad
> *CC:* Manger, James H, jose@ietf.org
>
> *Subject:* Re: [jose] #14: Support longer wrapped keys than OAEP allows
>
> Well, I got to 788 by doing math incorrectly*.
>
>  Mike was correct on the other thread that 768 is the right number.
>  However, that's still too big for a 1024-bit RSA key and SHA1, since 768 +
> 320 = 1088 > 1024.
>
>  Regardless, there is clearly an issue here when wrapping a JWK, which is
> much larger, possibly containing an RSA key itself.  So if we accept the
> goal that there should be one way of encrypting keys, then we'll need to
> deal with getting around the OAEP size limitations.
>
>  --Richard
>
> * This is why my degree is in mathematics, and not accounting.
>
>
> On Mon, Mar 18, 2013 at 8:40 PM, Jim Schaad <ietf@augustcellars.com>wrote:
>
>> Think in terms of encrypting a JWK directly not an intermediate key.
>>
>> > -----Original Message-----
>> > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
>>  > Manger, James H
>> > Sent: Monday, March 18, 2013 5:17 PM
>> > To: rlb@ipv.sx; jose@ietf.org
>> > Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows
>> >
>> > Richard,
>> >
>> > How do you get a 788-bit key length?
>> >
>> > draft-mcgrew-aead-aes-cbc-hmac-sha2 defines 5 combinations of AES-
>> > 128/192/256 and SHA-1/256/384/512. The total key lengths range from 256
>> > bits to 512 bits.
>> >
>> > Keys for two of the algorithms (AEAD_AES_128_CBC_HMAC_SHA_256 and
>> > AEAD_AES_128_CBC_HMAC_SHA1) fit within OAEP with a 1024-bit RSA key.
>> >
>> > Keys for all of the algorithms fit within OAEP with a 2048-bit RSA key.
>> JWA
>> > already says RSA key sizes MUST be at least 2048 bits.
>> >
>> > This already looks sufficient.
>> >
>> > --
>> > James Manger
>> >
>> >
>> > > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf
>> > > Of Richard Barnes
>> > > Sent: Tuesday, 19 March 2013 10:25 AM
>> > > Subject: [jose] WebCrypto feedback on key wrapping
>> > >
>> > > 2. Mark Watson (Netflix) noted that if we use RSA directly to encrypt
>> wrapped
>> > key objects, then we would need something other than OAEP in order to
>> carry
>> > arbitrary-length payloads.  I agreed, and suggested that something like
>> RSA-
>> > KEM would be necessary.  Ryan Sleevi (Google) and Vijay observed that
>> KEM
>> is
>> > troublesome due to the lack of support by native crypto libraries.
>> > >
>> > > Point number 2 likely applies for some scenarios of JWE, especially if
>> we
>> > adopt the McGrew approach.  For example, if using HMAC-SHA1 and AES with
>> > a 256-bit key, the total key length is 788 bits, which is too long to be
>> encrypted
>> > with OAEP under a 1,024-bit RSA key.  I'm not sure how to resolve it.
>>  The
>> best
>> > idea I've got is to allow wrapped keys to nest, so that you can wrap a
>> key
>> inside
>> > of another wrapped key.
>> > >
>> > > --Richard
>> >
>> >
>> > >> ----------
>> > >> Sent: Tuesday, 19 March 2013 10:23 AM
>> > >> Subject: [jose] #14: Support longer wrapped keys than OAEP allows
>> > >>
>> > >> #14: Support longer wrapped keys than OAEP allows
>> > >>
>> > >>  The use of RSA-OAEP for key wrapping imposes a limit on the length
>> > >> of  the key package being wrapped. With SHA1, this length is N-320,
>> > >> where  N is the length of the RSA modulus.  Especially with larger
>> > >> hash  functions, and especially for wrapping private keys, the size
>> > >> of key  packages will be larger than this bound.  We should
>> > >> incorporate a  mechanism to accommodate these situations.
>> > >>
>> > >>
>> > >> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/14>
>>  > _______________________________________________
>> > jose mailing list
>> > jose@ietf.org
>> > https://www.ietf.org/mailman/listinfo/jose
>>
>>
>

v2.23.0 | Report a Bug | By Email