[jose] WebCrypto feedback on key wrapping
Richard Barnes <rlb@ipv.sx> Mon, 18 March 2013 23:25 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA0D721F84C1 for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 16:25:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.024
X-Spam-Level:
X-Spam-Status: No, score=-1.024 tagged_above=-999 required=5 tests=[AWL=-0.599, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dUa88ehiaAb7 for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 16:25:20 -0700 (PDT)
Received: from mail-ob0-x233.google.com (mail-ob0-x233.google.com [IPv6:2607:f8b0:4003:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id 3851021F84B9 for <jose@ietf.org>; Mon, 18 Mar 2013 16:25:20 -0700 (PDT)
Received: by mail-ob0-f179.google.com with SMTP id un3so5926763obb.38 for <jose@ietf.org>; Mon, 18 Mar 2013 16:25:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:date:message-id:subject :from:to:content-type:x-gm-message-state; bh=2lrGS2moO9MxH55buVklKRCQchokSpgKlhYInnTDDhA=; b=lVjYdBvYP9vjfGSP/ijmEhhA+HbCTMFEUzutAoWxMMATe17k8Y3fqm8USGTRPgdWKi OjBCkzbP24vKuINeXg8a8YBtGTbGxs7oP9Rg09x9oEYaGSdCYzlUEwJT0ddN0Ohk5uSd w52gg9gxIKM+Ghoq4tapgAcIp4nk6AtejjfBoj/C/Mf69H+AlejJn5bEn9yuC5r3T0vJ sSb4BZzrE96LynhGvnlP0eXUmNjm6Yanf4gcbftXvHk7djmkm9b9qaa1NoKNln1AYdcR 46/5+qYQS8yN/IzXqiDYJ/AI0vC4xtSkc0S4WmH6UG82uxaVDM3a0gZRV7FJBEv4FwqG nx1Q==
MIME-Version: 1.0
X-Received: by 10.60.172.80 with SMTP id ba16mr7723205oec.116.1363649119746; Mon, 18 Mar 2013 16:25:19 -0700 (PDT)
Received: by 10.60.40.233 with HTTP; Mon, 18 Mar 2013 16:25:19 -0700 (PDT)
X-Originating-IP: [192.1.51.16]
Date: Mon, 18 Mar 2013 19:25:19 -0400
Message-ID: <CAL02cgQQ4YejJOS_BHJWDYwy4SChQ4XfinTG+6px4=JN1=UCBQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: jose@ietf.org
Content-Type: multipart/alternative; boundary="bcaec5523bb661db3404d83b4d4e"
X-Gm-Message-State: ALoCoQm3DcB88vueV+4aWOUFimeQa8lamGzn8t0rya2tuLpHRerj395Ph+PhTFG8yWedmelpZja9
Subject: [jose] WebCrypto feedback on key wrapping
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2013 23:25:21 -0000
On today's call with the W3C WebCrypto working group, I reported on the
discussion of JOSE key wrapping at the last IETF. I was asked to relay a
few bits of feedback:
1. Vijay Bharadwaj (Microsoft) observed that AES key wrap has fallen out of
favor with some parts of the cryptographic community. People prefer to be
able to use AEAD algorithms for key wrapping, since they are perceived to
be faster and offer a higher level of security than AES-KW. He gave the
example that IEEE 802.1 uses AES CCM.
2. Mark Watson (Netflix) noted that if we use RSA directly to encrypt
wrapped key objects, then we would need something other than OAEP in order
to carry arbitrary-length payloads. I agreed, and suggested that something
like RSA-KEM would be necessary. Ryan Sleevi (Google) and Vijay observed
that KEM is troublesome due to the lack of support by native crypto
libraries.
It seems to me that these comments have impacts on JWE and JWS (pending
ISSUE-2), as well as the wrapping discussion. The former has more impact
than the latter.
Point number 1 implies that we should offer AEAD for key wrapping in JWE as
well as for wrapped keys. It seems to me that the simplest approach to
this would be to make the "alg" field contain an object that is
semantically equivalent to an AlgorithmIdentifier in CMS/PKCS8. For
example, { name: "A128GCM", iv: "PCIGJe0DjunuM7s0" }. This syntax,
incidentally, is roughly the same form that algorithm identifiers have in
the WebCrypto API. Note that this type of key wrapping is supported in CMS
by the use of an AEAD AlgorithmIdentifier in the KEKRecipientInfo
structure.
Point number 2 likely applies for some scenarios of JWE, especially if we
adopt the McGrew approach. For example, if using HMAC-SHA1 and AES with a
256-bit key, the total key length is 788 bits, which is too long to be
encrypted with OAEP under a 1,024-bit RSA key. I'm not sure how to resolve
it. The best idea I've got is to allow wrapped keys to nest, so that you
can wrap a key inside of another wrapped key.
I will try to take these points into account in my forthcoming key wrapping
draft, and I've filed two issues against JWE to track them.
--Richard
- [jose] WebCrypto feedback on key wrapping Richard Barnes
- Re: [jose] WebCrypto feedback on key wrapping Mike Jones
- Re: [jose] WebCrypto feedback on key wrapping Jim Schaad
- Re: [jose] WebCrypto feedback on key wrapping Richard Barnes
- Re: [jose] WebCrypto feedback on key wrapping Mike Jones
- Re: [jose] WebCrypto feedback on key wrapping Richard Barnes
- Re: [jose] WebCrypto feedback on key wrapping Mark Watson
- Re: [jose] WebCrypto feedback on key wrapping Mike Jones
- Re: [jose] WebCrypto feedback on key wrapping Vijay Bharadwaj
- Re: [jose] WebCrypto feedback on key wrapping Mark Watson