Re: [jose] Draft describing encrypting JWK key representations, with JWE
Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 15 March 2013 19:45 UTC
no way to generate a strong key in JavaScript. So you also need a way to use a key directly. But I'm by no means a JOSE expert, they may have different assumptions.

Thanks,
    Yaron

Jim Schaad <ietf@augustcellars.com> wrote:

>Use PBKDF2 as a general key wrap mechanism seems to be a bad idea. Take the
>key and use it as a key wrap key for randomly generated content encryption
>key. Thus alg should be "AES128KW" rather than direct.
>
>Jim
>
>
>From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Peck, Michael A
>Sent: Friday, March 15, 2013 12:59 PM
>To: Richard Barnes; Mike Jones
>Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
>Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE
>
>+1
>
>NIST Special Publication 800-132 provides recommendations for the parameters
>that the group may find useful.
>
>http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
>
>It may also be worth thinking about using PBKDF2 instead of the "dir"
>(Direct Encryption with a Shared Symmetric Key) mechanism described in
>draft-ietf-jose-json-web-algorithms-08 section 4.6. The shared symmetric
>key would be used as the PBKDF2 "password", and this would force a new key
>to be used for each encryption, rather than the current "dir" approach of
>using the same encryption key repeatedly.
>
>Mike
>
>
>From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
>Sent: Friday, March 15, 2013 12:53 PM
>To: Mike Jones
>Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
>Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE
>
>Do I count as an expert? :)
>
>As I understand it, PBKDF2 is completely fine for key protection. PBKDF2
>has mechanisms to mitigate the dictionary attack risks, e.g., having a high
>number of iterations. We might want to make some recommendations as to how
>you set those parameters. And the actual key wrapping is done with something
>like AES-KW, so that step is fine.
>
>So I would be completely fine with adding this to JWE / JWA. We should do
>this.
>
>--Richard
>
>
>On Fri, Mar 15, 2013 at 12:48 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>That's up to the working group. I'm actually hoping that experts on the
>lists will respond to Yaron's comments before we make a decision on whether
>PBKDF2 as specified is an appropriate key wrapping algorithm or not.
>
>Assuming that the content in Matt's draft eventually becomes an RFC or part
>of one, the PBKDF2 definition would end up in the algorithms registry either
>way, even if it's not part of the JWA spec itself.
>
>    Cheers,
>    -- Mike
>
>From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
>Sent: Friday, March 15, 2013 9:43 AM
>To: Mike Jones
>Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
>Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE
>
>So, Mike, would you be OK with adding PBE to JWE / JWA, as a new key
>wrapping algorithm?
>
>--Richard
>
>
>On Fri, Mar 15, 2013 at 12:14 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
>[Adding JOSE mailing list to the thread]
>
>For clarification, PBKDF2 is not the only algorithm that could be used to
>wrap keys in this scheme. This draft *adds* PBKDF2 to the set of algorithms
>already specified for use with encryption in the JSON Web Algorithms (JWA)
>specification
>(http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08). In
>particular, other algorithms such as AES Key Wrap and AES GCM are also
>present there.
>
>I'll let others who are experts in PBKDF2 and password-based encryption
>respond to Yaron's specific comment.
>
>    -- Mike
>
>-----Original Message-----
>From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
>Sent: Friday, March 15, 2013 8:16 AM
>To: cfrg@irtf.org; Mike Jones
>Subject: Re: Draft describing encrypting JWK key representations, with JWE
>
>Hi Mike,
>
>I'm probably missing something, but I'm worried about the security of this
>scheme (though I do appreciate the usability/convenience of passwords).
>
>PBKDF2 is meant to make dictionary attacks on stored passwords harder, as a
>second line defense, once the server has been breached. Using it to encrypt
>data and then sending the data on the wire, makes the data vulnerable to
>this same dictionary attack (in this case the effort comes to the space of
>all possible passwords - say 1 million - times 1000).
>Moreover, this also puts the password itself in danger.
>
>Thanks,
>    Yaron
>
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Fri, 15 Mar 2013 14:10:32 +0000
>> From: Mike Jones <Michael.Jones@microsoft.com>
>> To: "cfrg@irtf.org" <cfrg@irtf.org>
>> Subject: [Cfrg] Draft describing encrypting JWK key representations
>>     with JWE
>> Message-ID:
>>     <4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.redmond.corp.microsoft.com>
>>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> http://tools.ietf.org/html/draft-miller-jose-jwe-protected-jwk-01
>>
>> This also adds password-based encryption to the algorithm registry.
>>
>> -- Mike
>>
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: <http://www.irtf.org/mail-archive/web/cfrg/attachments/20130315/02e36b24/attachment.htm>
>>
>> ------------------------------
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>> End of Cfrg Digest, Vol 95, Issue 3
>> ***********************************
>>
>_______________________________________________
>jose mailing list
>jose@ietf.org
>https://www.ietf.org/mailman/listinfo/jose

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
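
An added illustration, not part of the original thread or of any draft cited in it, of two points raised above: Michael Peck's suggestion to run a shared symmetric key through PBKDF2 with a fresh salt so that each encryption uses a new key, and Yaron Sheffer's estimate that offline guessing costs the password space times the iteration count. The function names, the 16-byte salt and the HMAC-SHA-256 PRF are assumptions made for the example.

```python
import hashlib
import math
import os

PRF = "sha256"   # assumption: HMAC-SHA-256 as the PBKDF2 PRF
SALT_LEN = 16    # assumption: 128-bit random salt per message


def derive_key(secret: bytes, salt: bytes, iterations: int, length: int = 16) -> bytes:
    """PBKDF2 over a password or shared key; sender and receiver both run this."""
    return hashlib.pbkdf2_hmac(PRF, secret, salt, iterations, dklen=length)


def sender_new_key(secret: bytes, iterations: int):
    """Draw a fresh salt per encryption so each message gets its own key.
    The salt and iteration count travel in the clear with the message."""
    salt = os.urandom(SALT_LEN)
    return salt, derive_key(secret, salt, iterations)


def guessing_work_bits(candidates: int, iterations: int) -> float:
    """log2 of the PRF calls needed to try every candidate secret once
    against one captured message (candidates x iterations)."""
    return math.log2(candidates) + math.log2(iterations)


def iteration_bits_for_target(candidates: int, target_bits: float) -> float:
    """log2 of the iteration count needed to reach target_bits of work."""
    return max(0.0, target_bits - math.log2(candidates))


if __name__ == "__main__":
    shared = os.urandom(16)                  # constructed 128-bit shared key
    salt1, k1 = sender_new_key(shared, 1)
    salt2, k2 = sender_new_key(shared, 1)
    print("distinct per-message keys:", k1 != k2)
    print("receiver re-derives the key:", derive_key(shared, salt1, 1) == k1)
    # Figures from the thread: about 1 million passwords, 1000 iterations.
    print("password, 1000 iterations: %.1f bits" % guessing_work_bits(10**6, 1000))
    print("random 128-bit key, 1 iteration: %.1f bits" % guessing_work_bits(2**128, 1))
    print("log2(iterations) for 80 bits from 10^6 passwords: %.1f"
          % iteration_bits_for_target(10**6, 80))
```

The iteration count contributes only log2(iterations) bits of work, about 10 bits for 1000 iterations, so it cannot make up for a small password space, while a randomly generated key already carries its full length in bits.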