Re: [jose] Draft describing encrypting JWK key representations, with JWE

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 15 March 2013 19:45 UTC

From: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Fri, 15 Mar 2013 21:45:30 +0200
To: Jim Schaad <ietf@augustcellars.com>, "'Peck, Michael A'" <mpeck@mitre.org>, 'Richard Barnes' <rlb@ipv.sx>, 'Mike Jones' <Michael.Jones@microsoft.com>
Cc: cfrg@irtf.org, jose@ietf.org
Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE

no way to generate a strong key in JavaScript. So you also need a way to use a key directly. But I'm by no means a JOSE expert, they may have different assumptions. 

Thanks, Yaron 

Jim Schaad <ietf@augustcellars.com> wrote:

>Using PBKDF2 as a general key wrap mechanism seems to be a bad idea. Take the
>key and use it as a key wrap key for a randomly generated content encryption
>key.  Thus alg should be "AES128KW" rather than direct.
>
>Jim
>
>From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Peck, Michael A
>Sent: Friday, March 15, 2013 12:59 PM
>To: Richard Barnes; Mike Jones
>Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
>Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE
>
>+1
>
>NIST Special Publication 800-132 provides recommendations for the parameters
>that the group may find useful.
>
>http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
>
>It may also be worth thinking about using PBKDF2 instead of the "dir" (Direct
>Encryption with a Shared Symmetric Key) mechanism described in
>draft-ietf-jose-json-web-algorithms-08 section 4.6.  The shared symmetric key
>would be used as the PBKDF2 "password", and this would force a new key to be
>used for each encryption, rather than the current "dir" approach of using the
>same encryption key repeatedly.
>
>Mike
>
>From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
>Sent: Friday, March 15, 2013 12:53 PM
>To: Mike Jones
>Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
>Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE
>
>Do I count as an expert?  :)
>
>As I understand it, PBKDF2 is completely fine for key protection.  PBKDF2 has
>mechanisms to mitigate the dictionary attack risks, e.g., having a high number
>of iterations. We might want to make some recommendations as to how you set
>those parameters. And the actual key wrapping is done with something like
>AES-KW, so that step is fine.
>
>So I would be completely fine with adding this to JWE / JWA.  We should do
>this.
>
>--Richard
>
>On Fri, Mar 15, 2013 at 12:48 PM, Mike Jones <Michael.Jones@microsoft.com>
>wrote:
>
>That's up to the working group.  I'm actually hoping that experts on the lists
>will respond to Yaron's comments before we make a decision on whether PBKDF2 as
>specified is an appropriate key wrapping algorithm or not.
>
>Assuming that the content in Matt's draft eventually becomes an RFC or part of
>one, the PBKDF2 definition would end up in the algorithms registry either way,
>even if it's not part of the JWA spec itself.
>
>                                                            Cheers,
>
>                                                            -- Mike
>
>From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
>Sent: Friday, March 15, 2013 9:43 AM
>To: Mike Jones
>Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
>Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE
>
>So, Mike, would you be OK with adding PBE to JWE / JWA, as a new key wrapping
>algorithm?
>
>--Richard
>
>On Fri, Mar 15, 2013 at 12:14 PM, Mike Jones <Michael.Jones@microsoft.com>
>wrote:
>
>[Adding JOSE mailing list to the thread]
>
>For clarification, PBKDF2 is not the only algorithm that could be used to wrap
>keys in this scheme.  This draft *adds* PBKDF2 to the set of algorithms already
>specified for use with encryption in the JSON Web Algorithms (JWA) specification
>(http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08).  In
>particular, other algorithms such as AES Key Wrap and AES GCM are also present
>there.
>
>I'll let others who are experts in PBKDF2 and password-based encryption respond
>to Yaron's specific comment.
>
>                                -- Mike
>
>-----Original Message-----
>From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
>Sent: Friday, March 15, 2013 8:16 AM
>To: cfrg@irtf.org; Mike Jones
>Subject: Re: Draft describing encrypting JWK key representations, with JWE
>
>Hi Mike,
>
>I'm probably missing something, but I'm worried about the security of this
>scheme (though I do appreciate the usability/convenience of passwords).
>
>PBKDF2 is meant to make dictionary attacks on stored passwords harder, as a
>second-line defense, once the server has been breached. Using it to encrypt
>data and then sending the data on the wire makes the data vulnerable to this
>same dictionary attack (in this case the effort comes to the space of all
>possible passwords - say 1 million - times 1000).
>Moreover, this also puts the password itself in danger.
>
>Thanks,
>        Yaron
>
>>
>> ------------------------------
>>
>> Message: 5
>> Date: Fri, 15 Mar 2013 14:10:32 +0000
>> From: Mike Jones <Michael.Jones@microsoft.com>
>> To: "cfrg@irtf.org" <cfrg@irtf.org>
>> Subject: [Cfrg] Draft describing encrypting JWK key representations with JWE
>> Message-ID: <4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.redmond.corp.microsoft.com>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> http://tools.ietf.org/html/draft-miller-jose-jwe-protected-jwk-01
>>
>> This also adds password-based encryption to the algorithm registry.
>>
>>                                                              -- Mike
>>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.