Re: [jose] Draft describing encrypting JWK key representations, with JWE
"Peck, Michael A" <mpeck@mitre.org> Fri, 15 March 2013 17:55 UTC
Return-Path: <mpeck@mitre.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A28F921F8959 for <jose@ietfa.amsl.com>; Fri, 15 Mar 2013 10:55:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5PNL-Z4k6EJ for <jose@ietfa.amsl.com>; Fri, 15 Mar 2013 10:55:46 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 6566721F8910 for <jose@ietf.org>; Fri, 15 Mar 2013 10:55:46 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 0BEC31F03F4; Fri, 15 Mar 2013 13:55:46 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id EDE5C1F03F2; Fri, 15 Mar 2013 13:55:45 -0400 (EDT)
Received: from IMCMBX04.MITRE.ORG ([169.254.4.94]) by IMCCAS03.MITRE.ORG ([129.83.29.80]) with mapi id 14.02.0342.003; Fri, 15 Mar 2013 13:55:46 -0400
From: "Peck, Michael A" <mpeck@mitre.org>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: [jose] Draft describing encrypting JWK key representations, with JWE
Thread-Index: AQHOIaVNCf0r3dt6lkWnLIyRUNEE4ZinB6HA
Date: Fri, 15 Mar 2013 17:55:45 +0000
Message-ID: <8B4C063947CD794BB6FF90C78BAE9B321EFD5FBC@IMCMBX04.MITRE.ORG>
References: <mailman.4019.1363356696.3432.cfrg@irtf.org> <51433B12.1020703@gmail.com> <4E1F6AAD24975D4BA5B168042967394367526568@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgQ8=yKwArwvR228Z=xi0N3U6yvoOHt6M-3EuCD_HYkyww@mail.gmail.com> <4E1F6AAD24975D4BA5B168042967394367526789@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgRbh7EYLwp01t0yMMPHbhtVsQjY8379YF9_gRgGeO08eQ@mail.gmail.com> <8B4C063947CD794BB6FF90C78BAE9B321EFD5DFC@IMCMBX04.MITRE.ORG> <51435D7A.7050800@gmail.com>
In-Reply-To: <51435D7A.7050800@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [129.83.31.52]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 17:55:47 -0000
I'll try to clarify (and hopefully not dig a deeper hole). JWE currently provides a "dir" mechanism allowing a symmetric key previously agreed to out of band to be used for content encryption. All of the other JWE mechanisms use a fresh symmetric key for each encryption. My suggestion was that instead of directly using the pre-shared symmetric key to encrypt content, if JWE makes the PBKDF2 mechanism available the symmetric key could be used as the PBKDF2 "password", resulting in a fresh key generated for each content encryption. In this particular case the password input to PBKDF2 would hopefully be very random - I would think there would be no more risk than using the pre-shared key directly, rather less risk. General password considerations are a different matter. Passwords have lots of issues but if we're stuck with them we should at least advise how to do the best we can. Mike >-----Original Message----- >From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com] >Sent: Friday, March 15, 2013 1:42 PM >To: Peck, Michael A >Cc: Richard Barnes; Mike Jones; cfrg@irtf.org; jose@ietf.org >Subject: Re: [jose] Draft describing encrypting JWK key representations, with >JWE > >Hi Mike and Mike, > >The NIST SP is about using PBKDF2 for storage encryption (which I'm not >thrilled with, either). Not for sending the encrypted blob over the >wire, for an attacker to intercept and decrypt off-line. And if we read >the NIST document, let's adopt the whole thing - quoting from sec. A.1: >"Passwords shorter than 10 characters are usually considered to be >weak." Are we going to make this recommendation too? Well I guess not. > >*Please* do not mix passwords with cryptographic keys. If the WG goes >through the risk vs. benefit analysis and decides to have a >password-based mechanism, fine. But please leave the shared-key >mechanism as-is. It's important that readers of JOSE specs are very >clear about the difference between randomly generated keys and >user-memorable (or even -generated) passwords. > >Let's be clear: even a single use of a user-generated password for >on-the-wire encryption is risky. So-called key rotation of actual >cryptographic keys is a whole different matter. > >Thanks, > Yaron > > >On 03/15/2013 06:58 PM, Peck, Michael A wrote: >> +1 >> >> NIST Special Publication 800-132 provides recommendations for the >> parameters that the group may find useful. >> >> http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf >> >> It may also be worth thinking about using PBKDF2 instead of the "dir" >> (Direct Encryption with a Shared Symmetric Key) mechanism described in >> draft-ietf-jose-json-web-algorithms-08 section 4.6. The shared >> symmetric key would be used as the PBKDF2 "password", and this would >> force a new key to be used for each encryption, rather than the current >> "dir" approach of using the same encryption key repeatedly. >> >> Mike >> >> *From:*jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf >> Of *Richard Barnes >> *Sent:* Friday, March 15, 2013 12:53 PM >> *To:* Mike Jones >> *Cc:* Yaron Sheffer; cfrg@irtf.org; jose@ietf.org >> *Subject:* Re: [jose] Draft describing encrypting JWK key >> representations, with JWE >> >> Do I count as an expert? :) >> >> As I understand it, PBDKF2 is completely fine for key protection. >> PBKDF2 has mechanisms to mitigate the dictionary attack risks, e.g., >> having a high number of iterations. We might want to make some >> recommendations as to how you set those parameters. And the actual key >> wrapping is done with something like AES-KW, so that step is fine. >> >> So I would be completely fine with adding this to JWE / JWA. We should >> do this. >> >> --Richard >> >> On Fri, Mar 15, 2013 at 12:48 PM, Mike Jones >> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> >wrote: >> >> That's up to the working group. I'm actually hoping that experts on the >> lists will respond to Yaron's comments before we make a decision on >> whether PBKDF2 as specified is an appropriate key wrapping algorithm or >not. >> >> Assuming that the content in Matt's draft eventually becomes an RFC or >> part of one, the PBKDF2 definition would end up in the algorithms >> registry either way, even if it's not part of the JWA spec itself. >> >> Cheers, >> >> -- Mike >> >> *From:*jose-bounces@ietf.org <mailto:jose-bounces@ietf.org> >> [mailto:jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>] *On >Behalf >> Of *Richard Barnes >> *Sent:* Friday, March 15, 2013 9:43 AM >> *To:* Mike Jones >> *Cc:* Yaron Sheffer; cfrg@irtf.org <mailto:cfrg@irtf.org>; jose@ietf.org >> <mailto:jose@ietf.org> >> *Subject:* Re: [jose] Draft describing encrypting JWK key >> representations, with JWE >> >> So, Mike, would you be OK with adding PBE to JWE / JWA, as a new key >> wrapping algorithm? >> >> --Richard >> >> On Fri, Mar 15, 2013 at 12:14 PM, Mike Jones >> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> >wrote: >> >> [Adding JOSE mailing list to the thread] >> >> For clarification, PBKDF2 is not the only algorithm that could be used >> to wrap keys in this scheme. This draft *adds* PBKDF2 to the set of >> algorithms already specified for use with encryption in the JSON Web >> Algorithms (JWA) specification >> (http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08). In >> particular, other algorithms such as AES Key Wrap and AES GCM are also >> present there. >> >> I'll let others who are experts in PBKDF2 and password-based encryption >> respond to Yaron's specific comment. >> >> -- Mike >> >> -----Original Message----- >> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com >> <mailto:yaronf.ietf@gmail.com>] >> Sent: Friday, March 15, 2013 8:16 AM >> To: cfrg@irtf.org <mailto:cfrg@irtf.org>; Mike Jones >> Subject: Re: Draft describing encrypting JWK key representations, with JWE >> >> Hi Mike, >> >> I'm probably missing something, but I'm worried about the security of >> this scheme (though I do appreciate the usability/convenience of >passwords). >> >> PBKDF2 is meant to make dictionary attacks on stored passwords harder, >> as a second line defense, once the server has been breached. Using it to >> encrypt data and then sending the data on the wire, makes the data >> vulnerable to this same dictionary attack (in this case the effort comes >> to the space of all possible passwords - say 1 million - times 1000). >> Moreover, this also puts the password itself in danger. >> >> Thanks, >> Yaron >> >> > >> > ------------------------------ >> > >> > Message: 5 >> > Date: Fri, 15 Mar 2013 14:10:32 +0000 >> > From: Mike Jones <Michael.Jones@microsoft.com >> <mailto:Michael.Jones@microsoft.com>> >> > To: "cfrg@irtf.org <mailto:cfrg@irtf.org>" <cfrg@irtf.org >> <mailto:cfrg@irtf.org>> >> > Subject: [Cfrg] Draft describing encrypting JWK key representations >> > with JWE >> > Message-ID: >> > >> > ><4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.redmon >d.corp. >> ><mailto:4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.r >edmond.corp.%0b>> >> microsoft.com <http://microsoft.com>> >> > >> > Content-Type: text/plain; charset="us-ascii" >> > >> > http://tools.ietf.org/html/draft-miller-jose-jwe-protected-jwk-01 >> > >> > This also adds password-based encryption to the algorithm registry. >> > >> > -- Mike >> > >> > -------------- next part -------------- An HTML attachment was >> > scrubbed... >> > URL: >> > <http://www.irtf.org/mail- >archive/web/cfrg/attachments/20130315/02e36b >> > 24/attachment.htm> >> > >> > ------------------------------ >> > >> > _______________________________________________ >> > Cfrg mailing list >> > Cfrg@irtf.org <mailto:Cfrg@irtf.org> >> > http://www.irtf.org/mailman/listinfo/cfrg >> > >> > >> > End of Cfrg Digest, Vol 95, Issue 3 >> > *********************************** >> > >> _______________________________________________ >> jose mailing list >> jose@ietf.org <mailto:jose@ietf.org> >> https://www.ietf.org/mailman/listinfo/jose >>
- Re: [jose] Draft describing encrypting JWK key re… Mike Jones
- Re: [jose] Draft describing encrypting JWK key re… Richard Barnes
- Re: [jose] Draft describing encrypting JWK key re… Mike Jones
- Re: [jose] Draft describing encrypting JWK key re… Richard Barnes
- Re: [jose] Draft describing encrypting JWK key re… Peck, Michael A
- Re: [jose] Draft describing encrypting JWK key re… Mike Jones
- Re: [jose] Draft describing encrypting JWK key re… Peck, Michael A
- Re: [jose] Draft describing encrypting JWK key re… Yaron Sheffer
- Re: [jose] Draft describing encrypting JWK key re… Yaron Sheffer
- Re: [jose] Draft describing encrypting JWK key re… Jim Schaad
- Re: [jose] Draft describing encrypting JWK key re… Matt Miller (mamille2)
- Re: [jose] Draft describing encrypting JWK key re… Yaron Sheffer
- Re: [jose] Draft describing encrypting JWK key re… Yaron Sheffer
- Re: [jose] Draft describing encrypting JWK key re… Ryan Sleevi
- Re: [jose] Draft describing encrypting JWK key re… Yaron Sheffer