IETF Logo Mail Archive

Re: [jose] Draft describing encrypting JWK key representations, with JWE

"Peck, Michael A" <mpeck@mitre.org> Fri, 15 March 2013 17:55 UTC

Return-Path: <mpeck@mitre.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A28F921F8959 for <jose@ietfa.amsl.com>; Fri, 15 Mar 2013 10:55:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5PNL-Z4k6EJ for <jose@ietfa.amsl.com>; Fri, 15 Mar 2013 10:55:46 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 6566721F8910 for <jose@ietf.org>; Fri, 15 Mar 2013 10:55:46 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 0BEC31F03F4; Fri, 15 Mar 2013 13:55:46 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id EDE5C1F03F2; Fri, 15 Mar 2013 13:55:45 -0400 (EDT)
Received: from IMCMBX04.MITRE.ORG ([169.254.4.94]) by IMCCAS03.MITRE.ORG ([129.83.29.80]) with mapi id 14.02.0342.003; Fri, 15 Mar 2013 13:55:46 -0400
From: "Peck, Michael A" <mpeck@mitre.org>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: [jose] Draft describing encrypting JWK key representations, with JWE
Thread-Index: AQHOIaVNCf0r3dt6lkWnLIyRUNEE4ZinB6HA
Date: Fri, 15 Mar 2013 17:55:45 +0000
Message-ID: <8B4C063947CD794BB6FF90C78BAE9B321EFD5FBC@IMCMBX04.MITRE.ORG>
References: <mailman.4019.1363356696.3432.cfrg@irtf.org> <51433B12.1020703@gmail.com> <4E1F6AAD24975D4BA5B168042967394367526568@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgQ8=yKwArwvR228Z=xi0N3U6yvoOHt6M-3EuCD_HYkyww@mail.gmail.com> <4E1F6AAD24975D4BA5B168042967394367526789@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgRbh7EYLwp01t0yMMPHbhtVsQjY8379YF9_gRgGeO08eQ@mail.gmail.com> <8B4C063947CD794BB6FF90C78BAE9B321EFD5DFC@IMCMBX04.MITRE.ORG> <51435D7A.7050800@gmail.com>
In-Reply-To: <51435D7A.7050800@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [129.83.31.52]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 17:55:47 -0000

I'll try to clarify (and hopefully not dig a deeper hole).

JWE currently provides a "dir" mechanism allowing a symmetric key previously agreed to out of band to be used for content encryption.
All of the other JWE mechanisms use a fresh symmetric key for each encryption.

My suggestion was that instead of directly using the pre-shared symmetric key to encrypt content, if JWE makes the PBKDF2 mechanism available the symmetric key could be used as the PBKDF2 "password", resulting in a fresh key generated for each content encryption.  In this particular case the password input to PBKDF2 would hopefully be very random - I would think there would be no more risk than using the pre-shared key directly, rather less risk.

General password considerations are a different matter.  Passwords have lots of issues but if we're stuck with them we should at least advise how to do the best we can.

Mike

>-----Original Message-----
>From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
>Sent: Friday, March 15, 2013 1:42 PM
>To: Peck, Michael A
>Cc: Richard Barnes; Mike Jones; cfrg@irtf.org; jose@ietf.org
>Subject: Re: [jose] Draft describing encrypting JWK key representations, with
>JWE
>
>Hi Mike and Mike,
>
>The NIST SP is about using PBKDF2 for storage encryption (which I'm not
>thrilled with, either). Not for sending the encrypted blob over the
>wire, for an attacker to intercept and decrypt off-line. And if we read
>the NIST document, let's adopt the whole thing - quoting from sec. A.1:
>"Passwords shorter than 10 characters are usually considered to be
>weak." Are we going to make this recommendation too? Well I guess not.
>
>*Please* do not mix passwords with cryptographic keys. If the WG goes
>through the risk vs. benefit analysis and decides to have a
>password-based mechanism, fine. But please leave the shared-key
>mechanism as-is. It's important that readers of JOSE specs are very
>clear about the difference between randomly generated keys and
>user-memorable (or even -generated) passwords.
>
>Let's be clear: even a single use of a user-generated password for
>on-the-wire encryption is risky. So-called key rotation of actual
>cryptographic keys is a whole different matter.
>
>Thanks,
>	Yaron
>
>
>On 03/15/2013 06:58 PM, Peck, Michael A wrote:
>> +1
>>
>> NIST Special Publication 800-132 provides recommendations for the
>> parameters that the group may find useful.
>>
>> http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
>>
>> It may also be worth thinking about using PBKDF2 instead of the "dir"
>> (Direct Encryption with a Shared Symmetric Key) mechanism described in
>> draft-ietf-jose-json-web-algorithms-08 section 4.6.  The shared
>> symmetric key would be used as the PBKDF2 "password", and this would
>> force a new key to be used for each encryption, rather than the current
>> "dir" approach of using the same encryption key repeatedly.
>>
>> Mike
>>
>> *From:*jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf
>> Of *Richard Barnes
>> *Sent:* Friday, March 15, 2013 12:53 PM
>> *To:* Mike Jones
>> *Cc:* Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
>> *Subject:* Re: [jose] Draft describing encrypting JWK key
>> representations, with JWE
>>
>> Do I count as an expert?  :)
>>
>> As I understand it, PBDKF2 is completely fine for key protection.
>>   PBKDF2 has mechanisms to mitigate the dictionary attack risks, e.g.,
>> having a high number of iterations. We might want to make some
>> recommendations as to how you set those parameters. And the actual key
>> wrapping is done with something like AES-KW, so that step is fine.
>>
>> So I would be completely fine with adding this to JWE / JWA.  We should
>> do this.
>>
>> --Richard
>>
>> On Fri, Mar 15, 2013 at 12:48 PM, Mike Jones
>> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>
>wrote:
>>
>> That's up to the working group.  I'm actually hoping that experts on the
>> lists will respond to Yaron's comments before we make a decision on
>> whether PBKDF2 as specified is an appropriate key wrapping algorithm or
>not.
>>
>> Assuming that the content in Matt's draft eventually becomes an RFC or
>> part of one, the PBKDF2 definition would end up in the algorithms
>> registry either way, even if it's not part of the JWA spec itself.
>>
>>                                                              Cheers,
>>
>>                                                              -- Mike
>>
>> *From:*jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>
>> [mailto:jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>] *On
>Behalf
>> Of *Richard Barnes
>> *Sent:* Friday, March 15, 2013 9:43 AM
>> *To:* Mike Jones
>> *Cc:* Yaron Sheffer; cfrg@irtf.org <mailto:cfrg@irtf.org>; jose@ietf.org
>> <mailto:jose@ietf.org>
>> *Subject:* Re: [jose] Draft describing encrypting JWK key
>> representations, with JWE
>>
>> So, Mike, would you be OK with adding PBE to JWE / JWA, as a new key
>> wrapping algorithm?
>>
>> --Richard
>>
>> On Fri, Mar 15, 2013 at 12:14 PM, Mike Jones
>> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>
>wrote:
>>
>> [Adding JOSE mailing list to the thread]
>>
>> For clarification, PBKDF2 is not the only algorithm that could be used
>> to wrap keys in this scheme.  This draft *adds* PBKDF2 to the set of
>> algorithms already specified for use with encryption in the JSON Web
>> Algorithms (JWA) specification
>> (http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08).  In
>> particular, other algorithms such as AES Key Wrap and AES GCM are also
>> present there.
>>
>> I'll let others who are experts in PBKDF2 and password-based encryption
>> respond to Yaron's specific comment.
>>
>>                                  -- Mike
>>
>> -----Original Message-----
>> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com
>> <mailto:yaronf.ietf@gmail.com>]
>> Sent: Friday, March 15, 2013 8:16 AM
>> To: cfrg@irtf.org <mailto:cfrg@irtf.org>; Mike Jones
>> Subject: Re: Draft describing encrypting JWK key representations, with JWE
>>
>> Hi Mike,
>>
>> I'm probably missing something, but I'm worried about the security of
>> this scheme (though I do appreciate the usability/convenience of
>passwords).
>>
>> PBKDF2 is meant to make dictionary attacks on stored passwords harder,
>> as a second line defense, once the server has been breached. Using it to
>> encrypt data and then sending the data on the wire, makes the data
>> vulnerable to this same dictionary attack (in this case the effort comes
>> to the space of all possible passwords - say 1 million - times 1000).
>> Moreover, this also puts the password itself in danger.
>>
>> Thanks,
>>          Yaron
>>
>>  >
>>  > ------------------------------
>>  >
>>  > Message: 5
>>  > Date: Fri, 15 Mar 2013 14:10:32 +0000
>>  > From: Mike Jones <Michael.Jones@microsoft.com
>> <mailto:Michael.Jones@microsoft.com>>
>>  > To: "cfrg@irtf.org <mailto:cfrg@irtf.org>" <cfrg@irtf.org
>> <mailto:cfrg@irtf.org>>
>>  > Subject: [Cfrg] Draft describing encrypting JWK key representations
>>  >       with JWE
>>  > Message-ID:
>>  >
>>  >
><4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.redmon
>d.corp.
>>
><mailto:4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.r
>edmond.corp.%0b>>
>> microsoft.com <http://microsoft.com>>
>>  >
>>  > Content-Type: text/plain; charset="us-ascii"
>>  >
>>  > http://tools.ietf.org/html/draft-miller-jose-jwe-protected-jwk-01
>>  >
>>  > This also adds password-based encryption to the algorithm registry.
>>  >
>>  >                                                              -- Mike
>>  >
>>  > -------------- next part -------------- An HTML attachment was
>>  > scrubbed...
>>  > URL:
>>  > <http://www.irtf.org/mail-
>archive/web/cfrg/attachments/20130315/02e36b
>>  > 24/attachment.htm>
>>  >
>>  > ------------------------------
>>  >
>>  > _______________________________________________
>>  > Cfrg mailing list
>>  > Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>>  > http://www.irtf.org/mailman/listinfo/cfrg
>>  >
>>  >
>>  > End of Cfrg Digest, Vol 95, Issue 3
>>  > ***********************************
>>  >
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org <mailto:jose@ietf.org>
>> https://www.ietf.org/mailman/listinfo/jose
>>

v2.23.0 | Report a Bug | By Email