IETF Logo Mail Archive

Re: [jose] Use of AES-HMAC algorithm

Mike Jones <Michael.Jones@microsoft.com> Thu, 28 March 2013 00:39 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2A8F21F938F for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 17:39:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Z2Fc9WUfY8w for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 17:39:13 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0208.outbound.protection.outlook.com [207.46.163.208]) by ietfa.amsl.com (Postfix) with ESMTP id DD8E521F938E for <jose@ietf.org>; Wed, 27 Mar 2013 17:39:12 -0700 (PDT)
Received: from BL2FFO11FD022.protection.gbl (10.1.15.202) by BY2FFO11HUB030.protection.gbl (10.1.14.115) with Microsoft SMTP Server (TLS) id 15.0.651.3; Thu, 28 Mar 2013 00:39:09 +0000
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD022.mail.protection.outlook.com (10.173.161.101) with Microsoft SMTP Server (TLS) id 15.0.651.3 via Frontend Transport; Thu, 28 Mar 2013 00:39:10 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.224]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.02.0318.003; Thu, 28 Mar 2013 00:39:01 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Dick Hardt <dick.hardt@gmail.com>
Thread-Topic: [jose] Use of AES-HMAC algorithm
Thread-Index: Ac4nS9Dlxfl1UeEXRp6aXJeHoQZF0QD+cy9AAAFxb4AAAAnDEA==
Date: Thu, 28 Mar 2013 00:39:01 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394367590D06@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <006801ce2b39$52595700$f70c0500$@augustcellars.com> <4E1F6AAD24975D4BA5B168042967394367590C2F@TK5EX14MBXC283.redmond.corp.microsoft.com> <1D2E2774-4A20-43AE-A2D6-30FF797DAAAF@gmail.com>
In-Reply-To: <1D2E2774-4A20-43AE-A2D6-30FF797DAAAF@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.78]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464002)(24454001)(199002)(189002)(377454001)(50986001)(47976001)(81342001)(66066001)(51856001)(47446002)(63696002)(47736001)(49866001)(46102001)(69226001)(20776003)(47776003)(54316002)(50466001)(74502001)(4396001)(65816001)(46406002)(44976002)(53806001)(59766001)(54356001)(76482001)(31966008)(56816002)(77982001)(5343635001)(55846006)(56776001)(74662001)(33656001)(15202345001)(5343655001)(80022001)(561944001)(79102001)(16406001)(23726001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB030; H:TK5EX14HUBC101.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0799B1B2D7
Cc: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Use of AES-HMAC algorithm
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2013 00:39:13 -0000

I think the reason the working group is thinking about this algorithm is a combination of three things:

1.  Using the KDF could lead to interoperability problems.  Some early implementations have gotten this wrong.

2.  Apparently we're not using the Concat KDF for an approved use, as "approved" is defined by the NIST specs.  If we stop using it, this criticism would go away.

3.  Some have pushed back on us "inventing a new cryptographic algorithm".  While I believe that the composition of two establish algorithms - AES-CBC and HMAC SHA-2 is easily defensible, with David McGrew being the co-chair of the Crypto Forum Research Group (CFRG) - the group that IETF people go to when wanting to validate the use of crypto algorithms - if his algorithm is approved, using it would likely be considered to be above reproach, in terms of getting JWE through the IETF approval processes.

So it's really "spec approval" reasons - not security reasons that the change is being considered.

				-- Mike

P.S.  For what it's worth, you could distinguish the two algorithms by the key sizes if you wanted to run both algorithms side-by-side for a while.
 
-----Original Message-----
From: Dick Hardt [mailto:dick.hardt@gmail.com] 
Sent: Wednesday, March 27, 2013 5:30 PM
To: Mike Jones
Cc: Jim Schaad; jose@ietf.org
Subject: Re: [jose] Use of AES-HMAC algorithm


On Mar 27, 2013, at 5:21 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Per your point 1, I don't think anyone was advocating doubling the key size.  The proposal in John's slides for issue #3 (http://trac.tools.ietf.org/wg/jose/trac/ticket/3) was to use a CMK that is the concatenation of the AES-CBC and HMAC-SHA-2 keys, as draft-mcgrew-aead-aes-hmac-sha2 does.  For instance, when using A128CBC with HS256, the key size would be 384 bits and when using A256CBC with HS512, the key size would be 768 bits.  This would multiply the current key sizes by 1.5, with the compensating benefit being the elimination of the use of the KDF.

Was this because people thought KDF was hard? I managed to implement it in JavaScript, can't be that hard! ;-) ... or was there a security reason?

This is a breaking change to my implementation. 

FWIW: I cache the results of the KDF so that I only incur the calculation the first time I see a key.

v2.23.0 | Report a Bug | By Email