IETF Logo Mail Archive

Re: [jose] Support for Wrapped Keys?

Mike Jones <Michael.Jones@microsoft.com> Wed, 31 October 2012 15:17 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F77D21F8857 for <jose@ietfa.amsl.com>; Wed, 31 Oct 2012 08:17:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8kVFZo01pvdS for <jose@ietfa.amsl.com>; Wed, 31 Oct 2012 08:17:02 -0700 (PDT)
Received: from NA01-BY2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.26]) by ietfa.amsl.com (Postfix) with ESMTP id 76DF121F8829 for <jose@ietf.org>; Wed, 31 Oct 2012 08:17:02 -0700 (PDT)
Received: from BL2FFO11FD010.protection.gbl (10.173.161.202) by BL2FFO11HUB010.protection.gbl (10.173.161.112) with Microsoft SMTP Server (TLS) id 15.0.545.8; Wed, 31 Oct 2012 15:16:59 +0000
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD010.mail.protection.outlook.com (10.173.161.16) with Microsoft SMTP Server (TLS) id 15.0.545.8 via Frontend Transport; Wed, 31 Oct 2012 15:16:58 +0000
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.15]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.02.0318.003; Wed, 31 Oct 2012 15:16:39 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
Thread-Topic: [jose] Support for Wrapped Keys?
Thread-Index: AQHNsixtFQh89Wn5MUGS4dRC2YkxtZfI+/JAgAlQRoCAAUQEoA==
Date: Wed, 31 Oct 2012 15:16:39 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366884C37@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <BF7E36B9C495A6468E8EC573603ED94115074062@xmb-aln-x11.cisco.com> <4E1F6AAD24975D4BA5B16804296739436687BED7@TK5EX14MBXC285.redmond.corp.microsoft.com> <BF7E36B9C495A6468E8EC573603ED94115076C03@xmb-aln-x11.cisco.com>
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED94115076C03@xmb-aln-x11.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.35]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464001)(54094002)(377454001)(52314002)(24454001)(51704002)(47976001)(50986001)(53806001)(47736001)(50466001)(47776002)(44976002)(74502001)(54356001)(49866001)(5343635001)(16406001)(48376001)(5343655001)(4396001)(54316001)(51856001)(33656001)(74662001)(46102001)(550184003)(31966008)(47446002); DIR:OUT; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 06515DA04B
Cc: "<jose@ietf.org>" <jose@ietf.org>
Subject: Re: [jose] Support for Wrapped Keys?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2012 15:17:03 -0000

I believe that this is an important discussion.  I'd be interested to hear other's opinions about direct key encryption.  For instance, while the working group decided that all plaintext encryption algorithms we used would also provide integrity, does the working group believe that integrity is necessary in Matt's case as well?

				-- Mike

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Matt Miller (mamille2)
Sent: Tuesday, October 30, 2012 7:54 AM
To: Mike Jones
Cc: <jose@ietf.org>
Subject: Re: [jose] Support for Wrapped Keys?


On Oct 24, 2012, at 4:03 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Per our discussions, there's an approach we could discuss that's very close to what you're already doing.  JWE already has a way to encrypt a key.  This key is then currently always used to encrypt the plaintext.
> 
> One obvious solution then appears to be to have no plaintext and only perform the first of the two steps - create a JWE Encrypted Key value, leaving the JWE Initialization Vector, JWE Ciphertext, and JWE Integrity value fields empty.
> 

That would work, but I wonder if this complicates implementation interfaces too much.

Here's what I mean:  As far as I can tell, there's no real need for a user of a JWE implementation to actually know about the CMK.  For encryption, the implementation could generate it using a suitable RNG based on the (header) parameters, and encode it with the one key provided by the user.  For decryption, it uses parameters from the header and some determination of the "alg" key (passed in, from a keystore, etc etc), decrypts the CMK with that key, then decrypts the ciphertext with the CMK.

In this instance, decryption requires at a bare minimum multiple outputs: plaintext plus the CMK.  It might be nice for an implementation to provide the rest (header, integrity), but these are easily obtained from the input data in the first place.

Personally, I think it would be ideal if there were a way to say "use this asymmetric key to encrypt the plaintext, but don't worry about a CMK."

I think what we had talked about in Vancouver was effectively to use an "alg" of "dir" and an "enc" of "RSA-OAEP", which I'm sure has its own set of objections (aside from currently being disallowed).

> The objection that I'm sure people would raise to this obvious solution is that then the contents of the header and encrypted key are not integrity protected.  One potential solution to this would be to use an "enc" algorithm that only provides integrity but performs no encryption.
> 
> The most simple such solution would be to use a cryptographic hash function such as SHA-256 to compute an integrity value over the other fields.  You could look at this as a degenerate AEAD algorithm, accepting an "additional authenticated data" input and producing an "authentication tag" output, but with no plaintext input or ciphertext output.
> 
> That would give you an integrity-protected encrypted key, doing the key encryption in the same way that the JWE "alg" values already do.
> 

Personally, I don't really care if there is integrity protection here.  I'm probably alone (with Richard) on this one, though.

> Anyway, hopefully the above will at least seed a productive discussion of the possibilities.  I do completely understand the value of Matt's use case and want us to think about how to best solve it.
> 


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

> 				-- Mike
> 
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Matt Miller (mamille2)
> Sent: Wednesday, October 24, 2012 2:14 PM
> To: <jose@ietf.org>
> Subject: [jose] Support for Wrapped Keys?
> 
> This is a topic that has been discussed some off-list between myself, Mike Jones, John Bradley, and Nat Sakimura.
> 
> For XMPP E2E, there is a need to disseminate a "session" master (symmetric) key between the sender and recipients as a wrapped key.  To date, this is done in a very custom manner by encrypting the session key with the recipient's public key, and packaging as a partial (read: broken) JWE value.
> 
> Ideally, I would like a nice way of handling wrapped keys in JWE.  The more standardized alternatives I can see are:
> 
> * Follow JWE, using the session key for both the content key and the content plaintext (feels very awkward)
> * Follow JWE, generating yet-another-CMK and using the session key as the content plaintext (feels very wasteful)
> 
> Does anyone else think this is worth supporting?
> 
> 
> - m&m
> 
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
> 
> PS: JSMS supports wrapped keys, as does CMS.
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email