Re: [jose] Platform Support for JWA Crypto Algorithms

Mike Jones <Michael.Jones@microsoft.com> Mon, 29 October 2012 16:25 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "Axel.Nennker@telekom.de" <Axel.Nennker@telekom.de>, "jose@ietf.org" <jose@ietf.org>
Date: Mon, 29 Oct 2012 16:25:12 +0000
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Subject: Re: [jose] Platform Support for JWA Crypto Algorithms

No, Concat often isn't natively supported, but it's very easy to implement given implementations of SHA-256 and SHA-512, as shown in http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06#appendix-A.4 and http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06#appendix-A.5.

When the table was discussed at the WebCrypto F2F, it was pointed out that a shortcoming of the current table is that it doesn't indicate which of the "NO" values are effectively show-stoppers and which are easy to build implementations of, and so not a problem in practice.  As shown in the appendices, I believe that Concat is in the latter category.  Given the ease of implementation, it's certainly not worth adding space to the JWEs to work around.

                                                            -- Mike
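The Concat KDF referred to above is the NIST SP 800-56A single-step KDF: each round hashes a 32-bit big-endian counter, then the shared secret Z, then OtherInfo, with a fresh digest per round, and the round outputs are concatenated and truncated to keydatalen. The following is an added example built from hashlib only, not code from the JWE draft or any library; the OtherInfo layout (algorithm id, keydatalen, "Encryption"/"Integrity" label) and the sample inputs are constructed stand-ins, not the exact draft-06 layout.

```python
"""Concat KDF (NIST SP 800-56A single-step KDF) built on plain SHA-256/SHA-512.

Added example.  OtherInfo layout below is an assumed stand-in, not draft-06's.
"""
import hashlib
import struct


def concat_kdf(hash_name: str, z: bytes, keydatalen_bits: int, other_info: bytes) -> bytes:
    """Derive keydatalen_bits of keying material from shared secret z.

    Round i (i = 1..reps) is H(counter_i || z || other_info) computed with a
    fresh digest object, so any one-shot hash API is sufficient.
    """
    if keydatalen_bits <= 0 or keydatalen_bits % 8:
        raise ValueError("keydatalen must be a positive multiple of 8 bits")
    hashlen_bits = hashlib.new(hash_name).digest_size * 8
    reps = -(-keydatalen_bits // hashlen_bits)  # ceil(keydatalen / hashlen)
    if reps > 0xFFFFFFFF:
        raise ValueError("too much key material requested for a 32-bit counter")
    out = bytearray()
    for counter in range(1, reps + 1):
        h = hashlib.new(hash_name)            # new digest every round
        h.update(struct.pack(">I", counter))  # 32-bit big-endian counter
        h.update(z)
        h.update(other_info)
        out += h.digest()
    return bytes(out[: keydatalen_bits // 8])


def other_info(alg_id: bytes, keydatalen_bits: int, label: bytes) -> bytes:
    """Constructed OtherInfo: AlgorithmID || keydatalen (32-bit BE) || label."""
    return alg_id + struct.pack(">I", keydatalen_bits) + label


def derive_cek_cik(cmk: bytes, alg_id: bytes, cek_bits: int, cik_bits: int,
                   hash_name: str = "sha256") -> tuple:
    """Derive a content encryption key and a separate integrity key from one
    master key; the labels keep the two derivations from ever colliding."""
    cek = concat_kdf(hash_name, cmk, cek_bits, other_info(alg_id, cek_bits, b"Encryption"))
    cik = concat_kdf(hash_name, cmk, cik_bits, other_info(alg_id, cik_bits, b"Integrity"))
    return cek, cik


if __name__ == "__main__":
    cmk = bytes(range(32))  # constructed sample master key, not a real secret
    cek, cik = derive_cek_cik(cmk, b"example-alg", 128, 256)
    print("CEK:", cek.hex())
    print("CIK:", cik.hex())
```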

From: Axel.Nennker@telekom.de [mailto:Axel.Nennker@telekom.de]
Sent: Monday, October 29, 2012 6:03 AM
To: Mike Jones; jose@ietf.org
Cc: public-webcrypto@w3.org
Subject: RE: Platform Support for JWA Crypto Algorithms

As one can see from this table the KDF is unsupported on all platforms (except one).
http://self-issued.info/presentations/Platform_Support_for_JWA-04_Crypto_Algorithms.xlsx

JWE | kdf | CS256 | Concat Key Derivation Function (KDF) | NO | Win7 | | | NO | NO | NO | NO | NO | NO | NO | NO | | NO | NO | NO
JWE | kdf | CS384 | Concat Key Derivation Function (KDF) | NO | Win7 | | | NO | NO | NO | NO | NO | NO | NO | NO | | NO | NO | NO
JWE | kdf | CS512 | Concat Key Derivation Function (KDF) | NO | Win7 | | | NO | NO | NO | NO | NO | NO | NO | NO | | NO | NO | NO

Isn't this an indication that we should look at alternatives?

e.g.: we could generate the integrity protection key randomly instead of deriving it from the content encryption key.
This would add some more bytes (e.g. about 32) to the jwt but is very easy to implement on all platforms.


One way to do it would be to generate enough bytes "Bytes" in "JWE Encrypted Key" for encryption and integrity.
The CEK is then "Bytes[0 .. cekLength-1]" and the CIK "Bytes[cekLength .. cekLength+cikLength-1]"


Axel

[On some platforms (Firefox/NSS) it might even be nearly impossible to implement (without extending the platform's functions) because the built-in digest function is always reset when finalize (doFinal) is called. The spec of the Concat-KDF says that bytes are generated in a loop but the digest is NOT reset in the loop.]


From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Monday, October 29, 2012 7:28 AM
To: jose@ietf.org
Subject: [jose] Platform Support for JWA Crypto Algorithms

FYI, I posted the table describing support for the JWA algorithms in common Web development platforms that we discussed at IETF 84.  See http://self-issued.info/?p=884.

                                                            -- Mike