Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption
Nat Sakimura <sakimura@gmail.com> Wed, 16 November 2011 04:14 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A1C811E80AA for <jose@ietfa.amsl.com>; Tue, 15 Nov 2011 20:14:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.09
X-Spam-Level:
X-Spam-Status: No, score=-3.09 tagged_above=-999 required=5 tests=[AWL=-0.092, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6vlmdoZSvIIV for <jose@ietfa.amsl.com>; Tue, 15 Nov 2011 20:14:37 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id 80C491F0C47 for <jose@ietf.org>; Tue, 15 Nov 2011 20:14:36 -0800 (PST)
Received: by faap16 with SMTP id p16so1270912faa.31 for <jose@ietf.org>; Tue, 15 Nov 2011 20:14:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Xpmh/lWLi92wP9qddsioQEaXgP+MCd87qUsR/ve2eOE=; b=GUmbVYBHSqBe+KzrJ0ot08T3oCa50AORi6+aimoey3DLbcCRZfGtT9mIUg2Vacbwuk OcQZMPT4LwojjAU9oWmVvteihPnY3atfd8WN7CLGv/44WOEJgXFcboEoue0QuOs82rGv aAe9kx61p/3Z6KcG95946/Tgc2TWE3bQb1CP8=
MIME-Version: 1.0
Received: by 10.152.104.130 with SMTP id ge2mr19292715lab.43.1321416874310; Tue, 15 Nov 2011 20:14:34 -0800 (PST)
Received: by 10.152.4.34 with HTTP; Tue, 15 Nov 2011 20:14:34 -0800 (PST)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F7113A8@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <9509AB72-10CC-4BA6-A61C-AD9C4AC7944A@cisco.com> <B26C1EF377CB694EAB6BDDC8E624B6E73A8BEDC2@SN2PRD0304MB235.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739435F7113A8@TK5EX14MBXC285.redmond.corp.microsoft.com>
Date: Wed, 16 Nov 2011 12:14:34 +0800
Message-ID: <CABzCy2C15cytLubOBEGd2+Zc4Qz4MzMY2wB5xxyUdPOq6VWsBg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="f46d0408d3c164bac804b1d25728"
Cc: Anthony Nadalin <tonynad@microsoft.com>, David McGrew <mcgrew@cisco.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Nov 2011 04:14:41 -0000
+1 Also, Re:David's proposal for use of word "Authentication": I am ok with "Message Authentication" but against just using stand alone "Authentication". It is a way too overloaded word and causes unnecessary confusion. On Wed, Nov 16, 2011 at 9:57 AM, Mike Jones <Michael.Jones@microsoft.com>wrote: > Upon reflection since Monday's meeting, I believe that the draft title > should stay "JSON Web Signature" (as Tony pointed out, "Signing" is in the > WG's name!) but the text should be clear that the spec describes both how > to perform digital signatures and how to perform HMAC operations). It will > no longer use the term "signing" when referring to HMAC operations. > > As Eric Rescorla pointed out during the meeting, the problem with > splitting out HMAC into a different spec is that the preparation of the > content is essentially identical between the two kinds of operations. The > amount of duplication resulting wouldn't be doing the users of the specs > any favors. > > -- Mike > > -----Original Message----- > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of > Anthony Nadalin > Sent: Tuesday, November 15, 2011 5:50 PM > To: David McGrew; jose@ietf.org > Subject: Re: [jose] comments on draft-jones-json-web-signature and > draft-jones-json-web-encryption > > At the same time we don't want to confuse folks the other way to have them > think we are not addressing signature. The WG name does have signing in it. > One option would be to split out the MAC from the signing > > -----Original Message----- > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of > David McGrew > Sent: Tuesday, November 15, 2011 4:40 AM > To: jose@ietf.org > Subject: [jose] comments on draft-jones-json-web-signature and > draft-jones-json-web-encryption > > Hi > > I would like to contribute the following comments. I have not been > closely following the WG, so apologies in advance if I'm rehashing > something. > > The json-web-signature draft should be changed by using the more generic > "authentication" instead of "signature", as suggested in > Section 9. HMAC is a (symmetric) message authentication code, and > not an (asymmetric) digital signature algorithm. See RFC 4949 for > instance for the appropriate definitions. Calling HMAC a signature method > will confuse readers going forward and potentially set incorrect > expectations. I suggest the following changes (not because I think these > are the only good alternatives, but because I want to be > constructive): > > "JSON Web Signature" -> "JSON Web Authentication" > "sign" -> "authenticate" > "signing" -> "authenticating" > "signature" -> "authentication data" > > The security considerations of json-web-signature should explain the > difference between symmetric and asymmetric encryption. > > Section 9 mentions the possibility of including an unkeyed checksum based > on SHA-256. If that is done, then that will potentially confuse the issue > further. What would the value of that checksum be, and > would it be a security mechanism? If it is defined, I suggest that > it be done in a different draft. > > Why are we allowing unauthenticated encryption in draft-jones-json-web- > encryption? Authenticated Encryption with Associated Data (AEAD) is > recommended (in the form of AES-GCM) in the draft, and it avoids all sorts > of security issues that are present with unauthenticated encryption > (besides being theoretically vulnerable, it has fallen victim to practical > attacks [1][2][3][4][5][6][7][8]). Note that some of these attacks apply > when encryption is loosely bound to authentication. I suggest that AEAD be > the only encryption method, and that an RFC 5116 interface be included. > Since GCM is recommended, the interface is already there, but not called > out. Omitting unauthenticated encryption will simplify the spec, and > improve security. If there is some percieved issue with AES-GCM, there are > other AEAD algorithms that can be used, AES-SIV (synthetic IV mode) > for instance, or a generic CBC+HMAC composition. In any case, I > offer to help craft and/or review this text. > > A minor point: JWE recommends AES-GCM; why not have json-web-signature > recommend AES-GMAC? > > json-web-signature says that "Related encryption capabilities are > described in the separate JSON Web Encryption (JWE) specification". > The JWE specification says that "In general, senders SHOULD sign the > message and then encrypt the result (thus encrypting the > signature)". There ought to be better recommendations for security. > For instance, encryption without authentication should be disallowed. > > regards, > > David > > -- > > > [1] Vaudenay, "Security Flaws Induced by CBC Padding Applications to SSL, > IPSEC, WTLS...", EUROCRYPT 2002. > > [2] Rizzo, Duong, "Practical Padding Oracle Attacks", Black Hat Europe, > 2010. > > [3] Jager, Somorovsky, "How To Break XML Encryption", 18th ACM Conference > on Computer and Communications Security (CCS), 2011. > > [4] Bellare, Kohno, Namprempre, "Breaking and provably repairing the SSH > authenticated encryption scheme: A case study of the Encode-then- > Encrypt-and-MAC paradigm", ACM Transactions on Information and System > Security, May 2004. > > [5] Rizzo, Thai, "BEAST: Surprising crypto attack against HTTPS", > Ekoparty, 2011. > > [6] Bellovin, “Problem Areas for the IP Security Protocols”, Sixth Usenix > Unix Security Symposium, 1996. > > [7] Paterson, Yau, “Cryptography in theory and practice: The case of > encryption in IPsec”, EUROCRYPT 2006, > > [8] Degabriele, Paterson, "Attacking the IPsec Standards in Encryption- > only Configurations", IEEE Symposium on Security and Privacy, 2007. > > > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
- [jose] comments on draft-jones-json-web-signature… David McGrew
- Re: [jose] comments on draft-jones-json-web-signa… Anthony Nadalin
- Re: [jose] comments on draft-jones-json-web-signa… Mike Jones
- Re: [jose] comments on draft-jones-json-web-signa… Nat Sakimura
- Re: [jose] comments on draft-jones-json-web-signa… David McGrew
- Re: [jose] comments on draft-jones-json-web-signa… Nat Sakimura
- Re: [jose] comments on draft-jones-json-web-signa… John Bradley
- Re: [jose] comments on draft-jones-json-web-signa… Jeremy Laurenson (jlaurens)
- Re: [jose] comments on draft-jones-json-web-signa… Phillip Hallam-Baker
- Re: [jose] comments on draft-jones-json-web-signa… Jim Schaad
- Re: [jose] comments on draft-jones-json-web-signa… Mike Jones
- Re: [jose] comments on draft-jones-json-web-signa… Leif Johansson
- Re: [jose] comments on draft-jones-json-web-signa… Matthew Green
- Re: [jose] comments on draft-jones-json-web-signa… John Bradley
- Re: [jose] comments on draft-jones-json-web-signa… John Bradley
- Re: [jose] comments on draft-jones-json-web-signa… Jim Schaad
- Re: [jose] comments on draft-jones-json-web-signa… John Bradley
- Re: [jose] comments on draft-jones-json-web-signa… Jim Schaad
- Re: [jose] comments on draft-jones-json-web-signa… John Bradley
- Re: [jose] comments on draft-jones-json-web-signa… Jim Schaad
- Re: [jose] comments on draft-jones-json-web-signa… Matthew Green