IETF Logo Mail Archive

Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption

Nat Sakimura <sakimura@gmail.com> Wed, 16 November 2011 04:14 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A1C811E80AA for <jose@ietfa.amsl.com>; Tue, 15 Nov 2011 20:14:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.09
X-Spam-Level:
X-Spam-Status: No, score=-3.09 tagged_above=-999 required=5 tests=[AWL=-0.092, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6vlmdoZSvIIV for <jose@ietfa.amsl.com>; Tue, 15 Nov 2011 20:14:37 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by ietfa.amsl.com (Postfix) with ESMTP id 80C491F0C47 for <jose@ietf.org>; Tue, 15 Nov 2011 20:14:36 -0800 (PST)
Received: by faap16 with SMTP id p16so1270912faa.31 for <jose@ietf.org>; Tue, 15 Nov 2011 20:14:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Xpmh/lWLi92wP9qddsioQEaXgP+MCd87qUsR/ve2eOE=; b=GUmbVYBHSqBe+KzrJ0ot08T3oCa50AORi6+aimoey3DLbcCRZfGtT9mIUg2Vacbwuk OcQZMPT4LwojjAU9oWmVvteihPnY3atfd8WN7CLGv/44WOEJgXFcboEoue0QuOs82rGv aAe9kx61p/3Z6KcG95946/Tgc2TWE3bQb1CP8=
MIME-Version: 1.0
Received: by 10.152.104.130 with SMTP id ge2mr19292715lab.43.1321416874310; Tue, 15 Nov 2011 20:14:34 -0800 (PST)
Received: by 10.152.4.34 with HTTP; Tue, 15 Nov 2011 20:14:34 -0800 (PST)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F7113A8@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <9509AB72-10CC-4BA6-A61C-AD9C4AC7944A@cisco.com> <B26C1EF377CB694EAB6BDDC8E624B6E73A8BEDC2@SN2PRD0304MB235.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739435F7113A8@TK5EX14MBXC285.redmond.corp.microsoft.com>
Date: Wed, 16 Nov 2011 12:14:34 +0800
Message-ID: <CABzCy2C15cytLubOBEGd2+Zc4Qz4MzMY2wB5xxyUdPOq6VWsBg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="f46d0408d3c164bac804b1d25728"
Cc: Anthony Nadalin <tonynad@microsoft.com>, David McGrew <mcgrew@cisco.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Nov 2011 04:14:41 -0000

+1

Also, Re:David's proposal for use of word "Authentication": I am ok with
"Message Authentication" but against just using stand alone
"Authentication". It is a way too overloaded word and causes unnecessary
confusion.

On Wed, Nov 16, 2011 at 9:57 AM, Mike Jones <Michael.Jones@microsoft.com>wrote:

> Upon reflection since Monday's meeting, I believe that the draft title
> should stay "JSON Web Signature" (as Tony pointed out, "Signing" is in the
> WG's name!) but the text should be clear that the spec describes both how
> to perform digital signatures and how to perform HMAC operations).  It will
> no longer use the term "signing" when referring to HMAC operations.
>
> As Eric Rescorla pointed out during the meeting, the problem with
> splitting out HMAC into a different spec is that the preparation of the
> content is essentially identical between the two kinds of operations.  The
> amount of duplication resulting wouldn't be doing the users of the specs
> any favors.
>
>                                -- Mike
>
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> Anthony Nadalin
> Sent: Tuesday, November 15, 2011 5:50 PM
> To: David McGrew; jose@ietf.org
> Subject: Re: [jose] comments on draft-jones-json-web-signature and
> draft-jones-json-web-encryption
>
> At the same time we don't want to confuse folks the other way to have them
> think we are not addressing signature. The WG name does have signing in it.
> One option would be to split out the MAC from the signing
>
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> David McGrew
> Sent: Tuesday, November 15, 2011 4:40 AM
> To: jose@ietf.org
> Subject: [jose] comments on draft-jones-json-web-signature and
> draft-jones-json-web-encryption
>
> Hi
>
> I would like to contribute the following comments.  I have not been
> closely following the WG, so apologies in advance if I'm rehashing
> something.
>
> The json-web-signature draft should be changed by using the more generic
> "authentication" instead of "signature", as suggested in
> Section 9.   HMAC is a (symmetric) message authentication code, and
> not an (asymmetric) digital signature algorithm.  See RFC 4949 for
> instance for the appropriate definitions.  Calling HMAC a signature method
> will confuse readers going forward and potentially set incorrect
> expectations. I suggest the following changes (not because I think these
> are the only good alternatives, but because I want to be
> constructive):
>
> "JSON Web Signature" -> "JSON Web Authentication"
> "sign" -> "authenticate"
> "signing" -> "authenticating"
> "signature" -> "authentication data"
>
> The security considerations of json-web-signature should explain the
> difference between symmetric and asymmetric encryption.
>
> Section 9 mentions the possibility of including an unkeyed checksum based
> on SHA-256.  If that is done, then that will potentially confuse the issue
> further.  What would the value of that checksum be, and
> would it be a security mechanism?   If it is defined, I suggest that
> it be done in a different draft.
>
> Why are we allowing unauthenticated encryption in draft-jones-json-web-
> encryption?   Authenticated Encryption with Associated Data (AEAD) is
> recommended (in the form of AES-GCM) in the draft, and it avoids all sorts
> of security issues that are present with unauthenticated encryption
> (besides being theoretically vulnerable, it has fallen victim to practical
> attacks [1][2][3][4][5][6][7][8]).  Note that some of these attacks apply
> when encryption is loosely bound to authentication.  I suggest that AEAD be
> the only encryption method, and that an RFC 5116 interface be included.
>  Since GCM is recommended, the interface is already there, but not called
> out.  Omitting unauthenticated encryption will simplify the spec, and
> improve security.  If there is some percieved issue with AES-GCM, there are
> other AEAD algorithms that can be used, AES-SIV (synthetic IV mode)
> for instance, or a generic CBC+HMAC composition.   In any case, I
> offer to help craft and/or review this text.
>
> A minor point: JWE recommends AES-GCM; why not have json-web-signature
> recommend AES-GMAC?
>
> json-web-signature says that "Related encryption capabilities are
> described in the separate JSON Web Encryption (JWE) specification".
> The JWE specification says that "In general, senders SHOULD sign the
> message and then encrypt the result (thus encrypting the
> signature)".   There ought to be better recommendations for security.
> For instance, encryption without authentication should be disallowed.
>
> regards,
>
> David
>
> --
>
>
> [1] Vaudenay, "Security Flaws Induced by CBC Padding Applications to SSL,
> IPSEC, WTLS...", EUROCRYPT 2002.
>
> [2] Rizzo, Duong, "Practical Padding Oracle Attacks", Black Hat Europe,
> 2010.
>
> [3] Jager, Somorovsky, "How To Break XML Encryption", 18th ACM Conference
> on Computer and Communications Security (CCS), 2011.
>
> [4] Bellare, Kohno, Namprempre, "Breaking and provably repairing the SSH
> authenticated encryption scheme: A case study of the Encode-then-
> Encrypt-and-MAC paradigm", ACM Transactions on Information and System
> Security, May 2004.
>
> [5] Rizzo, Thai, "BEAST: Surprising crypto attack against HTTPS",
> Ekoparty, 2011.
>
> [6] Bellovin, “Problem Areas for the IP Security Protocols”, Sixth Usenix
> Unix Security Symposium, 1996.
>
> [7] Paterson, Yau, “Cryptography in theory and practice: The case of
> encryption in IPsec”, EUROCRYPT 2006,
>
> [8] Degabriele, Paterson, "Attacking the IPsec Standards in Encryption-
> only Configurations", IEEE Symposium on Security and Privacy, 2007.
>
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email