IETF Logo Mail Archive

Re: [jose] Support for Wrapped Keys?

"Matt Miller (mamille2)" <mamille2@cisco.com> Tue, 30 October 2012 14:53 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96E8521F8489 for <jose@ietfa.amsl.com>; Tue, 30 Oct 2012 07:53:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hXJjFQiyoZrn for <jose@ietfa.amsl.com>; Tue, 30 Oct 2012 07:53:41 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id 7B2ED21F8481 for <jose@ietf.org>; Tue, 30 Oct 2012 07:53:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7905; q=dns/txt; s=iport; t=1351608821; x=1352818421; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=zehiK6ANTukAt/BoplSS4gM9jZ88nrBvzB7Yh5LukIA=; b=KWTbceAG2jQjqWjJw3Qzl7IbUGQffEziDBJ8/Xj2GVfhUOEdhWocMbDJ q3ukfpCQW0MASoc5bGLbuJmx+MrzAzZrenED21f/JSzqPntAiSlNmag+x FFbeNhxb4oLrqzBY5KBINtL3zxZGoDxwrBL/fVl9Tj4L8yd46fHxR8qJL Q=;
X-Files: smime.p7s : 2214
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EALXpj1CtJV2c/2dsb2JhbABEw0iBCIIeAQEBAwEBAQEPAVsLBQcEAgEIDgMEAQELHQcCJQsUCQgCBA4FCAYNB4deBgucfI9nkDcEi3eFfGEDjnWBIZQ2gWuCb4IZ
X-IronPort-AV: E=Sophos; i="4.80,679,1344211200"; d="p7s'?scan'208"; a="136913712"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-7.cisco.com with ESMTP; 30 Oct 2012 14:53:41 +0000
Received: from xhc-rcd-x12.cisco.com (xhc-rcd-x12.cisco.com [173.37.183.86]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id q9UEreY7018314 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 30 Oct 2012 14:53:40 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.240]) by xhc-rcd-x12.cisco.com ([173.37.183.86]) with mapi id 14.02.0318.001; Tue, 30 Oct 2012 09:53:40 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Thread-Topic: [jose] Support for Wrapped Keys?
Thread-Index: AQHNsixtFQh89Wn5MUGS4dRC2YkxtZfI+/JAgAlQRoA=
Date: Tue, 30 Oct 2012 14:53:40 +0000
Message-ID: <BF7E36B9C495A6468E8EC573603ED94115076C03@xmb-aln-x11.cisco.com>
References: <BF7E36B9C495A6468E8EC573603ED94115074062@xmb-aln-x11.cisco.com> <4E1F6AAD24975D4BA5B16804296739436687BED7@TK5EX14MBXC285.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436687BED7@TK5EX14MBXC285.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [64.101.72.62]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19320.004
x-tm-as-result: No--48.550300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/signed; boundary="Apple-Mail=_937516A1-B76A-433F-A826-3E309654259E"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Cc: "<jose@ietf.org>" <jose@ietf.org>
Subject: Re: [jose] Support for Wrapped Keys?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Oct 2012 14:53:42 -0000

On Oct 24, 2012, at 4:03 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Per our discussions, there's an approach we could discuss that's very close to what you're already doing.  JWE already has a way to encrypt a key.  This key is then currently always used to encrypt the plaintext.
> 
> One obvious solution then appears to be to have no plaintext and only perform the first of the two steps - create a JWE Encrypted Key value, leaving the JWE Initialization Vector, JWE Ciphertext, and JWE Integrity value fields empty.
> 

That would work, but I wonder if this complicates implementation interfaces too much.

Here's what I mean:  As far as I can tell, there's no real need for a user of a JWE implementation to actually know about the CMK.  For encryption, the implementation could generate it using a suitable RNG based on the (header) parameters, and encode it with the one key provided by the user.  For decryption, it uses parameters from the header and some determination of the "alg" key (passed in, from a keystore, etc etc), decrypts the CMK with that key, then decrypts the ciphertext with the CMK.

In this instance, decryption requires at a bare minimum multiple outputs: plaintext plus the CMK.  It might be nice for an implementation to provide the rest (header, integrity), but these are easily obtained from the input data in the first place.

Personally, I think it would be ideal if there were a way to say "use this asymmetric key to encrypt the plaintext, but don't worry about a CMK."

I think what we had talked about in Vancouver was effectively to use an "alg" of "dir" and an "enc" of "RSA-OAEP", which I'm sure has its own set of objections (aside from currently being disallowed).

> The objection that I'm sure people would raise to this obvious solution is that then the contents of the header and encrypted key are not integrity protected.  One potential solution to this would be to use an "enc" algorithm that only provides integrity but performs no encryption.
> 
> The most simple such solution would be to use a cryptographic hash function such as SHA-256 to compute an integrity value over the other fields.  You could look at this as a degenerate AEAD algorithm, accepting an "additional authenticated data" input and producing an "authentication tag" output, but with no plaintext input or ciphertext output.
> 
> That would give you an integrity-protected encrypted key, doing the key encryption in the same way that the JWE "alg" values already do.
> 

Personally, I don't really care if there is integrity protection here.  I'm probably alone (with Richard) on this one, though.

> Anyway, hopefully the above will at least seed a productive discussion of the possibilities.  I do completely understand the value of Matt's use case and want us to think about how to best solve it.
> 


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

> 				-- Mike
> 
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Matt Miller (mamille2)
> Sent: Wednesday, October 24, 2012 2:14 PM
> To: <jose@ietf.org>
> Subject: [jose] Support for Wrapped Keys?
> 
> This is a topic that has been discussed some off-list between myself, Mike Jones, John Bradley, and Nat Sakimura.
> 
> For XMPP E2E, there is a need to disseminate a "session" master (symmetric) key between the sender and recipients as a wrapped key.  To date, this is done in a very custom manner by encrypting the session key with the recipient's public key, and packaging as a partial (read: broken) JWE value.
> 
> Ideally, I would like a nice way of handling wrapped keys in JWE.  The more standardized alternatives I can see are:
> 
> * Follow JWE, using the session key for both the content key and the content plaintext (feels very awkward)
> * Follow JWE, generating yet-another-CMK and using the session key as the content plaintext (feels very wasteful)
> 
> Does anyone else think this is worth supporting?
> 
> 
> - m&m
> 
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
> 
> PS: JSMS supports wrapped keys, as does CMS.
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email