IETF Logo Mail Archive

Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

Mike Jones <Michael.Jones@microsoft.com> Thu, 25 April 2013 19:10 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77A7021F8E76 for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 12:10:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.389
X-Spam-Level:
X-Spam-Status: No, score=-2.389 tagged_above=-999 required=5 tests=[AWL=0.210, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id krWUUaETSHtR for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 12:10:01 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0242.outbound.protection.outlook.com [207.46.163.242]) by ietfa.amsl.com (Postfix) with ESMTP id E2F1A21F8B07 for <jose@ietf.org>; Thu, 25 Apr 2013 12:10:00 -0700 (PDT)
Received: from BL2FFO11FD015.protection.gbl (10.173.161.201) by BL2FFO11HUB023.protection.gbl (10.173.161.47) with Microsoft SMTP Server (TLS) id 15.0.675.0; Thu, 25 Apr 2013 19:09:59 +0000
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD015.mail.protection.outlook.com (10.173.160.223) with Microsoft SMTP Server (TLS) id 15.0.675.0 via Frontend Transport; Thu, 25 Apr 2013 19:09:58 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.233]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.02.0318.003; Thu, 25 Apr 2013 19:09:40 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Russ Housley <housley@vigilsec.com>
Thread-Topic: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
Thread-Index: AQHOQIL4trz81TOedUqxu9faqHUMmpjmU7yAgADgbwCAABQ8wA==
Date: Thu, 25 Apr 2013 19:09:40 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943676C00E2@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <20130424002901.19246.69134.idtracker@ietfa.amsl.com> <014201ce416a$82761a80$87624f80$@augustcellars.com> <B9EADFAC-382A-40C3-937C-C07E77777273@vigilsec.com>
In-Reply-To: <B9EADFAC-382A-40C3-937C-C07E77777273@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464002)(377454001)(377424002)(189002)(199002)(24454001)(51704004)(4396001)(66066001)(6806003)(55846006)(77982001)(59766001)(79102001)(49866001)(63696002)(74366001)(33656001)(15202345002)(47736001)(50986001)(81542001)(50466002)(81342001)(54356001)(16406001)(74502001)(74662001)(31966008)(20776003)(56776001)(56816002)(23726002)(47446002)(47776003)(65816001)(46406003)(54316002)(51856001)(69226001)(53806001)(46102001)(47976001)(80022001)(76482001)(44976003); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB023; H:TK5EX14MLTC102.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0827D7ACB9
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 19:10:02 -0000

Hi Russ,

I agree that enabling GCM to be safely used in the multiple recipients case would be highly desirable.  It is currently prohibited because if the recipients share a common key and initialization vector (IV) but use different AAD values, this results in the identified vulnerability.  One possible solution that continues integrity protecting the headers but enables the safe use of GCM was identified off-list by John Bradley.
 
That solution is to have each recipient always use the same key, IV, and AAD values.  This could be accomplished by including all the header values in a single combined AAD value, rather than having the integrity protection for each recipient's headers be independent.

This change could be done in a manner that doesn't affect the computation for the single recipients case.  Given the upcoming interim JOSE meeting next week, and given the (understandable) strong negative reaction to the unusability of GCM with the current multiple recipients processing rules, I'll plan on quickly producing a draft -10 that changes the processing rules in the manner described above, so that idea can be concretely considered by the working group next week.

Just so people are clear on the properties on the new processing rules - this would mean that the integrity computations for each recipients would no longer be independent.  The only downside of this (which could be an upside in some ways) is that it would no longer be possible to add recipients over time without performing a new encryption computation with a new CEK and IV.

				Cheers,
				-- Mike

-----Original Message-----
From: Russ Housley [mailto:housley@vigilsec.com] 
Sent: Thursday, April 25, 2013 10:31 AM
To: Mike Jones
Cc: jose@ietf.org
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

Mike:

Like Jim, I cannot support this statement: AES GCM MUST NOT be used when using the JWE JSON Serialization for multiple recipients

All recipients ought to be performing decryption and integrity checking with the same GCM key.  The manner in which they obtain that key may be different (key transport: decrypt the GCM key with the recipient's private key, key agreement: agreement of a pairwise KEK and then unwrapping the GCM key with the KEK, pre-shared KEK: unwrapping the GCM key with the already known KEK, etc).

Russ


On Apr 25, 2013, at 12:07 AM, Jim Schaad wrote:

> Mike,
> 
> AES GCM MUST NOT be used when using the JWE JSON Serialization for
>   multiple recipients, since this would result in the same
>   Initialization Vector and Plaintext values being used for multiple
>   GCM encryptions.
> 
> I doubt your co-authors would agree with this.
> I doubt the working group with agree with this.
> I know that at least one co-chair does not agree with this I can 
> predict that the AD and IESG along with the security directorate would 
> crucify me if I allowed this to stand in the document..
> 
> Jim
> 
> 
> 
>> -----Original Message-----
>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf 
>> Of internet-drafts@ietf.org
>> Sent: Tuesday, April 23, 2013 5:29 PM
>> To: i-d-announce@ietf.org
>> Cc: jose@ietf.org
>> Subject: [jose] I-D Action: 
>> draft-ietf-jose-json-web-encryption-09.txt
>> 
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>> This draft is a work item of the Javascript Object Signing and 
>> Encryption Working Group of the IETF.
>> 
>> 	Title           : JSON Web Encryption (JWE)
>> 	Author(s)       : Michael B. Jones
>>                          Eric Rescorla
>>                          Joe Hildebrand
>> 	Filename        : draft-ietf-jose-json-web-encryption-09.txt
>> 	Pages           : 54
>> 	Date            : 2013-04-23
>> 
>> Abstract:
>>   JSON Web Encryption (JWE) is a means of representing encrypted
>>   content using JavaScript Object Notation (JSON) data structures.
>>   Cryptographic algorithms and identifiers for use with this
>>   specification are described in the separate JSON Web Algorithms (JWA)
>>   specification.  Related digital signature and MAC capabilities are
>>   described in the separate JSON Web Signature (JWS) specification.
>> 
>> 
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption
>> 
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-09
>> 
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-ietf-jose-json-web-encryption-
>> 09
>> 
>> 
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>> 
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email