IETF Logo Mail Archive

Re: [jose] WebCrypto feedback on key wrapping

"Jim Schaad" <ietf@augustcellars.com> Tue, 19 March 2013 00:40 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6339021F89AA for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 17:40:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.539
X-Spam-Level:
X-Spam-Status: No, score=-3.539 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eh4mH7STDDwg for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 17:40:18 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7C6F521F899E for <jose@ietf.org>; Mon, 18 Mar 2013 17:40:18 -0700 (PDT)
Received: from Philemon (winery.augustcellars.com [206.212.239.129]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 522102CA2B; Mon, 18 Mar 2013 17:40:18 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Richard Barnes' <rlb@ipv.sx>, jose@ietf.org
References: <CAL02cgQQ4YejJOS_BHJWDYwy4SChQ4XfinTG+6px4=JN1=UCBQ@mail.gmail.com>
In-Reply-To: <CAL02cgQQ4YejJOS_BHJWDYwy4SChQ4XfinTG+6px4=JN1=UCBQ@mail.gmail.com>
Date: Mon, 18 Mar 2013 17:39:30 -0700
Message-ID: <096701ce243a$40a54880$c1efd980$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0968_01CE23FF.94475AE0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJp5Fw5bjj7VLaKZ95E+Mj7F7IDmJd0qc/g
Content-Language: en-us
Subject: Re: [jose] WebCrypto feedback on key wrapping
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 00:40:19 -0000

 

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
Richard Barnes
Sent: Monday, March 18, 2013 4:25 PM
To: jose@ietf.org
Subject: [jose] WebCrypto feedback on key wrapping

 

On today's call with the W3C WebCrypto working  group, I reported on the
discussion of JOSE key wrapping at the last IETF.  I was asked to relay a
few bits of feedback:

 

1. Vijay Bharadwaj (Microsoft) observed that AES key wrap has fallen out of
favor with some parts of the cryptographic community.  People prefer to be
able to use AEAD algorithms for key wrapping, since they are perceived to be
faster and offer a higher level of security than AES-KW. He gave the example
that IEEE 802.1 uses AES CCM.

 

[JLS] AES Key Wrap is an AD algorithm and a variant of it exists that is an
AEAD algorithm.  So this is a case of not correctly using terminology.  I
would also question the issue of perceived security as with AES-KW every bit
of the plain text affects every other bit of plain text in the encryption
process and this is not true for AES-GW or AES-CCM.  I would agree that
there is both a speed advantage and perhaps more importantly the fact that
only one side of the AES engine is needed (i.e. you only need to encrypt but
not decrypt) for AES CCM and AES-GCM.

 

2. Mark Watson (Netflix) noted that if we use RSA directly to encrypt
wrapped key objects, then we would need something other than OAEP in order
to carry arbitrary-length payloads.  I agreed, and suggested that something
like RSA-KEM would be necessary.  Ryan Sleevi (Google) and Vijay observed
that KEM is troublesome due to the lack of support by native crypto
libraries.

 

Note that using RSA-KEM is not using RSA directly.  RSA-KEM should be
thought of as a single party key agreement algorithm and not a key transport
algorithm.  You encrypt a large integer and then run a KDF on that large
integer to get a key.  I perceive no advantage to using RSA-KEM except for
the fact that the security on it is more provable.

 

It seems to me that these comments have impacts on JWE and JWS (pending
ISSUE-2), as well as the wrapping discussion.  The former has more impact
than the latter. 

 

Point number 1 implies that we should offer AEAD for key wrapping in JWE as
well as for wrapped keys.  It seems to me that the simplest approach to this
would be to make the "alg" field contain an object that is semantically
equivalent to an AlgorithmIdentifier in CMS/PKCS8.  For example, { name:
"A128GCM", iv: "PCIGJe0DjunuM7s0" }.  This syntax, incidentally, is roughly
the same form that algorithm identifiers have in the WebCrypto API.  Note
that this type of key wrapping is supported in CMS by the use of an AEAD
AlgorithmIdentifier in the KEKRecipientInfo structure.  

 

Point number 2 likely applies for some scenarios of JWE, especially if we
adopt the McGrew approach.  For example, if using HMAC-SHA1 and AES with a
256-bit key, the total key length is 788 bits, which is too long to be
encrypted with OAEP under a 1,024-bit RSA key.  I'm not sure how to resolve
it.  The best idea I've got is to allow wrapped keys to nest, so that you
can wrap a key inside of another wrapped key.

 

I will try to take these points into account in my forthcoming key wrapping
draft, and I've filed two issues against JWE to track them.

 

--Richard

v2.23.0 | Report a Bug | By Email