Re: [jose] Use of AES-HMAC algorithm
"Jim Schaad" <ietf@augustcellars.com> Fri, 29 March 2013 02:14 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F183021F8A84 for <jose@ietfa.amsl.com>; Thu, 28 Mar 2013 19:14:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.561
X-Spam-Level:
X-Spam-Status: No, score=-3.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O8u-PfjRnO1J for <jose@ietfa.amsl.com>; Thu, 28 Mar 2013 19:14:25 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id 3367021F89C3 for <jose@ietf.org>; Thu, 28 Mar 2013 19:14:25 -0700 (PDT)
Received: from Philemon (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id EAF712CA20; Thu, 28 Mar 2013 19:14:24 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, jose@ietf.org
References: <006801ce2b39$52595700$f70c0500$@augustcellars.com> <4E1F6AAD24975D4BA5B168042967394367590C2F@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394367590C2F@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Thu, 28 Mar 2013 19:13:48 -0700
Message-ID: <006d01ce2c23$0cd29d50$2677d7f0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLvMnkknFYcqiiltjjBmV7CFJpF2gGCRpdslm3OPRA=
Content-Language: en-us
Subject: Re: [jose] Use of AES-HMAC algorithm
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2013 02:14:26 -0000
Sorry for the delayed response - my mail server was not delivering mail since I updated a certificate. > -----Original Message----- > From: Mike Jones [mailto:Michael.Jones@microsoft.com] > Sent: Wednesday, March 27, 2013 5:21 PM > To: Jim Schaad; jose@ietf.org > Subject: RE: [jose] Use of AES-HMAC algorithm > > Per your point 1, I don't think anyone was advocating doubling the key size. The > proposal in John's slides for issue #3 > (http://trac.tools.ietf.org/wg/jose/trac/ticket/3) was to use a CMK that is the > concatenation of the AES-CBC and HMAC-SHA-2 keys, as draft-mcgrew-aead- > aes-hmac-sha2 does. For instance, when using A128CBC with HS256, the key > size would be 384 bits and when using A256CBC with HS512, the key size would > be 768 bits. This would multiply the current key sizes by 1.5, with the > compensating benefit being the elimination of the use of the KDF. Doubling was indeed a poor choice of words - but I think you are understanding things. We are going to go from a 256 bit key to a 768 bit key - that is actually a tripling of size for the A256CBC + HS512. > > Your point 2 wasn't part of issue #3. This seems like an unnecessary change, > particularly for GCM, where the IV is specified as a separate value from the > ciphertext. > > Your point 3 wasn't part of issue #3. This seems like an unnecessary change, > particularly for GCM, where the Authentication Tag is specified as a separate > value from the ciphertext. > > Per your point 4, after a conversation initiated by Joe Hildebrand and a call > scheduled by Matt Miller, David McGrew has agreed refactor his draft so that > the inputs and outputs are specified separately and independently from the RFC > 5116 encoding of those values. While RFC 5116 specifies a binary serialization > for authenticated encryption algorithms, JWE specifies a textual serialization. > This refactoring would make it easy for JOSE to use the McGrew draft, since > the computation would be specified separately from the serialization, should > the working group choose to do so. > > I suspect that once the refactoring is done, should the working group choose to > use the McGrew algorithm, JWA could reference the appropriate sections of > draft-mcgrew-aead-aes-hmac-sha2 and JWE could include an example > computation for this algorithm, making it easy for developers to build. > > Per your point 5, I think the term "key wrapping" is being used for two different > things: (1) Encrypting the ephemeral symmetric Content Master Key for a JWE > and (2) encrypting a JWK or JWK Set containing symmetric and/or private key > information and potentially other key attributes, enabling the encrypted JWK or > JWK Set to be safely stored or transported. It think it would clarify the > discussions to keep these operations distinct. I don't think anyone is proposing > using AES-GCM or A128CBC+HS256 for (1), whereas they can already be used > as part of (2) if the JWK is encrypted in a JWE, per Matt's draft. Given the > opinions voiced at the CFRG meeting that it's fine to use approved > authenticated encryption algorithms to encrypt keys, I believe that there's > already no problem with using these algorithms for (2). I was actually looking at the case of wrapping the CMK and not wrapping content when I wrote point 5. Jim > > -- Mike > > -----Original Message----- > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim > Schaad > Sent: Wednesday, March 27, 2013 3:21 PM > To: jose@ietf.org > Subject: [jose] Use of AES-HMAC algorithm > > <chair> > After spending time looking at and thinking about how to resolve this issue > since I was unable to do so at the last F2F meeting. I have come up with the > following set of issues that might need to be addressed as part of resolving this > issue. > > 1. Do we change from using KDC to having a double size key for the algorithm? > I think that there is probably a consensus that this should be done. > > 2. Should IVs be prepended to the encrypted body as part of the encoding > steps? If so then this change should be universal. > > Doing so would eliminate one field from all of the encoding formats which > should be considered a plus. > Doing so would force code writers to understand how large the IV is for all > algorithms as the IV would no longer be a separate item. > > 3. Should Authentication Tags be appended to the encrypted body as part of the > encoding steps? > > Doing so would eliminate one field from all of the encoding formats which > should be considered a plus. > Doing so would force code writers to understand how large the IV is for all > algorithms as the IV would no longer be a separate item. > Doing so would force a re-organization for the multiple recipient case as either > all recipient specific data would need to be excluded from the authentication > step or all of the recipient data would need to be included for by all recipients. > Changing how the recipient info is process is going to give a performance > benefit for sending encrypted items for multiple recipients. > The current strategy of a single IV and key pair with AES-GCM and different > authentication data needs to have CFRG look at it. I am worried that it might > be a serious security flaw. > > 4. Should we reference the McGrew draft and provide text on how things are > changed or should we "copy" the draft into our text? > > 5. If we allow for the use of AES-GCM or AES-HMAC for doing key wrapping, > does this change how we think about any of the above questions? > > Allowing for AES-GCM for key wrapping has a benefit for hardware situations > as only the encrypt and not the decrypt functions need to be placed in > hardware. However allowing for this key wrapping give a problem as there is > no way to encode the three fields into the encrypted value unless with use > either a JSON structure in this location or we do use the single appended binary > output stream. The first approach leads to an expansion of the field by double > base64 encoding which is highly undesirable. > > Jim > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose
- [jose] Use of AES-HMAC algorithm Jim Schaad
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Mike Jones
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Mike Jones
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Manger, James H
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Manger, James H
- Re: [jose] Use of AES-HMAC algorithm Vladimir Dzhuvinov / NimbusDS
- Re: [jose] Use of AES-HMAC algorithm Jim Schaad