IETF Logo Mail Archive

Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption

"Jim Schaad" <ietf@augustcellars.com> Thu, 17 November 2011 00:55 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F19511E8098 for <jose@ietfa.amsl.com>; Wed, 16 Nov 2011 16:55:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lq4Tif4IwFfX for <jose@ietfa.amsl.com>; Wed, 16 Nov 2011 16:55:29 -0800 (PST)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id 19F9011E8086 for <jose@ietf.org>; Wed, 16 Nov 2011 16:55:29 -0800 (PST)
Received: from Tobias (dhcp-450f.meeting.ietf.org [130.129.69.15]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 39A2E2CA14; Wed, 16 Nov 2011 16:55:28 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: 'David McGrew' <mcgrew@cisco.com>, 'Mike Jones' <Michael.Jones@microsoft.com>
References: <9509AB72-10CC-4BA6-A61C-AD9C4AC7944A@cisco.com> <B26C1EF377CB694EAB6BDDC8E624B6E73A8BEDC2@SN2PRD0304MB235.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739435F7113A8@TK5EX14MBXC285.redmond.corp.microsoft.com> <109CDA9B-7427-4FB5-ADFD-4A72E82E4CAA@cisco.com>
In-Reply-To: <109CDA9B-7427-4FB5-ADFD-4A72E82E4CAA@cisco.com>
Date: Thu, 17 Nov 2011 08:54:55 +0800
Message-ID: <045101cca4c3$87a77b60$96f67220$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-us
Thread-Index: AQIfXWiGz+BYDGrCkc9B4MZ2d8XmRgGqxNXOAcOgPqsBrEMyFpTh6hAA
Cc: jose@ietf.org
Subject: Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2011 00:55:29 -0000

Mike,

I think that while the structures for JWS might need to undergo some changes that will mean that while the MAC and Digital Signature structures.  As I mentioned at the F2F meeting, I know of someone is doing some small device work where they are sending messages from the devices to more central locations.  In this case there is not a pre-existing shared secret generally between the two entities and they are not using TLS so they could not derive one from the session key.  Mapping what they do into the current JWS work would require some changes. Specifically

Header Object
   - contains a MAC algorithm to be used - generally AES-GMAC
   - contains a key wrapping algorithm - generally AES key wrap
   - contains a key agreement algorithm - generally EC-DH
Key Exchange Value - the CEK wrapped by the KEK where the KEK came from the static-static EC-DH algorithm
Body
MAC value

In this case we have four not three items that need to be placed in the sequence of items to be sent between the originator and the verifier.  I would still compute the MAC value in much the same way, only I would compute the MAC over the first three elements instead of the two elements.

This is the sort of thing that is used in a more store and forward environment or one where the answer is going to be pre-computed or where it needs to last longer than just the current session (i.e. later validation).

The same type of thing can be used for a long term shared KEK value on both the sender and recipient, where a unique CEK is generated for each message and wrapped.  David would be a better person than I am to address the question of security.  -"Do you have more security by doing an indirection and have a fresh key for doing the MAC on each operation rather than using the long term key for doing the MAC."  

If we did the above change, then I would say that the "Key Exchange Value" would become and empty string if you have a key derivied from the TLS session that you are using - but this would still lead to having four not three elements in the MAC case.

Jim

v2.23.0 | Report a Bug | By Email