Re: [jose] #14: Support longer wrapped keys than OAEP allows
Mike Jones <Michael.Jones@microsoft.com> Tue, 19 March 2013 16:33 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1E6521F8F41 for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 09:33:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.303
X-Spam-Level:
X-Spam-Status: No, score=-2.303 tagged_above=-999 required=5 tests=[AWL=0.295, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3bLpzXRtHp7j for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 09:33:06 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0203.outbound.protection.outlook.com [207.46.163.203]) by ietfa.amsl.com (Postfix) with ESMTP id B29D921F8EDE for <jose@ietf.org>; Tue, 19 Mar 2013 09:33:05 -0700 (PDT)
Received: from BY2FFO11FD014.protection.gbl (10.1.15.201) by BY2FFO11HUB022.protection.gbl (10.1.14.109) with Microsoft SMTP Server (TLS) id 15.0.641.9; Tue, 19 Mar 2013 16:33:02 +0000
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD014.mail.protection.outlook.com (10.1.14.76) with Microsoft SMTP Server (TLS) id 15.0.641.9 via Frontend Transport; Tue, 19 Mar 2013 16:33:02 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.224]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.02.0318.003; Tue, 19 Mar 2013 16:32:34 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Richard Barnes' <rlb@ipv.sx>
Thread-Topic: [jose] #14: Support longer wrapped keys than OAEP allows
Thread-Index: Ac4kUSSp0CdJ4UeFJ0WR/FqpfMVesAAY5sWAAAJ8CmA=
Date: Tue, 19 Mar 2013 16:32:34 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394367561F27@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436755CB51@TK5EX14MBXC283.redmond.corp.microsoft.com> <006301ce24b4$c765e4e0$5631aea0$@augustcellars.com>
In-Reply-To: <006301ce24b4$c765e4e0$5631aea0$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.72]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394367561F27TK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(199002)(189002)(53806001)(69226001)(47976001)(55846006)(63696002)(33656001)(16406001)(46102001)(65816001)(56816002)(512874001)(47446002)(77982001)(66066001)(50986001)(54356001)(54316002)(51856001)(20776003)(76482001)(47736001)(74662001)(49866001)(44976002)(4396001)(59766001)(74502001)(56776001)(80022001)(79102001)(31966008)(148743001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB022; H:TK5EX14MLTC104.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0790FB1F33
Cc: 'James H Manger' <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 16:33:10 -0000
I completely agree that documenting the engineering tradeoffs is in scope and a worthwhile exercise. The point of my message was simply that we needn’t “accept the goal that there should be one way of encrypting keys” without doing this analysis.
I think Matt Miller had it right when he wrote this morning “Personally, I don't think it's worth discussing this much further without a more complete counter-proposal on the table”. Should a concrete counter-proposal to Matt’s draft be written, at that point we could have a much more concrete discussion.
Cheers,
-- Mike
From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Tuesday, March 19, 2013 8:17 AM
To: Mike Jones; 'Richard Barnes'
Cc: 'James H Manger'; jose@ietf.org
Subject: RE: [jose] #14: Support longer wrapped keys than OAEP allows
<personal>
The issue has been raised for discussion. I do not believe that documenting what the extents of the issue are is out of scope of any and all follow on discussion. Until that has been done it is not possible to talk about what the costs and benefits are. If you have a full set of costs and benefits that would be an interesting message to see.
From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Monday, March 18, 2013 8:24 PM
To: Jim Schaad; Richard Barnes
Cc: James H Manger; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] #14: Support longer wrapped keys than OAEP allows
Since you message appears to take it as given that “there should be only one way of encrypting keys”, I’ll point out that I don’t think that it’s reasonable to assume that. JOSE is first and foremost an engineering exercise, where the cost/benefit generality/complexity tradeoffs matter, and the goal is a ubiquitously implemented crypto format for the Web that solves the problems that people actually have, rather than a mathematical exercise, where the goal is completeness and generality. Complexity is the enemy of adoption.
So it’s fair game to ask “What are the costs and benefits of having only one way to encrypt keys”, versus taking that as a given.
I happen to personally believe that encrypting a bare symmetric ephemeral Content Master Key is sufficiently different than encrypting a key that may be public, private, or symmetric and may have additional attributes, that it’s at least worth asking the engineering question whether special-casing the encryption of this bare symmetric ephemeral key results in engineering benefits.
Encrypting a key with attributes for storage or dissemination is not the same kind of operation as wrapping an ephemeral symmetric key to be used for block encryption. I’m personally fine with this being done differently. The engineering benefit if we do it differently in the way that Matt’s draft proposed, at least as I see it, is that we have to invent nothing new. We already have a great format for encrypting arbitrary data, and keys with attributes are a whole lot like arbitrary data.
I respect that some with disagree with my personal view, but I’d also ask you to respect that the engineering tradeoffs may favor having two ways to do things that on the surface may seem similar, but are actually fairly different in nature.
Best wishes,
-- Mike
From: Richard Barnes
Sent: March 18, 2013 7:36 PM
To: Jim Schaad
CC: Manger, James H, jose@ietf.org<mailto:jose@ietf.org>
Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows
Well, I got to 788 by doing math incorrectly*.
Mike was correct on the other thread that 768 is the right number. However, that's still too big for a 1024-bit RSA key and SHA1, since 768 + 320 = 1088 > 1024.
Regardless, there is clearly an issue here when wrapping a JWK, which is much larger, possibly containing an RSA key itself. So if we accept the goal that there should be one way of encrypting keys, then we'll need to deal with getting around the OAEP size limitations.
--Richard
* This is why my degree is in mathematics, and not accounting.
On Mon, Mar 18, 2013 at 8:40 PM, Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>> wrote:
Think in terms of encrypting a JWK directly not an intermediate key.
> -----Original Message-----
> From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org<mailto:jose-bounces@ietf.org>] On Behalf Of
> Manger, James H
> Sent: Monday, March 18, 2013 5:17 PM
> To: rlb@ipv.sx<mailto:rlb@ipv.sx>; jose@ietf.org<mailto:jose@ietf.org>
> Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows
>
> Richard,
>
> How do you get a 788-bit key length?
>
> draft-mcgrew-aead-aes-cbc-hmac-sha2 defines 5 combinations of AES-
> 128/192/256 and SHA-1/256/384/512. The total key lengths range from 256
> bits to 512 bits.
>
> Keys for two of the algorithms (AEAD_AES_128_CBC_HMAC_SHA_256 and
> AEAD_AES_128_CBC_HMAC_SHA1) fit within OAEP with a 1024-bit RSA key.
>
> Keys for all of the algorithms fit within OAEP with a 2048-bit RSA key.
JWA
> already says RSA key sizes MUST be at least 2048 bits.
>
> This already looks sufficient.
>
> --
> James Manger
>
>
> > From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org<mailto:jose-bounces@ietf.org>] On Behalf
> > Of Richard Barnes
> > Sent: Tuesday, 19 March 2013 10:25 AM
> > Subject: [jose] WebCrypto feedback on key wrapping
> >
> > 2. Mark Watson (Netflix) noted that if we use RSA directly to encrypt
wrapped
> key objects, then we would need something other than OAEP in order to
carry
> arbitrary-length payloads. I agreed, and suggested that something like
RSA-
> KEM would be necessary. Ryan Sleevi (Google) and Vijay observed that KEM
is
> troublesome due to the lack of support by native crypto libraries.
> >
> > Point number 2 likely applies for some scenarios of JWE, especially if
we
> adopt the McGrew approach. For example, if using HMAC-SHA1 and AES with
> a 256-bit key, the total key length is 788 bits, which is too long to be
encrypted
> with OAEP under a 1,024-bit RSA key. I'm not sure how to resolve it. The
best
> idea I've got is to allow wrapped keys to nest, so that you can wrap a key
inside
> of another wrapped key.
> >
> > --Richard
>
>
> >> ----------
> >> Sent: Tuesday, 19 March 2013 10:23 AM
> >> Subject: [jose] #14: Support longer wrapped keys than OAEP allows
> >>
> >> #14: Support longer wrapped keys than OAEP allows
> >>
> >> The use of RSA-OAEP for key wrapping imposes a limit on the length
> >> of the key package being wrapped. With SHA1, this length is N-320,
> >> where N is the length of the RSA modulus. Especially with larger
> >> hash functions, and especially for wrapping private keys, the size
> >> of key packages will be larger than this bound. We should
> >> incorporate a mechanism to accommodate these situations.
> >>
> >>
> >> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/14>
> _______________________________________________
> jose mailing list
> jose@ietf.org<mailto:jose@ietf.org>
> https://www.ietf.org/mailman/listinfo/jose
- [jose] #14: Support longer wrapped keys than OAEP… jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … Manger, James H
- Re: [jose] #14: Support longer wrapped keys than … Jim Schaad
- Re: [jose] #14: Support longer wrapped keys than … Richard Barnes
- Re: [jose] #14: Support longer wrapped keys than … Manger, James H
- Re: [jose] #14: Support longer wrapped keys than … Mike Jones
- Re: [jose] #14: Support longer wrapped keys than … Richard Barnes
- Re: [jose] #14: Support longer wrapped keys than … Matt Miller (mamille2)
- Re: [jose] #14: Support longer wrapped keys than … Jim Schaad
- Re: [jose] #14: Support longer wrapped keys than … Mike Jones
- Re: [jose] #14: Support longer wrapped keys than … Axel Nennker
- Re: [jose] #14: Support longer wrapped keys than … Axel Nennker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker