Re: [jose] #14: Support longer wrapped keys than OAEP allows
Richard Barnes <rlb@ipv.sx> Tue, 19 March 2013 02:35 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5D8B21F856D for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 19:35:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QYJNPis4Cy+s for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 19:35:49 -0700 (PDT)
Received: from mail-oa0-f53.google.com (mail-oa0-f53.google.com [209.85.219.53]) by ietfa.amsl.com (Postfix) with ESMTP id 7BE5221F8521 for <jose@ietf.org>; Mon, 18 Mar 2013 19:35:39 -0700 (PDT)
Received: by mail-oa0-f53.google.com with SMTP id m1so6445282oag.12 for <jose@ietf.org>; Mon, 18 Mar 2013 19:35:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=OMY6J7wtOkVFVoZxr+SVwjvRkP11HRrm8QX63da9Cwc=; b=KOL1qwKZa8VPdmlzVLwV6KAgBFpfX6AG39/TT5L4BSfaUPcLzsVclxdMO39O1vOdPP bIZluj34N2mYcp6CA0lussKcTNQ1eIUEmW9JeArX1wk6n4QV8mtl9PO8feGgZ6utQQtO TChuxnZNSdQgC+IAGGNTzOnB26Y4ChdMN83cEjQMde+im/VBodokhv5r2SbDnvm0ANIa ZUQBK7j65ze0XA1wgMPMtMkY+PcTwDaFxRBfh6pYoED2aozmP/U8F3F4d7VCC53o/j+6 eGQfWIoVfTJj3UQNQkvy3KXoddh0Sdsg6DRdXA/yosH8nvSGjCu0gYxxdFAGADYpH+7P VnlA==
MIME-Version: 1.0
X-Received: by 10.182.8.70 with SMTP id p6mr177076oba.90.1363660539070; Mon, 18 Mar 2013 19:35:39 -0700 (PDT)
Received: by 10.60.40.233 with HTTP; Mon, 18 Mar 2013 19:35:38 -0700 (PDT)
X-Originating-IP: [128.89.254.222]
In-Reply-To: <096c01ce243a$4b22fb90$e168f2b0$@augustcellars.com>
References: <049.a881241698112408b4f26b7cfb4b9103@trac.tools.ietf.org> <255B9BB34FB7D647A506DC292726F6E1150BAAC4D8@WSMSG3153V.srv.dir.telstra.com> <096c01ce243a$4b22fb90$e168f2b0$@augustcellars.com>
Date: Mon, 18 Mar 2013 22:35:38 -0400
Message-ID: <CAL02cgT9x-Vsfd0=_Tmxcxo=04-oNF5-xTLeeRKHsiBFcMGftQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Jim Schaad <ietf@augustcellars.com>
Content-Type: multipart/alternative; boundary="f46d0444ea4106edd004d83df627"
X-Gm-Message-State: ALoCoQm3dWQcomtCqKhPgzc4BUOUZ/RQRsQd6lu9x7R8ZdEsjZHtANjs+Tdy0t+gDkqIaUz97QSo
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, jose@ietf.org
Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 02:35:50 -0000
Well, I got to 788 by doing math incorrectly*. Mike was correct on the other thread that 768 is the right number. However, that's still too big for a 1024-bit RSA key and SHA1, since 768 + 320 = 1088 > 1024. Regardless, there is clearly an issue here when wrapping a JWK, which is much larger, possibly containing an RSA key itself. So if we accept the goal that there should be one way of encrypting keys, then we'll need to deal with getting around the OAEP size limitations. --Richard * This is why my degree is in mathematics, and not accounting. On Mon, Mar 18, 2013 at 8:40 PM, Jim Schaad <ietf@augustcellars.com> wrote: > Think in terms of encrypting a JWK directly not an intermediate key. > > > -----Original Message----- > > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of > > Manger, James H > > Sent: Monday, March 18, 2013 5:17 PM > > To: rlb@ipv.sx; jose@ietf.org > > Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows > > > > Richard, > > > > How do you get a 788-bit key length? > > > > draft-mcgrew-aead-aes-cbc-hmac-sha2 defines 5 combinations of AES- > > 128/192/256 and SHA-1/256/384/512. The total key lengths range from 256 > > bits to 512 bits. > > > > Keys for two of the algorithms (AEAD_AES_128_CBC_HMAC_SHA_256 and > > AEAD_AES_128_CBC_HMAC_SHA1) fit within OAEP with a 1024-bit RSA key. > > > > Keys for all of the algorithms fit within OAEP with a 2048-bit RSA key. > JWA > > already says RSA key sizes MUST be at least 2048 bits. > > > > This already looks sufficient. > > > > -- > > James Manger > > > > > > > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf > > > Of Richard Barnes > > > Sent: Tuesday, 19 March 2013 10:25 AM > > > Subject: [jose] WebCrypto feedback on key wrapping > > > > > > 2. Mark Watson (Netflix) noted that if we use RSA directly to encrypt > wrapped > > key objects, then we would need something other than OAEP in order to > carry > > arbitrary-length payloads. I agreed, and suggested that something like > RSA- > > KEM would be necessary. Ryan Sleevi (Google) and Vijay observed that KEM > is > > troublesome due to the lack of support by native crypto libraries. > > > > > > Point number 2 likely applies for some scenarios of JWE, especially if > we > > adopt the McGrew approach. For example, if using HMAC-SHA1 and AES with > > a 256-bit key, the total key length is 788 bits, which is too long to be > encrypted > > with OAEP under a 1,024-bit RSA key. I'm not sure how to resolve it. > The > best > > idea I've got is to allow wrapped keys to nest, so that you can wrap a > key > inside > > of another wrapped key. > > > > > > --Richard > > > > > > >> ---------- > > >> Sent: Tuesday, 19 March 2013 10:23 AM > > >> Subject: [jose] #14: Support longer wrapped keys than OAEP allows > > >> > > >> #14: Support longer wrapped keys than OAEP allows > > >> > > >> The use of RSA-OAEP for key wrapping imposes a limit on the length > > >> of the key package being wrapped. With SHA1, this length is N-320, > > >> where N is the length of the RSA modulus. Especially with larger > > >> hash functions, and especially for wrapping private keys, the size > > >> of key packages will be larger than this bound. We should > > >> incorporate a mechanism to accommodate these situations. > > >> > > >> > > >> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/14> > > _______________________________________________ > > jose mailing list > > jose@ietf.org > > https://www.ietf.org/mailman/listinfo/jose > >
- [jose] #14: Support longer wrapped keys than OAEP… jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … Manger, James H
- Re: [jose] #14: Support longer wrapped keys than … Jim Schaad
- Re: [jose] #14: Support longer wrapped keys than … Richard Barnes
- Re: [jose] #14: Support longer wrapped keys than … Manger, James H
- Re: [jose] #14: Support longer wrapped keys than … Mike Jones
- Re: [jose] #14: Support longer wrapped keys than … Richard Barnes
- Re: [jose] #14: Support longer wrapped keys than … Matt Miller (mamille2)
- Re: [jose] #14: Support longer wrapped keys than … Jim Schaad
- Re: [jose] #14: Support longer wrapped keys than … Mike Jones
- Re: [jose] #14: Support longer wrapped keys than … Axel Nennker
- Re: [jose] #14: Support longer wrapped keys than … Axel Nennker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker