Re: [jose] FW: FW: Issue #54, #55, #141

Mike Jones <Michael.Jones@microsoft.com> Mon, 28 October 2013 19:19 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB54421E805D for <jose@ietfa.amsl.com>; Mon, 28 Oct 2013 12:19:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.198
X-Spam-Level:
X-Spam-Status: No, score=-3.198 tagged_above=-999 required=5 tests=[AWL=-0.200, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_56=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qw0N1o45vjZN for <jose@ietfa.amsl.com>; Mon, 28 Oct 2013 12:19:41 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0211.outbound.protection.outlook.com [207.46.163.211]) by ietfa.amsl.com (Postfix) with ESMTP id 4439D21E80C1 for <jose@ietf.org>; Mon, 28 Oct 2013 12:19:37 -0700 (PDT)
Received: from DM2PR03CA009.namprd03.prod.outlook.com (10.141.52.157) by BN1PR03MB234.namprd03.prod.outlook.com (10.255.200.19) with Microsoft SMTP Server (TLS) id 15.0.800.7; Mon, 28 Oct 2013 19:19:33 +0000
Received: from BN1BFFO11FD021.protection.gbl (2a01:111:f400:7c10::196) by DM2PR03CA009.outlook.office365.com (2a01:111:e400:2414::29) with Microsoft SMTP Server (TLS) id 15.0.800.7 via Frontend Transport; Mon, 28 Oct 2013 19:19:33 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD021.mail.protection.outlook.com (10.58.53.81) with Microsoft SMTP Server (TLS) id 15.0.805.12 via Frontend Transport; Mon, 28 Oct 2013 19:19:32 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.212]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.03.0158.002; Mon, 28 Oct 2013 19:18:47 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] FW: FW: Issue #54, #55, #141
Thread-Index: AQHO0qVkXZwwZ3JR7USKiKuYpfsYwpoKffWA
Date: Mon, 28 Oct 2013 19:18:46 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394377E209BD@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <037701cec3b9$6a9419e0$3fbc4da0$@augustcellars.com> <001301ced2a5$18db8700$4a929500$@augustcellars.com>
In-Reply-To: <001301ced2a5$18db8700$4a929500$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.78]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394377E209BDTK5EX14MBXC286r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(5383001)(189002)(199002)(377454003)(15975445006)(4396001)(50986001)(85806002)(6806004)(77096001)(76796001)(83322001)(19580405001)(80976001)(46102001)(51856001)(84326002)(19580395003)(44976005)(85306002)(54356001)(49866001)(53806001)(512954002)(19300405004)(74876001)(87266001)(83072001)(74706001)(81686001)(16236675002)(81816001)(47976001)(47736001)(74366001)(33656001)(56816003)(20776003)(54316002)(80022001)(63696002)(31966008)(71186001)(56776001)(59766001)(74502001)(79102001)(66066001)(47446002)(77982001)(81342001)(76786001)(76482001)(55846006)(65816001)(74662001)(81542001)(15202345003)(69226001); DIR:OUT; SFP:; SCL:1; SRVR:BN1PR03MB234; H:mail.microsoft.com; CLIP:131.107.125.37; FPR:; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0013079544
X-OriginatorOrg: microsoft.com
Subject: Re: [jose] FW: FW: Issue #54, #55, #141
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Oct 2013 19:19:47 -0000

#54:  Richard had agreed to close this as "wontfix" and this was confirmed on the last call.  Please close this one.

#55:  The working group text discussed on the list has been incorporated in the drafts.  Please close this one as "fixed".

#151:  Per our discussion during our last meeting in my office, our use of Concat is specific to ECDH key agreement - and not intended to general-purpose.  Concat is already described in a general-purpose way in NIST 800-56A so we don't need to repeat that description in JWA.  Given that the technical issue of giving the algorithm name a length prefix has been addressed, I believe that it's time to close this one as "fixed" (which I think you agreed to do in my office, after the length prefix was added).

There is also already text saying how to achieve the same effect as RFC 2631 in a note.  Thus, I believe that all these issues have already been addressed.

                                                                -- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad
Sent: Saturday, October 26, 2013 4:43 PM
To: jose@ietf.org
Subject: [jose] FW: FW: Issue #54, #55, #141

I have not seen comments on this

From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad
Sent: Monday, October 07, 2013 5:01 PM
To: jose@ietf.org<mailto:jose@ietf.org>
Subject: [jose] FW: Issue #54, #55, #141



From: Jim Schaad [mailto:ietf@augutscellars.com]
Sent: Tuesday, October 01, 2013 3:41 PM
To: jose@ietf.org<mailto:jose@ietf.org>
Subject: Issue #54, #55, #141

There are four issues that need to be addressed with respect to the concat section of the JWA draft.  There is some agreement for these issues but I am not totally happy with what is being done here and would like to see some changes.  This message describes the changes that I would like to see.

The current set of open issues in the tracker are:

Issue #54 - epk/apu/apv need to be REQUIRED
Issue #55 - Mandatory entropy in ECC KDF inputs
Issue #151 - Section 4.7.2 Concat should have its own section
No Tracker Item - The concat usage should be consistent with that of the CMS DH document RFC 2631


I don't like the current text which says that the partyU name can be either a name or a nonce value.  While it is true that both are not needed for the ES version of the key derivation function, this will not be the case for a SS version of using concat.  I would like to make sure that this is a doable thing without having to do massive re-writes.  I therefore propose the following changes:

Add a new section

4.7.1.4 "nonce" Header Parameter

The "nonce" value for a key derivation algorithm.  This parameter is REQUIRED to be used when a static-static key agreement method is used and MAY be used for other key agreement methods.  The value MUST be generated freshly for each key derivation done.  The member value contains the base64 encoded nonce value.  The length of the nonce value needs to be sufficient that it will not be duplicated for the pair of keys being used.  If the uniqueness is generated pseudo-randomly, then it should be a minimum of 512 bits long.

Change the way that PartyUInfo is defined in section 4.7.2 as follows:

PartyUInfo  The PartyUInfo value consists of the partyU name and, when present, the nonce field.  Both fields are encoded as Datalen || Data, where Datalen is a 32 bit value containing the size of the field in bits as a big-endian integer and Data is the value of the field.

      PartyUInfo = I4(partyU name.length) || partyU name
      If nonce.length > 0 then PartyUInfo = PartyUInfo || I4(nonce.length) || nonce


Replace the last paragraph with



The "apu" and "apv" parameters MUST contain distinct values so that the same key would not be generated if the KDF is done for the opposite direction.  Applications can change the default values for these parameters in order to make the keys generated for that application different from other applications.



My reading of the NIST document which we are using for concat says that the partyU name and partyV names are required to be defined, however they can be defined by the protocol and not by the actual parties themselves.  This means that it is possible that the parameters can have values, without them being transmitted as part of the message.  In fact they should be removable by the application and not transmitted.  I don't know that we need to make that an explicit statement in the text or not.  (I have chosen not to do so in this change, but it can be discussed.) Based on this understanding I would like to modify the text in the following ways.


Change the way that PartyUInfo and partyVInfo are defined in section 4.7.2 as follows:

Old:

If an "apu" (agreement PartyUInfo) header
      parameter is present, Data is set to the result of base64url
      decoding the "apu" value and Datalen is set to the number of
      octets in Data.  Otherwise, the Datalen is set to 6 and Data is set to the UTF-8 encoded string "Sender".

For apv replace "Sender" with "Recipient"



In order that the concat description be available for other key agreement algorithms (i.e. ES-DH or SS-ECDH) I really would like to see it described as a separate algorithm that is then referred to from the ES-ECDH algorithm description.  This means that apu, apv and nonce would be defined as being CONCAT parameters and not be defined as ES-ECDH parameters.   This can be discussed and I can provide the alternate text if it makes sense to do so.

Jim