Re: [jose] Draft describing encrypting JWK key representations, with JWE

Mike Jones <Michael.Jones@microsoft.com> Fri, 15 March 2013 16:49 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>
Date: Fri, 15 Mar 2013 16:48:50 +0000
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE

That's up to the working group.  I'm actually hoping that experts on the lists will respond to Yaron's comments before we make a decision on whether PBKDF2 as specified is an appropriate key wrapping algorithm or not.

Assuming that the content in Matt's draft eventually becomes an RFC or part of one, the PBKDF2 definition would end up in the algorithms registry either way, even if it's not part of the JWA spec itself.

                                                            Cheers,
                                                            -- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Friday, March 15, 2013 9:43 AM
To: Mike Jones
Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE

So, Mike, would you be OK with adding PBE to JWE / JWA, as a new key wrapping algorithm?

--Richard



On Fri, Mar 15, 2013 at 12:14 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
[Adding JOSE mailing list to the thread]

For clarification, PBKDF2 is not the only algorithm that could be used to wrap keys in this scheme.  This draft *adds* PBKDF2 to the set of algorithms already specified for use with encryption in the JSON Web Algorithms (JWA) specification (http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08).  In particular, other algorithms such as AES Key Wrap and AES GCM are also present there.

I'll let others who are experts in PBKDF2 and password-based encryption respond to Yaron's specific comment.

                                -- Mike

-----Original Message-----
From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
Sent: Friday, March 15, 2013 8:16 AM
To: cfrg@irtf.org; Mike Jones
Subject: Re: Draft describing encrypting JWK key representations, with JWE

Hi Mike,

I'm probably missing something, but I'm worried about the security of this scheme (though I do appreciate the usability/convenience of passwords).

PBKDF2 is meant to make dictionary attacks on stored passwords harder, as a second line of defense, once the server has been breached. Using it to encrypt data and then sending the data on the wire makes the data vulnerable to this same dictionary attack (in this case the effort comes to the space of all possible passwords - say 1 million - times 1000).
Moreover, this also puts the password itself in danger.

Thanks,
        Yaron

> Date: Fri, 15 Mar 2013 14:10:32 +0000
> From: Mike Jones <Michael.Jones@microsoft.com>
> To: "cfrg@irtf.org" <cfrg@irtf.org>
> Subject: [Cfrg] Draft describing encrypting JWK key representations with JWE
>
> http://tools.ietf.org/html/draft-miller-jose-jwe-protected-jwk-01
>
> This also adds password-based encryption to the algorithm registry.
>
>                                                              -- Mike