Re: [jose] #14: Support longer wrapped keys than OAEP allows
Axel Nennker <ignisvulpis@gmail.com> Fri, 22 March 2013 21:50 UTC
Return-Path: <ignisvulpis@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7EE021F8BA1 for <jose@ietfa.amsl.com>; Fri, 22 Mar 2013 14:50:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wa0MLXXqy8W2 for <jose@ietfa.amsl.com>; Fri, 22 Mar 2013 14:50:32 -0700 (PDT)
Received: from mail-vb0-x22b.google.com (mail-vb0-x22b.google.com [IPv6:2607:f8b0:400c:c02::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 7BE6F21F8CE0 for <jose@ietf.org>; Fri, 22 Mar 2013 14:50:28 -0700 (PDT)
Received: by mail-vb0-f43.google.com with SMTP id fs19so2896314vbb.30 for <jose@ietf.org>; Fri, 22 Mar 2013 14:50:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=5vtON1Yg1SX3zXANHxftrYS97M4jHw42pkKuQBO+YsY=; b=poT39D3MIkQjwsAD7ah4fFpsLyEx8xh0OEb8AVTWVwuekbxE8ebQD3H1Bq+ZccqYEm 0RZuR5Fat7CpohDlN68AdpswVaFzOIWt+fBbvKGSf/TIg3faFW+C+19d/bgQLjgMkIv+ R7d1/ODZmPZUHRV9jOgvQxellzkrUtE1DikjvIeLDlO6r+ROqSr7TTqrtwnK5utuBt+s 9aFCvg8Ts/4/N1sqialB0VXnJ2MUsbU9y2+0ize7qRPn0Kd4OpgyALNOoLmtHP52Qttl L9X53HYZrXnB/zyOw+xBxhC7/sATvUXtHdPyPCXprzioF7hOGX1lB6jbSI7eD/MlM5An 6/Kg==
MIME-Version: 1.0
X-Received: by 10.52.73.73 with SMTP id j9mr3687235vdv.124.1363989027921; Fri, 22 Mar 2013 14:50:27 -0700 (PDT)
Received: by 10.220.112.198 with HTTP; Fri, 22 Mar 2013 14:50:27 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B168042967394367561F27@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436755CB51@TK5EX14MBXC283.redmond.corp.microsoft.com> <006301ce24b4$c765e4e0$5631aea0$@augustcellars.com> <4E1F6AAD24975D4BA5B168042967394367561F27@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Fri, 22 Mar 2013 22:50:27 +0100
Message-ID: <CAHcDwFxVMGW+ePco45sVjTsmFnoevdqjMYZT4-BZUbZrNiudtQ@mail.gmail.com>
From: Axel Nennker <ignisvulpis@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="bcaec501c5bc7ca8b604d88a71d9"
Cc: Richard Barnes <rlb@ipv.sx>, Jim Schaad <ietf@augustcellars.com>, James H Manger <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2013 21:50:33 -0000
+1 2013/3/19 Mike Jones <Michael.Jones@microsoft.com> > I completely agree that documenting the engineering tradeoffs is in > scope and a worthwhile exercise. The point of my message was simply that > we needn’t “accept the goal that there should be one way of encrypting > keys” without doing this analysis.**** > > ** ** > > I think Matt Miller had it right when he wrote this morning “Personally, > I don't think it's worth discussing this much further without a more > complete counter-proposal on the table”. Should a concrete > counter-proposal to Matt’s draft be written, at that point we could have a > much more concrete discussion.**** > > ** ** > > Cheers,*** > * > > -- Mike*** > * > > ** ** > > *From:* Jim Schaad [mailto:ietf@augustcellars.com] > *Sent:* Tuesday, March 19, 2013 8:17 AM > *To:* Mike Jones; 'Richard Barnes' > > *Cc:* 'James H Manger'; jose@ietf.org > *Subject:* RE: [jose] #14: Support longer wrapped keys than OAEP allows*** > * > > ** ** > > <personal>**** > > ** ** > > The issue has been raised for discussion. I do not believe that > documenting what the extents of the issue are is out of scope of any and > all follow on discussion. Until that has been done it is not possible to > talk about what the costs and benefits are. If you have a full set of > costs and benefits that would be an interesting message to see.**** > > ** ** > > *From:* Mike Jones [mailto:Michael.Jones@microsoft.com<Michael.Jones@microsoft.com>] > > *Sent:* Monday, March 18, 2013 8:24 PM > *To:* Jim Schaad; Richard Barnes > *Cc:* James H Manger; jose@ietf.org > *Subject:* RE: [jose] #14: Support longer wrapped keys than OAEP allows*** > * > > ** ** > > Since you message appears to take it as given that “there should be only > one way of encrypting keys”, I’ll point out that I don’t think that it’s > reasonable to assume that. JOSE is first and foremost an engineering > exercise, where the cost/benefit generality/complexity tradeoffs matter, > and the goal is a ubiquitously implemented crypto format for the Web that > solves the problems that people actually have, rather than a mathematical > exercise, where the goal is completeness and generality. Complexity is the > enemy of adoption.**** > > **** > > So it’s fair game to ask “What are the costs and benefits of having only > one way to encrypt keys”, versus taking that as a given.**** > > **** > > I happen to personally believe that encrypting a bare symmetric > ephemeral Content Master Key is sufficiently different than encrypting a > key that may be public, private, or symmetric and may have additional > attributes, that it’s at least worth asking the engineering question > whether special-casing the encryption of this bare symmetric ephemeral key > results in engineering benefits.**** > > **** > > Encrypting a key with attributes for storage or dissemination is not the > same kind of operation as wrapping an ephemeral symmetric key to be used > for block encryption. I’m personally fine with this being done > differently. The engineering benefit if we do it differently in the way > that Matt’s draft proposed, at least as I see it, is that we have to invent > nothing new. We already have a great format for encrypting arbitrary data, > and keys with attributes are a whole lot like arbitrary data.**** > > **** > > I respect that some with disagree with my personal view, but I’d also ask > you to respect that the engineering tradeoffs may favor having two ways to > do things that on the surface may seem similar, but are actually fairly > different in nature.**** > > **** > > Best wishes,**** > > -- Mike**** > > **** > > *From:* Richard Barnes > *Sent:* March 18, 2013 7:36 PM > *To:* Jim Schaad > *CC:* Manger, James H, jose@ietf.org > *Subject:* Re: [jose] #14: Support longer wrapped keys than OAEP allows*** > * > > **** > > Well, I got to 788 by doing math incorrectly*. **** > > ** ** > > Mike was correct on the other thread that 768 is the right number. > However, that's still too big for a 1024-bit RSA key and SHA1, since 768 + > 320 = 1088 > 1024. **** > > ** ** > > Regardless, there is clearly an issue here when wrapping a JWK, which is > much larger, possibly containing an RSA key itself. So if we accept the > goal that there should be one way of encrypting keys, then we'll need to > deal with getting around the OAEP size limitations.**** > > ** ** > > --Richard > > * This is why my degree is in mathematics, and not accounting.**** > > On Mon, Mar 18, 2013 at 8:40 PM, Jim Schaad <ietf@augustcellars.com> > wrote:**** > > Think in terms of encrypting a JWK directly not an intermediate key.**** > > > > -----Original Message----- > > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of* > *** > > > Manger, James H > > Sent: Monday, March 18, 2013 5:17 PM > > To: rlb@ipv.sx; jose@ietf.org > > Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows > > > > Richard, > > > > How do you get a 788-bit key length? > > > > draft-mcgrew-aead-aes-cbc-hmac-sha2 defines 5 combinations of AES- > > 128/192/256 and SHA-1/256/384/512. The total key lengths range from 256 > > bits to 512 bits. > > > > Keys for two of the algorithms (AEAD_AES_128_CBC_HMAC_SHA_256 and > > AEAD_AES_128_CBC_HMAC_SHA1) fit within OAEP with a 1024-bit RSA key. > > > > Keys for all of the algorithms fit within OAEP with a 2048-bit RSA key. > JWA > > already says RSA key sizes MUST be at least 2048 bits. > > > > This already looks sufficient. > > > > -- > > James Manger > > > > > > > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf > > > Of Richard Barnes > > > Sent: Tuesday, 19 March 2013 10:25 AM > > > Subject: [jose] WebCrypto feedback on key wrapping > > > > > > 2. Mark Watson (Netflix) noted that if we use RSA directly to encrypt > wrapped > > key objects, then we would need something other than OAEP in order to > carry > > arbitrary-length payloads. I agreed, and suggested that something like > RSA- > > KEM would be necessary. Ryan Sleevi (Google) and Vijay observed that KEM > is > > troublesome due to the lack of support by native crypto libraries. > > > > > > Point number 2 likely applies for some scenarios of JWE, especially if > we > > adopt the McGrew approach. For example, if using HMAC-SHA1 and AES with > > a 256-bit key, the total key length is 788 bits, which is too long to be > encrypted > > with OAEP under a 1,024-bit RSA key. I'm not sure how to resolve it. > The > best > > idea I've got is to allow wrapped keys to nest, so that you can wrap a > key > inside > > of another wrapped key. > > > > > > --Richard > > > > > > >> ---------- > > >> Sent: Tuesday, 19 March 2013 10:23 AM > > >> Subject: [jose] #14: Support longer wrapped keys than OAEP allows > > >> > > >> #14: Support longer wrapped keys than OAEP allows > > >> > > >> The use of RSA-OAEP for key wrapping imposes a limit on the length > > >> of the key package being wrapped. With SHA1, this length is N-320, > > >> where N is the length of the RSA modulus. Especially with larger > > >> hash functions, and especially for wrapping private keys, the size > > >> of key packages will be larger than this bound. We should > > >> incorporate a mechanism to accommodate these situations. > > >> > > >> > > >> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/14>**** > > > _______________________________________________ > > jose mailing list > > jose@ietf.org > > https://www.ietf.org/mailman/listinfo/jose**** > > ** ** > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > >
- [jose] #14: Support longer wrapped keys than OAEP… jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … Manger, James H
- Re: [jose] #14: Support longer wrapped keys than … Jim Schaad
- Re: [jose] #14: Support longer wrapped keys than … Richard Barnes
- Re: [jose] #14: Support longer wrapped keys than … Manger, James H
- Re: [jose] #14: Support longer wrapped keys than … Mike Jones
- Re: [jose] #14: Support longer wrapped keys than … Richard Barnes
- Re: [jose] #14: Support longer wrapped keys than … Matt Miller (mamille2)
- Re: [jose] #14: Support longer wrapped keys than … Jim Schaad
- Re: [jose] #14: Support longer wrapped keys than … Mike Jones
- Re: [jose] #14: Support longer wrapped keys than … Axel Nennker
- Re: [jose] #14: Support longer wrapped keys than … Axel Nennker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker
- Re: [jose] #14: Support longer wrapped keys than … jose issue tracker