Re: [jose] encrypting AND signing a token
<Axel.Nennker@telekom.de> Tue, 06 November 2012 15:02 UTC
Return-Path: <Axel.Nennker@telekom.de>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E269E21F898F for <jose@ietfa.amsl.com>; Tue, 6 Nov 2012 07:02:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.699
X-Spam-Level:
X-Spam-Status: No, score=-4.699 tagged_above=-999 required=5 tests=[AWL=-0.050, BAYES_00=-2.599, GB_I_LETTER=-2, HELO_EQ_DE=0.35, J_CHICKENPOX_47=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pcF2Use5L+gG for <jose@ietfa.amsl.com>; Tue, 6 Nov 2012 07:02:06 -0800 (PST)
Received: from tcmail23.telekom.de (tcmail23.telekom.de [80.149.113.243]) by ietfa.amsl.com (Postfix) with ESMTP id D2CAA21F8A46 for <jose@ietf.org>; Tue, 6 Nov 2012 07:02:05 -0800 (PST)
Received: from he111296.emea1.cds.t-internal.com ([10.125.90.14]) by tcmail21.telekom.de with ESMTP; 05 Nov 2012 15:31:41 +0100
Received: from HE111541.emea1.cds.t-internal.com ([10.125.90.94]) by HE111296.EMEA1.CDS.T-INTERNAL.COM ([fe80::19ac:3fb4:a382:6df4%16]) with mapi; Mon, 5 Nov 2012 15:31:41 +0100
From: Axel.Nennker@telekom.de
To: jose@ietf.org
Date: Mon, 05 Nov 2012 15:31:40 +0100
Thread-Topic: [jose] encrypting AND signing a token
Thread-Index: AQHNuQ3KoFNZ2fysZU+2R3+vnzYsspfWsFUAgAAMIoCAA0SWgIAAGaMAgAAPmoCAAAkkIIAA14lg
Message-ID: <CE8995AB5D178F44A2154F5C9A97CAF4025219B0512B@HE111541.emea1.cds.t-internal.com>
References: <4ACFC778-31A9-4C79-9F4E-7C01719F51AD@gmail.com> <4E1F6AAD24975D4BA5B168042967394366887325@TK5EX14MBXC285.redmond.corp.microsoft.com> <E73A223A-6546-4A3A-A839-8627B3DBCB8F@gmail.com> <000b01cdbab9$967ef070$c37cd150$@augustcellars.com> <210E03E3-FD49-449A-8953-571ECA9E5FBE@gmail.com>, <001101cdbace$34906500$9db12f00$@augustcellars.com> <0C8F9A45306BD9499EAD612A10CFF8942BE45035@AMXPRD0310MB353.eurprd03.prod.outlook.com>
In-Reply-To: <0C8F9A45306BD9499EAD612A10CFF8942BE45035@AMXPRD0310MB353.eurprd03.prod.outlook.com>
Accept-Language: de-DE
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: de-DE
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [jose] encrypting AND signing a token
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2012 15:02:13 -0000
I think that it is NOT necessary to have ONE crypto op for signing and simultaneous encryption. I think we should define ONE signed and encrypted JWT. As was stated in previous emails: This is a very common use case. If this paper is true http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html then we have these options: 1) naming repair 2) sign/encrypt/sign 3) encrypt/sign/encrypt The naming repair is difficult with JWT because we don't handle sender and recipient names. The other two seem to cost a lot. I guess that in Dick's use case the naming repair will work and I think we should add senderID and recipientID to JWT and make it then mandatory for sign&encrypt. -----Original Message----- From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Scott Sent: Sunday, November 04, 2012 10:27 PM To: jose@ietf.org Subject: Re: [jose] encrypting AND signing a token Signcryption? http://www.signcryption.org/standards/ Mike Scott ________________________________________ From: jose-bounces@ietf.org [jose-bounces@ietf.org] on behalf of Jim Schaad [ietf@augustcellars.com] Sent: 04 November 2012 20:51 To: 'Dick Hardt' Cc: 'Mike Jones'; jose@ietf.org Subject: Re: [jose] encrypting AND signing a token > -----Original Message----- > From: Dick Hardt [mailto:dick.hardt@gmail.com] > Sent: Sunday, November 04, 2012 2:56 PM > To: Jim Schaad > Cc: 'Dick Hardt'; 'Mike Jones'; jose@ietf.org > Subject: Re: [jose] encrypting AND signing a token > > Thanks Jim. An interesting historical reference. > > In my use case, who signed or who the token is for is not a secret. The > payload needs to be kept a secret. > > Does no one sign and encrypt SAML tokens? > Is this not a common use case? Everything I have seen does this as independent operations. Jim > > If it does need to be solved, it would seem to me that a standards body > would be the place to have lots of eyes look at how to sign and encrypt a > token so that people do not do naive sign and encrypt. > > Q: does anyone else need to sign and encrypt? > > -- Dick > > On Nov 4, 2012, at 10:24 AM, "Jim Schaad" <ietf@augustcellars.com> wrote: > > > <personal> > > > > I would note that the original PKCS#7 specifications had a mode that > > provided a similar sign and encrypt as a single operation mode. When > > the > > PKCS#7 specifications where adopted by the IETF as part of the CMS > > work, this mode was discussed and very deliberately dropped because of > > numerous security problems that had been found. These included (but > > are not limited > > to) the fact that it was signed or who signed it was sometimes a > > security leak. Also there were attacks where the signed and encrypted > > mode could be converted to just an encrypted mode. > > > > I would think that there would be a need for a very detailed security > > analysis that we are not prepared to do in order to support a signed > > and encrypted mode. > > > > Jim > > > > > >> -----Original Message----- > >> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf > >> Of Dick Hardt > >> Sent: Friday, November 02, 2012 12:30 PM > >> To: Mike Jones > >> Cc: jose@ietf.org > >> Subject: Re: [jose] encrypting AND signing a token > >> > >> Not only is my original token increasing in size by 4/3, I am also > >> adding another header, payload and signature. > >> > >> One of the objectives of JWT was to enabled compact tokens. It would > >> seem that we should be able to support both signing and encryption of > >> the same token. > >> > >> All the encryption use cases I can think of involving asymmetric keys > > would > >> also require signing with the senders private key. > >> > >> My suggestion is to be explicit in what the algorithm etc. is used for: > >> > >> Rather than "alg" and "enc", we have: > >> > >> "algs" - algorithm for token signing > >> "algk" - algorithm for content management key encryption "alge" - > > algorithm > >> for payload encryption > >> > >> Similiarly, > >> > >> "kids" - key id for signing > >> "kidk" - key id for content managment key encryption > >> > >> We could probably make these three or even two letter codes if you > >> want to save a couple bytes. > >> > >> -- Dick > >> > >> On Nov 2, 2012, at 8:46 AM, Mike Jones <Michael.Jones@microsoft.com> > >> wrote: > >> > >>> The way you put it brings one straightforward solution to mind. > >>> Solve > > 1-3 > >> with a JWE. Solve 4-5 by signing the JWE as a JWS payload. Done. > >>> > >>> I do understand that the 4/3 space blowup-of double base64url > >>> encoding > >> the JWE motivates your earlier proposal about nested signing. (See > >> Dick's > >> 10/29/12 message "[jose] signing an existing JWT".) I also > >> understand > > that if > >> you could do integrity with the asymmetric signature then the > >> integrity provided by the JWE itself may be redundant. I don't have > >> a specific > > proposal > >> on how to do that. > >>> > >>> -- Mike > >>> > >>> -----Original Message----- > >>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf > >>> Of Dick Hardt > >>> Sent: Friday, November 02, 2012 8:22 AM > >>> To: jose@ietf.org > >>> Subject: [jose] encrypting AND signing a token > >>> > >>> I am trying to figure out how to implement JWT/JWS/JWE to solve a > >>> real > >> world problem. > >>> > >>> 1) Bob sends a token to Charlie via Alice. (Alice gets token from > >>> Bob and then Alice gives token to Charlie) > >>> 2) Alice must be prevented from reading the token. (token needs to > >>> be > >>> encrypted) > >>> 3) Bob and Charlie can share a symmetric key. > >>> > >>> I can solve this with JWE. > >>> > >>> Now let's add another condition. > >>> > >>> 4) Charlie wants non-repuditation that Bob created the token. > >>> 5) Bob has a private key and a public key > >>> > >>> I don't see how to do this using JWE. It seems I have to sign the > >>> same > > token > >> I had previously with JWS. This seems inefficient since I should be > >> able > > to > >> replace the JWE integrity computation done with the symmetric key > >> with the private key -- but the "alg" parameter is the same in both > >> encrypting and signing. > >>> > >>> Now let's expand this to replacing the symmetric key with a > > public/private > >> key pair for encryption. Bob encrypts with Charlies public key and > >> signs > > with > >> Bob's private key (we also need to make sure we are not doing naive > >> encryption and signing here, would be a really useful to specify what > > needs > >> to be done there). Now we need to have parameters for both > >> public/private key pairs in the header. > >>> > >>> Am I missing something here? > >>> > >>> Seems like we can do this if we change the header parameters to > >>> specify > > if > >> they ("alg", "kid", et.c) are for token signing, payload encryption > >> or > > content > >> key encryption. > >>> > >>> -- Dick > >>> > >>> > >>> _______________________________________________ > >>> jose mailing list > >>> jose@ietf.org > >>> https://www.ietf.org/mailman/listinfo/jose > >> > >> _______________________________________________ > >> jose mailing list > >> jose@ietf.org > >> https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose
- [jose] encrypting AND signing a token Dick Hardt
- Re: [jose] encrypting AND signing a token Mike Jones
- Re: [jose] encrypting AND signing a token Dick Hardt
- Re: [jose] encrypting AND signing a token Jim Schaad
- Re: [jose] encrypting AND signing a token Dick Hardt
- Re: [jose] encrypting AND signing a token Jim Schaad
- Re: [jose] encrypting AND signing a token Mike Scott
- Re: [jose] encrypting AND signing a token Axel.Nennker
- Re: [jose] encrypting AND signing a token Dick Hardt
- Re: [jose] encrypting AND signing a token Axel.Nennker
- Re: [jose] encrypting AND signing a token Axel.Nennker
- Re: [jose] encrypting AND signing a token John Bradley
- Re: [jose] encrypting AND signing a token John Bradley
- Re: [jose] encrypting AND signing a token Jim Schaad
- Re: [jose] encrypting AND signing a token Richard L. Barnes
- Re: [jose] encrypting AND signing a token John Bradley
- Re: [jose] encrypting AND signing a token John Bradley
- Re: [jose] encrypting AND signing a token Dick Hardt
- Re: [jose] encrypting AND signing a token Dick Hardt