IETF Logo Mail Archive

Re: [jose] #14: Support longer wrapped keys than OAEP allows

"Manger, James H" <James.H.Manger@team.telstra.com> Tue, 19 March 2013 03:23 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54B6221F8613 for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 20:23:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.9
X-Spam-Level:
X-Spam-Status: No, score=-0.9 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9nGWOA7pu2Xj for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 20:23:57 -0700 (PDT)
Received: from ipxavo.tcif.telstra.com.au (ipxavo.tcif.telstra.com.au [203.35.135.200]) by ietfa.amsl.com (Postfix) with ESMTP id 8B24121F860B for <jose@ietf.org>; Mon, 18 Mar 2013 20:23:51 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="4.84,868,1355058000"; d="scan'208,217"; a="124018819"
Received: from unknown (HELO ipccvi.tcif.telstra.com.au) ([10.97.217.208]) by ipoavi.tcif.telstra.com.au with ESMTP; 19 Mar 2013 14:23:49 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,7018"; a="119748609"
Received: from wsmsg3705.srv.dir.telstra.com ([172.49.40.203]) by ipccvi.tcif.telstra.com.au with ESMTP; 19 Mar 2013 14:23:49 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3705.srv.dir.telstra.com ([172.49.40.203]) with mapi; Tue, 19 Mar 2013 14:23:48 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Richard Barnes <rlb@ipv.sx>, Jim Schaad <ietf@augustcellars.com>
Date: Tue, 19 Mar 2013 14:23:47 +1100
Thread-Topic: [jose] #14: Support longer wrapped keys than OAEP allows
Thread-Index: Ac4kSnNicfSOfT3iSRSNjR/kV+qFtAAABMag
Message-ID: <255B9BB34FB7D647A506DC292726F6E1150BB430EE@WSMSG3153V.srv.dir.telstra.com>
References: <049.a881241698112408b4f26b7cfb4b9103@trac.tools.ietf.org> <255B9BB34FB7D647A506DC292726F6E1150BAAC4D8@WSMSG3153V.srv.dir.telstra.com> <096c01ce243a$4b22fb90$e168f2b0$@augustcellars.com> <CAL02cgT9x-Vsfd0=_Tmxcxo=04-oNF5-xTLeeRKHsiBFcMGftQ@mail.gmail.com>
In-Reply-To: <CAL02cgT9x-Vsfd0=_Tmxcxo=04-oNF5-xTLeeRKHsiBFcMGftQ@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E1150BB430EEWSMSG3153Vsrv_"
MIME-Version: 1.0
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 03:23:58 -0000

768 is also the wrong number, which is another reason to use draft-mcgrew-aead-aes-cbc-hmac-sha2 instead of the JOSE-specific AEAD construction (better key size choices). But that isn’t the main issue.

> So if we accept the goal that there should be one way of encrypting keys

Having one way of encrypting ephemeral raw symmetric session keys sounds like a decent goal.
I’m far from certain that extending that to asymmetric keys and their metadata (such as certs) is a sensible goal.

--
James Manger

From: Richard Barnes [mailto:rlb@ipv.sx]
Sent: Tuesday, 19 March 2013 1:36 PM
To: Jim Schaad
Cc: Manger, James H; jose@ietf.org
Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows

Well, I got to 788 by doing math incorrectly*.

Mike was correct on the other thread that 768 is the right number.  However, that's still too big for a 1024-bit RSA key and SHA1, since 768 + 320 = 1088 > 1024.

Regardless, there is clearly an issue here when wrapping a JWK, which is much larger, possibly containing an RSA key itself.  So if we accept the goal that there should be one way of encrypting keys, then we'll need to deal with getting around the OAEP size limitations.

--Richard

* This is why my degree is in mathematics, and not accounting.

On Mon, Mar 18, 2013 at 8:40 PM, Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>> wrote:
Think in terms of encrypting a JWK directly not an intermediate key.

> -----Original Message-----
> From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org<mailto:jose-bounces@ietf.org>] On Behalf Of
> Manger, James H
> Sent: Monday, March 18, 2013 5:17 PM
> To: rlb@ipv.sx<mailto:rlb@ipv.sx>; jose@ietf.org<mailto:jose@ietf.org>
> Subject: Re: [jose] #14: Support longer wrapped keys than OAEP allows
>
> Richard,
>
> How do you get a 788-bit key length?
>
> draft-mcgrew-aead-aes-cbc-hmac-sha2 defines 5 combinations of AES-
> 128/192/256 and SHA-1/256/384/512. The total key lengths range from 256
> bits to 512 bits.
>
> Keys for two of the algorithms (AEAD_AES_128_CBC_HMAC_SHA_256 and
> AEAD_AES_128_CBC_HMAC_SHA1) fit within OAEP with a 1024-bit RSA key.
>
> Keys for all of the algorithms fit within OAEP with a 2048-bit RSA key.
JWA
> already says RSA key sizes MUST be at least 2048 bits.
>
> This already looks sufficient.
>
> --
> James Manger
>
>
> > From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org<mailto:jose-bounces@ietf.org>] On Behalf
> > Of Richard Barnes
> > Sent: Tuesday, 19 March 2013 10:25 AM
> > Subject: [jose] WebCrypto feedback on key wrapping
> >
> > 2. Mark Watson (Netflix) noted that if we use RSA directly to encrypt
wrapped
> key objects, then we would need something other than OAEP in order to
carry
> arbitrary-length payloads.  I agreed, and suggested that something like
RSA-
> KEM would be necessary.  Ryan Sleevi (Google) and Vijay observed that KEM
is
> troublesome due to the lack of support by native crypto libraries.
> >
> > Point number 2 likely applies for some scenarios of JWE, especially if
we
> adopt the McGrew approach.  For example, if using HMAC-SHA1 and AES with
> a 256-bit key, the total key length is 788 bits, which is too long to be
encrypted
> with OAEP under a 1,024-bit RSA key.  I'm not sure how to resolve it.  The
best
> idea I've got is to allow wrapped keys to nest, so that you can wrap a key
inside
> of another wrapped key.
> >
> > --Richard
>
>
> >> ----------
> >> Sent: Tuesday, 19 March 2013 10:23 AM
> >> Subject: [jose] #14: Support longer wrapped keys than OAEP allows
> >>
> >> #14: Support longer wrapped keys than OAEP allows
> >>
> >>  The use of RSA-OAEP for key wrapping imposes a limit on the length
> >> of  the key package being wrapped. With SHA1, this length is N-320,
> >> where  N is the length of the RSA modulus.  Especially with larger
> >> hash  functions, and especially for wrapping private keys, the size
> >> of key  packages will be larger than this bound.  We should
> >> incorporate a  mechanism to accommodate these situations.
> >>
> >>
> >> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/14>
> _______________________________________________
> jose mailing list
> jose@ietf.org<mailto:jose@ietf.org>
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email