Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
Richard Barnes <rlb@ipv.sx> Thu, 25 April 2013 21:46 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33B6F21F96D8 for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 14:46:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.377
X-Spam-Level:
X-Spam-Status: No, score=-0.377 tagged_above=-999 required=5 tests=[FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oT-2WrUqAaRH for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 14:46:11 -0700 (PDT)
Received: from mail-oa0-f54.google.com (mail-oa0-f54.google.com [209.85.219.54]) by ietfa.amsl.com (Postfix) with ESMTP id 1966B21F96C4 for <jose@ietf.org>; Thu, 25 Apr 2013 14:46:11 -0700 (PDT)
Received: by mail-oa0-f54.google.com with SMTP id l20so3374566oag.13 for <jose@ietf.org>; Thu, 25 Apr 2013 14:46:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=ZQddKEZmGybpZOv3T5MkxBCxtuWdNPNbT+Jwe+PtZY4=; b=cTUfo5Wyck4rf8hqWmbwGwOH0/dplIajbNYoIvgH+ccGcYtDccbMaQM4JBKm4YsAHN pirgeNVw1u4NFmnhiSew8QW6yS+y4XSRyomRjvMNf6iyAwSZjEOP3X3LG1ZwmToTVyi5 Ky7dQEfidxECm0NofdTzrmCx+7PaZqLyCOtczFBQQoQjeSTrFoE/GjJb5DmuasC2GIc+ AU4KJdtvyKUlGkkrhzDeugNNf717+P2qj0xRTezjJKKoO7heqHTZTRvt5uIa4qW0VMa5 k7nyzwn8d4V2XajIHECgP6lHDLMvq8nzRfBaJwMkFB43ynvPtrSxj1CCSyHpesx9Vnu1 ZEOw==
MIME-Version: 1.0
X-Received: by 10.60.15.98 with SMTP id w2mr17228518oec.128.1366926370597; Thu, 25 Apr 2013 14:46:10 -0700 (PDT)
Received: by 10.60.41.225 with HTTP; Thu, 25 Apr 2013 14:46:10 -0700 (PDT)
X-Originating-IP: [128.89.253.101]
In-Reply-To: <4A22938F-958F-4648-933E-47AD443E21E3@vigilsec.com>
References: <20130424002901.19246.69134.idtracker@ietfa.amsl.com> <014201ce416a$82761a80$87624f80$@augustcellars.com> <B9EADFAC-382A-40C3-937C-C07E77777273@vigilsec.com> <4E1F6AAD24975D4BA5B1680429673943676C00E2@TK5EX14MBXC283.redmond.corp.microsoft.com> <4A22938F-958F-4648-933E-47AD443E21E3@vigilsec.com>
Date: Thu, 25 Apr 2013 17:46:10 -0400
Message-ID: <CAL02cgTkU8E7DN_btT0i1uZgGjq9TAeGZtu2sLdkUh+fX4jFkg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="089e013a0a1ec0fdb504db365819"
X-Gm-Message-State: ALoCoQnNibazWdZcc3Nx0ZIq/7TyUMf65MmgvB1lxMWoV+mvYnNCWAFMIH1ADiY1pYy4Nje0r9IJ
Cc: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 21:46:12 -0000
On Thu, Apr 25, 2013 at 5:45 PM, Russ Housley <housley@vigilsec.com> wrote: > Mike: > > If the header is protected with the AAD mechanism in GCM, then it must > cover exactly the same bits for all recipients. > > I do not see the need for JOSE header integrity. I have said this in the > past. I'm saying it again.... > +much_more_than_one > > Russ > > > On Apr 25, 2013, at 3:09 PM, Mike Jones wrote: > > > Hi Russ, > > > > I agree that enabling GCM to be safely used in the multiple recipients > case would be highly desirable. It is currently prohibited because if the > recipients share a common key and initialization vector (IV) but use > different AAD values, this results in the identified vulnerability. One > possible solution that continues integrity protecting the headers but > enables the safe use of GCM was identified off-list by John Bradley. > > > > That solution is to have each recipient always use the same key, IV, and > AAD values. This could be accomplished by including all the header values > in a single combined AAD value, rather than having the integrity protection > for each recipient's headers be independent. > > > > This change could be done in a manner that doesn't affect the > computation for the single recipients case. Given the upcoming interim > JOSE meeting next week, and given the (understandable) strong negative > reaction to the unusability of GCM with the current multiple recipients > processing rules, I'll plan on quickly producing a draft -10 that changes > the processing rules in the manner described above, so that idea can be > concretely considered by the working group next week. > > > > Just so people are clear on the properties on the new processing rules - > this would mean that the integrity computations for each recipients would > no longer be independent. The only downside of this (which could be an > upside in some ways) is that it would no longer be possible to add > recipients over time without performing a new encryption computation with a > new CEK and IV. > > > > Cheers, > > -- Mike > > > > -----Original Message----- > > From: Russ Housley [mailto:housley@vigilsec.com] > > Sent: Thursday, April 25, 2013 10:31 AM > > To: Mike Jones > > Cc: jose@ietf.org > > Subject: Re: [jose] I-D Action: > draft-ietf-jose-json-web-encryption-09.txt > > > > Mike: > > > > Like Jim, I cannot support this statement: AES GCM MUST NOT be used when > using the JWE JSON Serialization for multiple recipients > > > > All recipients ought to be performing decryption and integrity checking > with the same GCM key. The manner in which they obtain that key may be > different (key transport: decrypt the GCM key with the recipient's private > key, key agreement: agreement of a pairwise KEK and then unwrapping the GCM > key with the KEK, pre-shared KEK: unwrapping the GCM key with the already > known KEK, etc). > > > > Russ > > > > > > On Apr 25, 2013, at 12:07 AM, Jim Schaad wrote: > > > >> Mike, > >> > >> AES GCM MUST NOT be used when using the JWE JSON Serialization for > >> multiple recipients, since this would result in the same > >> Initialization Vector and Plaintext values being used for multiple > >> GCM encryptions. > >> > >> I doubt your co-authors would agree with this. > >> I doubt the working group with agree with this. > >> I know that at least one co-chair does not agree with this I can > >> predict that the AD and IESG along with the security directorate would > >> crucify me if I allowed this to stand in the document.. > >> > >> Jim > >> > >> > >> > >>> -----Original Message----- > >>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf > >>> Of internet-drafts@ietf.org > >>> Sent: Tuesday, April 23, 2013 5:29 PM > >>> To: i-d-announce@ietf.org > >>> Cc: jose@ietf.org > >>> Subject: [jose] I-D Action: > >>> draft-ietf-jose-json-web-encryption-09.txt > >>> > >>> > >>> A New Internet-Draft is available from the on-line Internet-Drafts > >> directories. > >>> This draft is a work item of the Javascript Object Signing and > >>> Encryption Working Group of the IETF. > >>> > >>> Title : JSON Web Encryption (JWE) > >>> Author(s) : Michael B. Jones > >>> Eric Rescorla > >>> Joe Hildebrand > >>> Filename : draft-ietf-jose-json-web-encryption-09.txt > >>> Pages : 54 > >>> Date : 2013-04-23 > >>> > >>> Abstract: > >>> JSON Web Encryption (JWE) is a means of representing encrypted > >>> content using JavaScript Object Notation (JSON) data structures. > >>> Cryptographic algorithms and identifiers for use with this > >>> specification are described in the separate JSON Web Algorithms (JWA) > >>> specification. Related digital signature and MAC capabilities are > >>> described in the separate JSON Web Signature (JWS) specification. > >>> > >>> > >>> The IETF datatracker status page for this draft is: > >>> https://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption > >>> > >>> There's also a htmlized version available at: > >>> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-09 > >>> > >>> A diff from the previous version is available at: > >>> http://www.ietf.org/rfcdiff?url2=draft-ietf-jose-json-web-encryption- > >>> 09 > >>> > >>> > >>> Internet-Drafts are also available by anonymous FTP at: > >>> ftp://ftp.ietf.org/internet-drafts/ > >>> > >>> _______________________________________________ > >>> jose mailing list > >>> jose@ietf.org > >>> https://www.ietf.org/mailman/listinfo/jose > >> > >> _______________________________________________ > >> jose mailing list > >> jose@ietf.org > >> https://www.ietf.org/mailman/listinfo/jose > > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose >
- [jose] I-D Action: draft-ietf-jose-json-web-encry… internet-drafts
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Jim Schaad
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Russ Housley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Jim Schaad
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Russ Housley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Russ Housley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Matt Miller
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Dick Hardt
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Manger, James H