Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK
Richard Barnes <rlb@ipv.sx> Tue, 12 March 2013 19:59 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D34B61F0D08 for <jose@ietfa.amsl.com>; Tue, 12 Mar 2013 12:59:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.652
X-Spam-Level:
X-Spam-Status: No, score=-0.652 tagged_above=-999 required=5 tests=[AWL=-1.427, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, J_CHICKENPOX_44=0.6, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3o+Yk6U6o-4Q for <jose@ietfa.amsl.com>; Tue, 12 Mar 2013 12:59:45 -0700 (PDT)
Received: from mail-ob0-x229.google.com (mail-ob0-x229.google.com [IPv6:2607:f8b0:4003:c01::229]) by ietfa.amsl.com (Postfix) with ESMTP id DBCC321F852C for <jose@ietf.org>; Tue, 12 Mar 2013 12:59:42 -0700 (PDT)
Received: by mail-ob0-f169.google.com with SMTP id ta14so262010obb.14 for <jose@ietf.org>; Tue, 12 Mar 2013 12:59:42 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=aY8fYHr7sO7yXhdbCS1amgY8YVEe3im2DAAWvGV2zR8=; b=PVwUdyikMCP0VQbn6lnEKtA8gwGeu111E8sdIZOg1Fn4NGMYPnBzWCoHB0uxgjyFMd 7U+kdkwddDIopXDuWN9361r/Z0l75Twmq2lKVxOghxxG2QeshfhZfeYUZbxQFJtp2fc1 Zf3pyRI27wdthGsT6VzenJqr9sWP3vwXEbigbRVkH0Y0b6L/+80aZUnv/9kO+Gu8Q4Ib VWr+O560FJQbHMMtjmkYdW/NpcE5GRY6Z+5z5WG2fuTSCAhcPI7NNJc/d8VJLHbAPQBQ CUKMkJ+lVdTpeNvAAuroK8NueOvn+jYAsUf4fKs8Pg3MMkZLXMZRE8CbE2T5PHrL81bn z6Yg==
MIME-Version: 1.0
X-Received: by 10.60.172.18 with SMTP id ay18mr13199514oec.126.1363118382204; Tue, 12 Mar 2013 12:59:42 -0700 (PDT)
Received: by 10.60.40.233 with HTTP; Tue, 12 Mar 2013 12:59:42 -0700 (PDT)
X-Originating-IP: [128.89.253.127]
In-Reply-To: <8B4C063947CD794BB6FF90C78BAE9B321EFC09EC@IMCMBX04.MITRE.ORG>
References: <8B4C063947CD794BB6FF90C78BAE9B321EFC09EC@IMCMBX04.MITRE.ORG>
Date: Tue, 12 Mar 2013 15:59:42 -0400
Message-ID: <CAL02cgSn-_+_7RAHrETdbzvHBq3d=xa0kmuh9HuvAf9TjJp_eA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Peck, Michael A" <mpeck@mitre.org>
Content-Type: multipart/alternative; boundary="bcaec54fae48f5658004d7bfbabb"
X-Gm-Message-State: ALoCoQlx47RKh65tjeN0/s+erFqa7xIdpFXJjEzUVTnyOZg3PIU9os8zzFgOe4p+gD1axH6bkAtN
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2013 19:59:51 -0000
Actually, for everything but key agreement, we can just use draft-mcgrew-aead-aes-cbc-hmac-sha2, with larger keys. We should not be specifying key expansion here when we can avoid it. --Richard On Tue, Mar 12, 2013 at 2:29 PM, Peck, Michael A <mpeck@mitre.org> wrote: > draft-ietf-jose-json-web-algorithms-08 section 4.7.1 describes the use > of Concat KDF on the shared secret Z established by ECDH-ES.**** > > ** ** > > The draft allows for an empty PartyUInfo and PartyVInfo but that may not > be allowed by NIST SP 800-56A (where the Concat KDF is defined).**** > > The current (March 2007) version of NIST SP 800-56A requires “At a > minimum, *PartyUInfo **shall *include *ID**U*, the identifier of party *U*.” > and an equivalent requirement for PartyVInfo. (Page 46 of > http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf) > **** > > The August 2012 draft update to NIST SP 800-56A requires “At a minimum, > PartyUInfo shall include IDu, an identifier for party U, as a distinct item > of information.” and an equivalent requirement for PartyVInfo. (Page 59 of > http://csrc.nist.gov/publications/drafts/800-56a/draft-sp-800-56a.pdf ) > My interpretation of this text (others may interpret it differently) is > that PartyUInfo and PartyVInfo can’t be empty.**** > > ** ** > > Instead of using the Concat KDF, a more appropriate choice may be the KDF > described in NIST SP 800-56C and RFC 5869.**** > > Its requirements are not as strict. (SP 800-56C Page 13: “If the > information is available, *Context **should *include the identifiers of > the parties who are deriving and/or using the derived keying material”) ** > ** > > ** ** > > It would look something like this:**** > > ** ** > > Step 1 - Randomness Extraction:**** > > Key Derivation Key := HMAC(salt, Z) (HMAC-SHA256 should suffice > for all of the current algorithms)**** > > ** ** > > Step 2 - Expansion Step: **** > > Use the Counter Mode KDF defined in SP 800-108 or section 2.3 of RFC 5869 > with the same HMAC algorithm used in step 1 to produce needed keys from the > Key Derivation Key produced in step 1.**** > > The needed keys would depend on the values of alg and enc.**** > > If alg is ECDH-ES+A128KW or ECDH-ES+A256KW, a single 128 bit or 256 bit > key is needed (used to decrypt the CMK, which may then need to be split > into CEK/CIK).**** > > If alg is ECDH-ES, then the needed keys depend on “enc”:**** > > If enc is AES-GCM, a 128 bit key or 256 bit key is needed.**** > > If enc is one of the AEAD AES-CBC algorithms in > draft-mcgrew-aead-aes-cbc-hmac-sha2-01, a key of ENC_KEY_LEN + MAC_KEY_LEN > is needed as it’s then split into two by the AEAD algorithm.**** > > If enc is one of the current CBC+HMAC options in > draft-ietf-jose-json-web-algorithms-08, then two keys are needed, a CEK and > a CIK. Counter Mode KDF could be invoked twice, with different labels each > time, or Counter Mode KDF could be invoked once to generate a big key which > would then be split into the CEK and CIK.**** > > ** ** > > Richard has already pointed out the issues with using the Concat KDF to > derive the CEK/CIK from the CMK. Instead, one option would be to use the > Expansion Step above: use the Counter Mode KDF with an HMAC to derive > necessary keys from the CMK. **** > > Even if we use encryption algorithms that combine the encryption and > integrity key such as the CBC+HMAC algorithms in > draft-mcgrew-aead-aes-cbc-hmac-sha2-01, there will still be a need to take > a smaller master key and create the combined encryption + integrity key > from it.**** > > ** ** > > ** ** > > Mike**** > > ** ** > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > >
- Re: [jose] Concat KDF issues with ECDH-ES and for… Mike Jones
- [jose] Concat KDF issues with ECDH-ES and for der… Peck, Michael A
- Re: [jose] Concat KDF issues with ECDH-ES and for… Richard Barnes
- Re: [jose] Concat KDF issues with ECDH-ES and for… John Bradley
- Re: [jose] Concat KDF issues with ECDH-ES and for… Peck, Michael A
- Re: [jose] Concat KDF issues with ECDH-ES and for… Mike Jones
- Re: [jose] Concat KDF issues with ECDH-ES and for… Manger, James H
- Re: [jose] Concat KDF issues with ECDH-ES and for… Richard Barnes
- Re: [jose] Concat KDF issues with ECDH-ES and for… Jim Schaad
- Re: [jose] Concat KDF issues with ECDH-ES and for… Manger, James H
- Re: [jose] Concat KDF issues with ECDH-ES and for… Richard Barnes