Re: [jose] Use of AES-HMAC algorithm
Mike Jones <Michael.Jones@microsoft.com> Thu, 28 March 2013 00:21 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E10B21F9338 for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 17:21:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ah4OyqsDhK3Q for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 17:21:23 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0237.outbound.protection.outlook.com [207.46.163.237]) by ietfa.amsl.com (Postfix) with ESMTP id 8FF7621F9333 for <jose@ietf.org>; Wed, 27 Mar 2013 17:21:23 -0700 (PDT)
Received: from BN1BFFO11FD026.protection.gbl (10.58.52.200) by BN1BFFO11HUB021.protection.gbl (10.58.53.131) with Microsoft SMTP Server (TLS) id 15.0.651.3; Thu, 28 Mar 2013 00:21:21 +0000
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.37) by BN1BFFO11FD026.mail.protection.outlook.com (10.58.53.86) with Microsoft SMTP Server (TLS) id 15.0.651.3 via Frontend Transport; Thu, 28 Mar 2013 00:21:21 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.224]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.02.0318.003; Thu, 28 Mar 2013 00:21:20 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] Use of AES-HMAC algorithm
Thread-Index: Ac4nS9Dlxfl1UeEXRp6aXJeHoQZF0QD+cy9A
Date: Thu, 28 Mar 2013 00:21:19 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394367590C2F@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <006801ce2b39$52595700$f70c0500$@augustcellars.com>
In-Reply-To: <006801ce2b39$52595700$f70c0500$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.78]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(13464002)(377454001)(35754002)(199002)(51444002)(189002)(50466001)(47446002)(63696002)(47776003)(20776003)(79102001)(5343655001)(561944001)(23726001)(31966008)(47736001)(69226001)(49866001)(74502001)(15202345001)(4396001)(50986001)(74662001)(54316002)(16406001)(80022001)(46406002)(55846006)(51856001)(33656001)(47976001)(59766001)(56776001)(77982001)(65816001)(54356001)(56816002)(46102001)(81342001)(66066001)(76482001)(53806001); DIR:OUT; SFP:; SCL:1; SRVR:BN1BFFO11HUB021; H:TK5EX14MLTC104.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0799B1B2D7
Subject: Re: [jose] Use of AES-HMAC algorithm
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2013 00:21:24 -0000
Per your point 1, I don't think anyone was advocating doubling the key size. The proposal in John's slides for issue #3 (http://trac.tools.ietf.org/wg/jose/trac/ticket/3) was to use a CMK that is the concatenation of the AES-CBC and HMAC-SHA-2 keys, as draft-mcgrew-aead-aes-hmac-sha2 does. For instance, when using A128CBC with HS256, the key size would be 384 bits and when using A256CBC with HS512, the key size would be 768 bits. This would multiply the current key sizes by 1.5, with the compensating benefit being the elimination of the use of the KDF. Your point 2 wasn't part of issue #3. This seems like an unnecessary change, particularly for GCM, where the IV is specified as a separate value from the ciphertext. Your point 3 wasn't part of issue #3. This seems like an unnecessary change, particularly for GCM, where the Authentication Tag is specified as a separate value from the ciphertext. Per your point 4, after a conversation initiated by Joe Hildebrand and a call scheduled by Matt Miller, David McGrew has agreed refactor his draft so that the inputs and outputs are specified separately and independently from the RFC 5116 encoding of those values. While RFC 5116 specifies a binary serialization for authenticated encryption algorithms, JWE specifies a textual serialization. This refactoring would make it easy for JOSE to use the McGrew draft, since the computation would be specified separately from the serialization, should the working group choose to do so. I suspect that once the refactoring is done, should the working group choose to use the McGrew algorithm, JWA could reference the appropriate sections of draft-mcgrew-aead-aes-hmac-sha2 and JWE could include an example computation for this algorithm, making it easy for developers to build. Per your point 5, I think the term "key wrapping" is being used for two different things: (1) Encrypting the ephemeral symmetric Content Master Key for a JWE and (2) encrypting a JWK or JWK Set containing symmetric and/or private key information and potentially other key attributes, enabling the encrypted JWK or JWK Set to be safely stored or transported. It think it would clarify the discussions to keep these operations distinct. I don't think anyone is proposing using AES-GCM or A128CBC+HS256 for (1), whereas they can already be used as part of (2) if the JWK is encrypted in a JWE, per Matt's draft. Given the opinions voiced at the CFRG meeting that it's fine to use approved authenticated encryption algorithms to encrypt keys, I believe that there's already no problem with using these algorithms for (2). -- Mike -----Original Message----- From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad Sent: Wednesday, March 27, 2013 3:21 PM To: jose@ietf.org Subject: [jose] Use of AES-HMAC algorithm <chair> After spending time looking at and thinking about how to resolve this issue since I was unable to do so at the last F2F meeting. I have come up with the following set of issues that might need to be addressed as part of resolving this issue. 1. Do we change from using KDC to having a double size key for the algorithm? I think that there is probably a consensus that this should be done. 2. Should IVs be prepended to the encrypted body as part of the encoding steps? If so then this change should be universal. Doing so would eliminate one field from all of the encoding formats which should be considered a plus. Doing so would force code writers to understand how large the IV is for all algorithms as the IV would no longer be a separate item. 3. Should Authentication Tags be appended to the encrypted body as part of the encoding steps? Doing so would eliminate one field from all of the encoding formats which should be considered a plus. Doing so would force code writers to understand how large the IV is for all algorithms as the IV would no longer be a separate item. Doing so would force a re-organization for the multiple recipient case as either all recipient specific data would need to be excluded from the authentication step or all of the recipient data would need to be included for by all recipients. Changing how the recipient info is process is going to give a performance benefit for sending encrypted items for multiple recipients. The current strategy of a single IV and key pair with AES-GCM and different authentication data needs to have CFRG look at it. I am worried that it might be a serious security flaw. 4. Should we reference the McGrew draft and provide text on how things are changed or should we "copy" the draft into our text? 5. If we allow for the use of AES-GCM or AES-HMAC for doing key wrapping, does this change how we think about any of the above questions? Allowing for AES-GCM for key wrapping has a benefit for hardware situations as only the encrypt and not the decrypt functions need to be placed in hardware. However allowing for this key wrapping give a problem as there is no way to encode the three fields into the encrypted value unless with use either a JSON structure in this location or we do use the single appended binary output stream. The first approach leads to an expansion of the field by double base64 encoding which is highly undesirable. Jim _______________________________________________ jose mailing list jose@ietf.org https://www.ietf.org/mailman/listinfo/jose
- [jose] Use of AES-HMAC algorithm Jim Schaad
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Mike Jones
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Mike Jones
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Manger, James H
- Re: [jose] Use of AES-HMAC algorithm Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm Manger, James H
- Re: [jose] Use of AES-HMAC algorithm Vladimir Dzhuvinov / NimbusDS
- Re: [jose] Use of AES-HMAC algorithm Jim Schaad