Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

Richard Barnes <rlb@ipv.sx> Thu, 25 April 2013 18:13 UTC

In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943676ACD2E@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <20130424002901.19246.69134.idtracker@ietfa.amsl.com> <014201ce416a$82761a80$87624f80$@augustcellars.com> <4E1F6AAD24975D4BA5B1680429673943676ACD2E@TK5EX14MBXC284.redmond.corp.microsoft.com>
Date: Thu, 25 Apr 2013 14:13:48 -0400
Message-ID: <CAL02cgSDhjpPaW-rjbRSa9+0MRnsZ1B_eEvAppVd__h69OMOsQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

Mike,

Your facts are right, but your conclusions are wrong.

We have three mutually incompatible goals here:
1. GCM
2. Efficient encoding for multiple recipients
3. Header integrity

We can have any two of these, but not all three.  If we try to do all three
(JWE-08), then we end up with the vulnerability identified in the CFRG
thread.  So we need to choose which one to get rid of.

Getting rid of GCM is clearly not the right answer, as evidenced by the
reaction in this thread.  There are clear, concrete use reasons to support
multiple recipients, but not for header integrity.  And header integrity
can be "polyfilled" with an optional feature, for those who are willing to
break the multiple recipient case.  Clearly, header integrity is the
weakest link here.

JWE-09 is the reductio ad absurdum of header integrity.  Let's do the
logical thing and stop the absurdity.

--Richard




On Thu, Apr 25, 2013 at 2:48 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Jim - I am surprised that you would say that my co-authors Eric Rescorla
> or Joe Hildebrand or the working group would advocate using AES GCM in a
> way that would result in severe security vulnerabilities - in particular,
> allowing attackers to obtain the XOR of the messages to multiple recipients
> encrypted using GCM - a vulnerability identified by the CFRG.
>
> Not stating this in the document would seem to me to be highly
> irresponsible, given the brittleness of GCM in this regard, as identified
> by the CFRG.  As I said to Richard Barnes over dinner last night, while
> unpleasant, and possibly surprising to those who aren't familiar with how GCM
> actually works, as an editor, I viewed including the statement that "AES
> GCM MUST NOT be used when using the JWE JSON Serialization for multiple
> recipients, since this would result in the same Initialization Vector and
> Plaintext values being used for multiple GCM encryptions" as necessary, and
> "truth in advertising".
>
>                                 -- Mike
>
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> Jim Schaad
> Sent: Wednesday, April 24, 2013 9:07 PM
> To: Mike Jones
> Cc: jose@ietf.org
> Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
>
> Mike,
>
> AES GCM MUST NOT be used when using the JWE JSON Serialization for
>    multiple recipients, since this would result in the same
>    Initialization Vector and Plaintext values being used for multiple
>    GCM encryptions.
>
> I doubt your co-authors would agree with this.
> I doubt the working group will agree with this.
> I know that at least one co-chair does not agree with this.  I can predict
> that the AD and IESG along with the security directorate would crucify me
> if I allowed this to stand in the document.
>
> Jim
>
>
>
> > -----Original Message-----
> > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf
> > Of internet-drafts@ietf.org
> > Sent: Tuesday, April 23, 2013 5:29 PM
> > To: i-d-announce@ietf.org
> > Cc: jose@ietf.org
> > Subject: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> >  This draft is a work item of the Javascript Object Signing and
> > Encryption Working Group of the IETF.
> >
> >       Title           : JSON Web Encryption (JWE)
> >       Author(s)       : Michael B. Jones
> >                           Eric Rescorla
> >                           Joe Hildebrand
> >       Filename        : draft-ietf-jose-json-web-encryption-09.txt
> >       Pages           : 54
> >       Date            : 2013-04-23
> >
> > Abstract:
> >    JSON Web Encryption (JWE) is a means of representing encrypted
> >    content using JavaScript Object Notation (JSON) data structures.
> >    Cryptographic algorithms and identifiers for use with this
> >    specification are described in the separate JSON Web Algorithms (JWA)
> >    specification.  Related digital signature and MAC capabilities are
> >    described in the separate JSON Web Signature (JWS) specification.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption
> >
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-09
> >
> > A diff from the previous version is available at:
> > http://www.ietf.org/rfcdiff?url2=draft-ietf-jose-json-web-encryption-09
> >
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > jose mailing list
> > jose@ietf.org
> > https://www.ietf.org/mailman/listinfo/jose
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
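The GCM property the whole thread turns on, reproduced as an added Go example (this is not code from the original messages, from the JWE drafts, or from any JOSE library; the `IVUse` record, its `KeyID` field, and the demo key, IV and plaintexts are constructed for illustration). Go's standard-library AES-GCM is used. `KeystreamLeaksXOR` confirms the concern Mike and Jim quote: two encryptions under one (key, IV) pair share a counter-mode keystream, so the XOR of the ciphertexts equals the XOR of the plaintexts. `SameIVDifferentAAD` models the JWE-08 multi-recipient layout (one CEK, one IV, one plaintext, a different per-recipient header as AAD) and shows the ciphertext is byte-identical across recipients while only the tags differ. `ReusedIVs` is the audit check a reviewer would run over recorded encryptions, and `SealWithFreshIV` is the mitigation: the caller never chooses the IV.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
)

// xorBytes XORs a and b over their common prefix length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// gcmSeal runs AES-GCM with a caller-supplied IV and returns ciphertext and tag separately.
func gcmSeal(key, iv, aad, plaintext []byte) (ct, tag []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	sealed := aead.Seal(nil, iv, plaintext, aad)
	split := len(sealed) - aead.Overhead()
	return sealed[:split], sealed[split:], nil
}

// KeystreamLeaksXOR reports whether c1 XOR c2 == p1 XOR p2 when both plaintexts are
// encrypted under the same (key, IV): GCM's confidentiality layer is counter mode,
// so the keystream depends only on that pair and reuse exposes the plaintext XOR.
func KeystreamLeaksXOR(key, iv, p1, p2 []byte) (bool, error) {
	c1, _, err := gcmSeal(key, iv, nil, p1)
	if err != nil {
		return false, err
	}
	c2, _, err := gcmSeal(key, iv, nil, p2)
	if err != nil {
		return false, err
	}
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2)), nil
}

// SameIVDifferentAAD encrypts one plaintext twice under one (key, IV) with two
// different AADs (the per-recipient headers of JWE-08) and reports whether the
// ciphertexts and the tags coincide. Expected: identical ciphertext, distinct tags.
func SameIVDifferentAAD(key, iv, plaintext, aad1, aad2 []byte) (sameCT, sameTag bool, err error) {
	c1, t1, err := gcmSeal(key, iv, aad1, plaintext)
	if err != nil {
		return false, false, err
	}
	c2, t2, err := gcmSeal(key, iv, aad2, plaintext)
	if err != nil {
		return false, false, err
	}
	return bytes.Equal(c1, c2), bytes.Equal(t1, t2), nil
}

// IVUse is a constructed audit record of one GCM invocation: which key, which IV.
type IVUse struct {
	KeyID string // hypothetical key identifier, as a library or log would carry it
	IV    []byte
}

// ReusedIVs returns, sorted, every KeyID that used the same IV more than once.
// The same IV under different keys is harmless; under one key it is the defect.
func ReusedIVs(uses []IVUse) []string {
	seen, flagged := map[string]bool{}, map[string]bool{}
	for _, u := range uses {
		k := u.KeyID + ":" + hex.EncodeToString(u.IV)
		if seen[k] {
			flagged[u.KeyID] = true
		}
		seen[k] = true
	}
	out := make([]string, 0, len(flagged))
	for id := range flagged {
		out = append(out, id)
	}
	sort.Strings(out)
	return out
}

// SealWithFreshIV is the mitigation: a random 96-bit IV is drawn per call and
// returned with the output, so no two encryptions under a key share an IV.
func SealWithFreshIV(key, aad, plaintext []byte) (iv, ct, tag []byte, err error) {
	iv = make([]byte, 12)
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, nil, err
	}
	ct, tag, err = gcmSeal(key, iv, aad, plaintext)
	return iv, ct, tag, err
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed demo key
	iv := bytes.Repeat([]byte{0x22}, 12)  // constructed fixed IV, deliberately reused
	leak, _ := KeystreamLeaksXOR(key, iv, []byte("attack at dawn!!"), []byte("retreat at dusk!"))
	sameCT, sameTag, _ := SameIVDifferentAAD(key, iv, []byte("payload"), []byte(`{"kid":"r1"}`), []byte(`{"kid":"r2"}`))
	fmt.Println("xor leak:", leak, "same ciphertext:", sameCT, "same tag:", sameTag)
	fmt.Println("keys with IV reuse:", ReusedIVs([]IVUse{{"k1", iv}, {"k1", iv}, {"k2", iv}}))
}
```

The `SameIVDifferentAAD` result is what makes per-recipient header integrity and a single GCM encryption incompatible in the JWE-08 layout: the only per-recipient difference in the output is the tag, which is exactly the value a reviewer does not want to see computed repeatedly under one (key, IV).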