IETF Logo Mail Archive

Re: [jose] encrypting AND signing a token

Dick Hardt <dick.hardt@gmail.com> Sun, 04 November 2012 19:56 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98B4D21F8785 for <jose@ietfa.amsl.com>; Sun, 4 Nov 2012 11:56:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.742
X-Spam-Level:
X-Spam-Status: No, score=-4.742 tagged_above=-999 required=5 tests=[AWL=0.857, BAYES_00=-2.599, GB_I_LETTER=-2, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fkIofT8bFWBq for <jose@ietfa.amsl.com>; Sun, 4 Nov 2012 11:55:59 -0800 (PST)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id DD78821F8800 for <jose@ietf.org>; Sun, 4 Nov 2012 11:55:59 -0800 (PST)
Received: by mail-pb0-f44.google.com with SMTP id ro8so3432016pbb.31 for <jose@ietf.org>; Sun, 04 Nov 2012 11:55:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=sxl5Bp1aM4URFC5RfYOJf0WrH8WhJeUaAAYkNERujq8=; b=ywvvPtxk4/Uytr/z10oLs960fRhddedIGUohMAzFWBXVCBJaFnC76LkK9OomcWGJ6D Rof80jRnHec5rAPFA6sd6xZ+YlaBvYE8elY1cVB9ozzO76cib6bvghUiT+ka4cbJ76Zj MW2Ne1HbvVQTZhCAHLM3rOY5yYOZD31qEiOnhW6auJ9UWnkNSCFxXRMe+hauvTlB6rY3 ZN1fIkrWdD+hXBzIHATDajhV4yovMvQYhmV48CSnSxKt3a0aGGw58rbDNb6knQYEgY95 TKjhgeY1MyYpJ3W5JeDEoRrW1h/eH/6IKAbU8N9k8GyjVre0kYyjI7vcpZ6KJseMB4i/ yt1Q==
Received: by 10.68.143.201 with SMTP id sg9mr24923371pbb.32.1352058959649; Sun, 04 Nov 2012 11:55:59 -0800 (PST)
Received: from [10.0.0.4] (c-24-5-69-173.hsd1.ca.comcast.net. [24.5.69.173]) by mx.google.com with ESMTPS id hc4sm9295223pbc.30.2012.11.04.11.55.56 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 04 Nov 2012 11:55:58 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <000b01cdbab9$967ef070$c37cd150$@augustcellars.com>
Date: Sun, 04 Nov 2012 11:55:54 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <210E03E3-FD49-449A-8953-571ECA9E5FBE@gmail.com>
References: <4ACFC778-31A9-4C79-9F4E-7C01719F51AD@gmail.com> <4E1F6AAD24975D4BA5B168042967394366887325@TK5EX14MBXC285.redmond.corp.microsoft.com> <E73A223A-6546-4A3A-A839-8627B3DBCB8F@gmail.com> <000b01cdbab9$967ef070$c37cd150$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.1499)
Cc: 'Mike Jones' <Michael.Jones@microsoft.com>, jose@ietf.org, 'Dick Hardt' <dick.hardt@gmail.com>
Subject: Re: [jose] encrypting AND signing a token
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2012 19:56:00 -0000

Thanks Jim. An interesting historical reference. 

In my use case, who signed or who the token is for is not a secret. The payload needs to be kept a secret.

Does no one sign and encrypt SAML tokens?
Is this not a common use case?

If it does need to be solved, it would seem to me that a standards body would be the place to have lots of eyes look at how to sign and encrypt a token so that people do not do naive sign and encrypt.

Q: does anyone else need to sign and encrypt?

-- Dick

On Nov 4, 2012, at 10:24 AM, "Jim Schaad" <ietf@augustcellars.com> wrote:

> <personal>
> 
> I would note that the original PKCS#7 specifications had a mode that
> provided a similar sign and encrypt as a single operation mode.  When the
> PKCS#7 specifications where adopted by the IETF as part of the CMS work,
> this mode was discussed and very deliberately dropped because of numerous
> security problems that had been found.  These included (but are not limited
> to) the fact that it was signed or who signed it was sometimes a security
> leak.  Also there were attacks where the signed and encrypted mode could be
> converted to just an encrypted mode.
> 
> I would think that there would be a need for a very detailed security
> analysis that we are not prepared to do in order to support a signed and
> encrypted mode.
> 
> Jim
> 
> 
>> -----Original Message-----
>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
>> Dick Hardt
>> Sent: Friday, November 02, 2012 12:30 PM
>> To: Mike Jones
>> Cc: jose@ietf.org
>> Subject: Re: [jose] encrypting AND signing a token
>> 
>> Not only is my original token increasing in size by 4/3, I am also adding
>> another header, payload and signature.
>> 
>> One of the objectives of JWT was to enabled compact tokens. It would seem
>> that we should be able to support both signing and encryption of the same
>> token.
>> 
>> All the encryption use cases I can think of involving asymmetric keys
> would
>> also require signing with the senders private key.
>> 
>> My suggestion is to be explicit in what the algorithm etc. is used for:
>> 
>> Rather than "alg" and "enc", we have:
>> 
>> "algs" - algorithm for token signing
>> "algk" - algorithm for content management key encryption "alge" -
> algorithm
>> for payload encryption
>> 
>> Similiarly,
>> 
>> "kids" - key id for signing
>> "kidk" - key id for content managment key encryption
>> 
>> We could probably make these three or even two letter codes if you want to
>> save a couple bytes.
>> 
>> -- Dick
>> 
>> On Nov 2, 2012, at 8:46 AM, Mike Jones <Michael.Jones@microsoft.com>
>> wrote:
>> 
>>> The way you put it brings one straightforward solution to mind.  Solve
> 1-3
>> with a JWE.  Solve 4-5 by signing the JWE as a JWS payload.  Done.
>>> 
>>> I do understand that the 4/3 space blowup-of double base64url encoding
>> the JWE motivates your earlier proposal about nested signing.  (See Dick's
>> 10/29/12 message "[jose] signing an existing JWT".)  I also understand
> that if
>> you could do integrity with the asymmetric signature then the integrity
>> provided by the JWE itself may be redundant.  I don't have a specific
> proposal
>> on how to do that.
>>> 
>>> 				-- Mike
>>> 
>>> -----Original Message-----
>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf
>>> Of Dick Hardt
>>> Sent: Friday, November 02, 2012 8:22 AM
>>> To: jose@ietf.org
>>> Subject: [jose] encrypting AND signing a token
>>> 
>>> I am trying to figure out how to implement JWT/JWS/JWE to solve a real
>> world problem.
>>> 
>>> 1) Bob sends a token to Charlie via Alice. (Alice gets token from Bob
>>> and then Alice gives token to Charlie)
>>> 2) Alice must be prevented from reading the token. (token needs to be
>>> encrypted)
>>> 3) Bob and Charlie can share a symmetric key.
>>> 
>>> I can solve this with JWE.
>>> 
>>> Now let's add another condition.
>>> 
>>> 4) Charlie wants non-repuditation that Bob created the token.
>>> 5) Bob has a private key and a public key
>>> 
>>> I don't see how to do this using JWE. It seems I have to sign the same
> token
>> I had previously with JWS. This seems inefficient since I should be able
> to
>> replace the JWE integrity computation done with the symmetric key with the
>> private key -- but the "alg" parameter is the same in both encrypting and
>> signing.
>>> 
>>> Now let's expand this to replacing the symmetric key with a
> public/private
>> key pair for encryption. Bob encrypts with Charlies public key and signs
> with
>> Bob's private key (we also need to make sure we are not doing naive
>> encryption and signing here, would be a really useful to specify what
> needs
>> to be done there). Now we need to have parameters for both public/private
>> key pairs in the header.
>>> 
>>> Am I missing something here?
>>> 
>>> Seems like we can do this if we change the header parameters to specify
> if
>> they ("alg", "kid", et.c) are for token signing, payload encryption or
> content
>> key encryption.
>>> 
>>> -- Dick
>>> 
>>> 
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>> 
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>

v2.23.0 | Report a Bug | By Email