IETF Logo Mail Archive

Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK

"Manger, James H" <James.H.Manger@team.telstra.com> Mon, 18 March 2013 00:02 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD50C21F8A67 for <jose@ietfa.amsl.com>; Sun, 17 Mar 2013 17:02:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Level:
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lMYcE4sCB60n for <jose@ietfa.amsl.com>; Sun, 17 Mar 2013 17:02:37 -0700 (PDT)
Received: from ipxavo.tcif.telstra.com.au (ipxavo.tcif.telstra.com.au [203.35.135.200]) by ietfa.amsl.com (Postfix) with ESMTP id 5B2CA21F8A66 for <jose@ietf.org>; Sun, 17 Mar 2013 17:02:35 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="4.84,861,1355058000"; d="scan'208,217"; a="123635073"
Received: from unknown (HELO ipcdvi.tcif.telstra.com.au) ([10.97.217.212]) by ipoavi.tcif.telstra.com.au with ESMTP; 18 Mar 2013 11:02:33 +1100
X-IronPort-AV: E=McAfee;i="5400,1158,7017"; a="118930027"
Received: from wsmsg3701.srv.dir.telstra.com ([172.49.40.169]) by ipcdvi.tcif.telstra.com.au with ESMTP; 18 Mar 2013 11:02:33 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3701.srv.dir.telstra.com ([172.49.40.169]) with mapi; Mon, 18 Mar 2013 11:02:27 +1100
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Jim Schaad <ietf@augustcellars.com>
Date: Mon, 18 Mar 2013 11:02:25 +1100
Thread-Topic: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK
Thread-Index: AQIfUvokC2KN1bP9hZD3WzbTW1wpuwJJuz3QAMb1EvwBDVdg+AMdMmNBAgT8d5gCo7yYCJelipLggANwViA=
Message-ID: <255B9BB34FB7D647A506DC292726F6E1150B9AE692@WSMSG3153V.srv.dir.telstra.com>
References: <8B4C063947CD794BB6FF90C78BAE9B321EFC09EC@IMCMBX04.MITRE.ORG> <CAL02cgSn-_+_7RAHrETdbzvHBq3d=xa0kmuh9HuvAf9TjJp_eA@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943675001A6@TK5EX14MBXC283.redmond.corp.microsoft.com> <D1DEAADA-5879-4D05-BDF4-D2D1EA0998B0@ve7jtb.com> <8B4C063947CD794BB6FF90C78BAE9B321EFC0B77@IMCMBX04.MITRE.ORG> <4E1F6AAD24975D4BA5B16804296739436750053A@TK5EX14MBXC283.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E1150B8467A5@WSMSG3153V.srv.dir.telstra.com> <07b701ce21a8$40b502f0$c21f08d0$@augustcellars.com>
In-Reply-To: <07b701ce21a8$40b502f0$c21f08d0$@augustcellars.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E1150B9AE692WSMSG3153Vsrv_"
MIME-Version: 1.0
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2013 00:02:37 -0000

>> For instance, JWE includes the IV as part of the additional authenticated data (AAD). No other AEAD system is defined like this. Everywhere else the IV/nonce and AAD are separate. I hope that doesn’t adversely affect the crypto properties, but it does raise questions about whether it is important for some crypto reason.

[JLS] For this algorithm it is absolutely vital that the IV be protected.  Since the authentication is computed on the post encrypted text not the pre-encyrpted text, a decryption could never be able to correctly determine that the IV passed in was correct if it is not validated!!!!!!


Jim,

A256CBC+HS512 needs to integrity-protect the IV. I am not disagreeing with that.

Every other AEAD algorithm accepts an IV and AAD as separate inputs and *internally to the AEAD algorithm* ensures the appropriate integrity protection is applied. This is what GCM, CCM, and SIV do. It is the what RFC5116 (AEAD interface) assumes. It is what any crypto library with an explicit AEAD interface will support (separate calls or separate parameters for the IV and AAD).

JWE defines the AAD to be the Header+WrappedKey+IV. That is, the IV is included in the AAD.

Consequently every other AEAD algorithm (such as A128GCM) will process the JWE IV twice. In A128GCM, for example, the IV will be passed from JOSE code to an underlying crypto API once as a 12-byte (96-bit) binary value, and also as 16 base64url characters at the end of the AAD. For all these AEAD algorithms this duplication is merely slightly wasteful, but I guess (hope) it has no impact on security.

The JOSE-specific A256CBC+HS512 algorithm, in contrast, is different. This algorithm would be insecure if the AAD did not include the IV. What would happen if A256CBC+HS512 was implemented in a crypto library accessed via a generic AEAD interface? Perhaps it would have to base64url-encode the IV it was passed and check that it matches the end of the AAD it was passed (making it unsuitable as a generic AEAD alg in any other context)?

--
James Manger

v2.23.0 | Report a Bug | By Email