IETF Logo Mail Archive

Re: [jose] Use of AES-HMAC algorithm - Consensus Request

Nat Sakimura <sakimura@gmail.com> Mon, 08 April 2013 23:29 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD1A821F8EDE for <jose@ietfa.amsl.com>; Mon, 8 Apr 2013 16:29:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7kQefPEGhfMq for <jose@ietfa.amsl.com>; Mon, 8 Apr 2013 16:29:56 -0700 (PDT)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id E757121F8EDB for <jose@ietf.org>; Mon, 8 Apr 2013 16:29:55 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id u10so6282540lbi.3 for <jose@ietf.org>; Mon, 08 Apr 2013 16:29:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:content-transfer-encoding; bh=ZBxHRncC4dyRinfj0i1J9bWdviBIUUpk8tcHX93rjUs=; b=oVlZxgzU1hd+e5qHTF6yodXAjbHE9/9s2BZW/gWbH69y6m8S+nWC3t/NGZrxHxg38t 0+gFQLcTc3zOxWlDjFq5wGRX4KhBfqK4MmI22//wO7T6BmEN+po5NvG+3LwwLoTaiQ8V SDpqhFDFgkpZYShbJjDU2AWstgix5ZNvyBF2wBz2zzXFkZmPfyXkT7MFOovzFAg2gOqk uN8nOiZSLnr2+/QhOh9TJlxJkbXVmCo48Y4IGOQ+G7+kZ6g6DHn1DEDi5eIbHV9fhNHj iZ0+ZLDLifxSyOk9TcE+60Wi9U4nSjsha5T3c/LEqTdBlqeJGZ80MWRKoy9Hs3QLnNkh n18g==
MIME-Version: 1.0
X-Received: by 10.112.162.40 with SMTP id xx8mr12634345lbb.30.1365463794722; Mon, 08 Apr 2013 16:29:54 -0700 (PDT)
Received: by 10.112.19.163 with HTTP; Mon, 8 Apr 2013 16:29:54 -0700 (PDT)
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED941151B6F48@xmb-aln-x11.cisco.com>
References: <017a01ce318f$482d8470$d8888d50$@augustcellars.com> <8B4C063947CD794BB6FF90C78BAE9B321EFFF14C@IMCMBX04.MITRE.ORG> <CDF230A7-15ED-4722-BDFC-364D8A1975B8@gmail.com> <BF7E36B9C495A6468E8EC573603ED941151B6F48@xmb-aln-x11.cisco.com>
Date: Tue, 09 Apr 2013 08:29:54 +0900
Message-ID: <CABzCy2B3ctmYQjvfw1bVxSoO=YwWvp4F53OHKuoUVzfJmQqDNA@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Jim Schaad <ietf@augustcellars.com>, "Peck, Michael A" <mpeck@mitre.org>, "jose@ietf.org" <jose@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] Use of AES-HMAC algorithm - Consensus Request
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2013 23:29:57 -0000

Concat is what McGrew algorithm does it, is it not? I support the move.

2013/4/9 Matt Miller (mamille2) <mamille2@cisco.com>:
> +1 on a longer key.
>
>
> - m&m
>
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
>
> On Apr 7, 2013, at 10:47 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> FWIW: I'd strongly prefer a longer key than a different KDF scheme.
>>
>> On Apr 7, 2013, at 12:32 PM, "Peck, Michael A" <mpeck@mitre.org> wrote:
>>
>>> I prefer using a KDF, as I think the approach of using a long key over-complicates key management by requiring generation and transport of a longer key than necessary, and it may also provide a false sense of the overall security level.
>>>
>>> As previously discussed, the Concat KDF is not appropriate, but there are other NIST KDFs that seem acceptable for this key expansion purpose.
>>> For instance, the "KDF in Counter Mode" in NIST SP 800-108 Section 5.1, with the PRF algorithm set to the same HMAC algorithm used in the corresponding AEAD algorithm.  (i.e. use HMAC-SHA-256 as PRF with AES-128 + HMAC-SHA-256, and use HMAC-SHA-512 as PRF with AES-256 + HMAC-SHA-512).
>>>
>>> For example, for AES-128 + HMAC-SHA-256, where "key" is an inputted 128-bit "master" key:
>>> Expanded key = HMAC-SHA-256(key, 0x00 0x00 0x00 0x01 | "A128CBC+HS256" | 0x00 | 0x00 0x00 0x01 0x00)
>>> AES key = first 128 bits of expanded key
>>> HMAC key = second 128 bits of expanded key
>>>
>>> If JOSE chooses to use draft-mcgrew-aead-aes-cbc-hmac-sha2, I think it would be worth discussing with the draft authors whether they are interested in performing the KDF in the AEAD algorithm itself (for example, input a 128-bit key into their AEAD_AES_128_CBC_HMAC_SHA_256 and have it be responsible for deriving the 128-bit AES key and 128-bit HMAC key).
>>>
>>> Mike
>>>
>>>> -----Original Message-----
>>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
>>>> Jim Schaad
>>>> Sent: Thursday, April 04, 2013 7:51 PM
>>>> To: jose@ietf.org
>>>> Subject: Re: [jose] Use of AES-HMAC algorithm - Consensus Request
>>>>
>>>> <chair>
>>>>
>>>> At the request of the editors, this is a formal consensus call on the first
>>>> item in the list below.  If there are objects to use a single long key
>>>> rather than a KDF function for the AES-CBC/HMAC algorithm please speak up
>>>> now.  To date nobody has said that I was wrong to assume the consensus on
>>>> that item.
>>>>
>>>> Call ends in one week.
>>>>
>>>> Jim
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
>>>> Jim
>>>>> Schaad
>>>>> Sent: Wednesday, March 27, 2013 3:21 PM
>>>>> To: jose@ietf.org
>>>>> Subject: [jose] Use of AES-HMAC algorithm
>>>>>
>>>>> <chair>
>>>>> After spending time looking at and thinking about how to resolve this
>>>> issue
>>>>> since I was unable to do so at the last F2F meeting.  I have come up with
>>>> the
>>>>> following set of issues that might need to be addressed as part of
>>>> resolving
>>>>> this issue.
>>>>>
>>>>> 1.  Do we change from using KDC to having a double size key for the
>>>>> algorithm?  I think that there is probably a consensus that this should be
>>>> done.
>>>>>
>>>>> 2. Should IVs be prepended to the encrypted body as part of the encoding
>>>>> steps?  If so then this change should be universal.
>>>>>
>>>>> Doing so would eliminate one field from all of the encoding formats which
>>>>> should be considered a plus.
>>>>> Doing so would force code writers to understand how large the IV is for
>>>> all
>>>>> algorithms as the IV would no longer be a separate item.
>>>>>
>>>>> 3. Should Authentication Tags be appended to the encrypted body as part of
>>>>> the encoding steps?
>>>>>
>>>>> Doing so would eliminate one field from all of the encoding formats which
>>>>> should be considered a plus.
>>>>> Doing so would force code writers to understand how large the IV is for
>>>> all
>>>>> algorithms as the IV would no longer be a separate item.
>>>>> Doing so would force a re-organization for the multiple recipient case as
>>>>> either all recipient specific data would need to be excluded from the
>>>>> authentication step or all of the recipient data would need to be included
>>>> for
>>>>> by all recipients.
>>>>> Changing how the recipient info is process is going to give a performance
>>>>> benefit for sending encrypted items for multiple recipients.
>>>>> The current strategy of a single IV and key pair with AES-GCM and
>>>> different
>>>>> authentication data needs to have CFRG look at it.  I am worried that it
>>>> might
>>>>> be a serious security flaw.
>>>>>
>>>>> 4. Should we reference the McGrew draft and provide text on how things
>>>> are
>>>>> changed or should we "copy" the draft into our text?
>>>>>
>>>>> 5.  If we allow for the use of AES-GCM or AES-HMAC for doing key wrapping,
>>>>> does this change how we think about any of the above questions?
>>>>>
>>>>> Allowing for AES-GCM for key wrapping has a benefit for hardware
>>>> situations
>>>>> as only the encrypt and not the decrypt functions need to be placed in
>>>>> hardware.  However allowing for this key wrapping give a problem as there
>>>> is
>>>>> no way to encode the three fields into the encrypted value unless with use
>>>>> either a JSON structure in this location or we do use the single appended
>>>>> binary output stream.  The first approach leads to an expansion of the
>>>> field by
>>>>> double base64 encoding which is highly undesirable.
>>>>>
>>>>> Jim
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> jose mailing list
>>>>> jose@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/jose
>>>>
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/jose
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email