Re: [jose] Use of AES-HMAC algorithm - Consensus Request
Nat Sakimura <sakimura@gmail.com> Mon, 08 April 2013 23:29 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD1A821F8EDE for <jose@ietfa.amsl.com>; Mon, 8 Apr 2013 16:29:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7kQefPEGhfMq for <jose@ietfa.amsl.com>; Mon, 8 Apr 2013 16:29:56 -0700 (PDT)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id E757121F8EDB for <jose@ietf.org>; Mon, 8 Apr 2013 16:29:55 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id u10so6282540lbi.3 for <jose@ietf.org>; Mon, 08 Apr 2013 16:29:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:content-transfer-encoding; bh=ZBxHRncC4dyRinfj0i1J9bWdviBIUUpk8tcHX93rjUs=; b=oVlZxgzU1hd+e5qHTF6yodXAjbHE9/9s2BZW/gWbH69y6m8S+nWC3t/NGZrxHxg38t 0+gFQLcTc3zOxWlDjFq5wGRX4KhBfqK4MmI22//wO7T6BmEN+po5NvG+3LwwLoTaiQ8V SDpqhFDFgkpZYShbJjDU2AWstgix5ZNvyBF2wBz2zzXFkZmPfyXkT7MFOovzFAg2gOqk uN8nOiZSLnr2+/QhOh9TJlxJkbXVmCo48Y4IGOQ+G7+kZ6g6DHn1DEDi5eIbHV9fhNHj iZ0+ZLDLifxSyOk9TcE+60Wi9U4nSjsha5T3c/LEqTdBlqeJGZ80MWRKoy9Hs3QLnNkh n18g==
MIME-Version: 1.0
X-Received: by 10.112.162.40 with SMTP id xx8mr12634345lbb.30.1365463794722; Mon, 08 Apr 2013 16:29:54 -0700 (PDT)
Received: by 10.112.19.163 with HTTP; Mon, 8 Apr 2013 16:29:54 -0700 (PDT)
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED941151B6F48@xmb-aln-x11.cisco.com>
References: <017a01ce318f$482d8470$d8888d50$@augustcellars.com> <8B4C063947CD794BB6FF90C78BAE9B321EFFF14C@IMCMBX04.MITRE.ORG> <CDF230A7-15ED-4722-BDFC-364D8A1975B8@gmail.com> <BF7E36B9C495A6468E8EC573603ED941151B6F48@xmb-aln-x11.cisco.com>
Date: Tue, 09 Apr 2013 08:29:54 +0900
Message-ID: <CABzCy2B3ctmYQjvfw1bVxSoO=YwWvp4F53OHKuoUVzfJmQqDNA@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Jim Schaad <ietf@augustcellars.com>, "Peck, Michael A" <mpeck@mitre.org>, "jose@ietf.org" <jose@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [jose] Use of AES-HMAC algorithm - Consensus Request
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2013 23:29:57 -0000
Concat is what McGrew algorithm does it, is it not? I support the move. 2013/4/9 Matt Miller (mamille2) <mamille2@cisco.com>: > +1 on a longer key. > > > - m&m > > Matt Miller < mamille2@cisco.com > > Cisco Systems, Inc. > > On Apr 7, 2013, at 10:47 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > >> FWIW: I'd strongly prefer a longer key than a different KDF scheme. >> >> On Apr 7, 2013, at 12:32 PM, "Peck, Michael A" <mpeck@mitre.org> wrote: >> >>> I prefer using a KDF, as I think the approach of using a long key over-complicates key management by requiring generation and transport of a longer key than necessary, and it may also provide a false sense of the overall security level. >>> >>> As previously discussed, the Concat KDF is not appropriate, but there are other NIST KDFs that seem acceptable for this key expansion purpose. >>> For instance, the "KDF in Counter Mode" in NIST SP 800-108 Section 5.1, with the PRF algorithm set to the same HMAC algorithm used in the corresponding AEAD algorithm. (i.e. use HMAC-SHA-256 as PRF with AES-128 + HMAC-SHA-256, and use HMAC-SHA-512 as PRF with AES-256 + HMAC-SHA-512). >>> >>> For example, for AES-128 + HMAC-SHA-256, where "key" is an inputted 128-bit "master" key: >>> Expanded key = HMAC-SHA-256(key, 0x00 0x00 0x00 0x01 | "A128CBC+HS256" | 0x00 | 0x00 0x00 0x01 0x00) >>> AES key = first 128 bits of expanded key >>> HMAC key = second 128 bits of expanded key >>> >>> If JOSE chooses to use draft-mcgrew-aead-aes-cbc-hmac-sha2, I think it would be worth discussing with the draft authors whether they are interested in performing the KDF in the AEAD algorithm itself (for example, input a 128-bit key into their AEAD_AES_128_CBC_HMAC_SHA_256 and have it be responsible for deriving the 128-bit AES key and 128-bit HMAC key). >>> >>> Mike >>> >>>> -----Original Message----- >>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of >>>> Jim Schaad >>>> Sent: Thursday, April 04, 2013 7:51 PM >>>> To: jose@ietf.org >>>> Subject: Re: [jose] Use of AES-HMAC algorithm - Consensus Request >>>> >>>> <chair> >>>> >>>> At the request of the editors, this is a formal consensus call on the first >>>> item in the list below. If there are objects to use a single long key >>>> rather than a KDF function for the AES-CBC/HMAC algorithm please speak up >>>> now. To date nobody has said that I was wrong to assume the consensus on >>>> that item. >>>> >>>> Call ends in one week. >>>> >>>> Jim >>>> >>>> >>>>> -----Original Message----- >>>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of >>>> Jim >>>>> Schaad >>>>> Sent: Wednesday, March 27, 2013 3:21 PM >>>>> To: jose@ietf.org >>>>> Subject: [jose] Use of AES-HMAC algorithm >>>>> >>>>> <chair> >>>>> After spending time looking at and thinking about how to resolve this >>>> issue >>>>> since I was unable to do so at the last F2F meeting. I have come up with >>>> the >>>>> following set of issues that might need to be addressed as part of >>>> resolving >>>>> this issue. >>>>> >>>>> 1. Do we change from using KDC to having a double size key for the >>>>> algorithm? I think that there is probably a consensus that this should be >>>> done. >>>>> >>>>> 2. Should IVs be prepended to the encrypted body as part of the encoding >>>>> steps? If so then this change should be universal. >>>>> >>>>> Doing so would eliminate one field from all of the encoding formats which >>>>> should be considered a plus. >>>>> Doing so would force code writers to understand how large the IV is for >>>> all >>>>> algorithms as the IV would no longer be a separate item. >>>>> >>>>> 3. Should Authentication Tags be appended to the encrypted body as part of >>>>> the encoding steps? >>>>> >>>>> Doing so would eliminate one field from all of the encoding formats which >>>>> should be considered a plus. >>>>> Doing so would force code writers to understand how large the IV is for >>>> all >>>>> algorithms as the IV would no longer be a separate item. >>>>> Doing so would force a re-organization for the multiple recipient case as >>>>> either all recipient specific data would need to be excluded from the >>>>> authentication step or all of the recipient data would need to be included >>>> for >>>>> by all recipients. >>>>> Changing how the recipient info is process is going to give a performance >>>>> benefit for sending encrypted items for multiple recipients. >>>>> The current strategy of a single IV and key pair with AES-GCM and >>>> different >>>>> authentication data needs to have CFRG look at it. I am worried that it >>>> might >>>>> be a serious security flaw. >>>>> >>>>> 4. Should we reference the McGrew draft and provide text on how things >>>> are >>>>> changed or should we "copy" the draft into our text? >>>>> >>>>> 5. If we allow for the use of AES-GCM or AES-HMAC for doing key wrapping, >>>>> does this change how we think about any of the above questions? >>>>> >>>>> Allowing for AES-GCM for key wrapping has a benefit for hardware >>>> situations >>>>> as only the encrypt and not the decrypt functions need to be placed in >>>>> hardware. However allowing for this key wrapping give a problem as there >>>> is >>>>> no way to encode the three fields into the encrypted value unless with use >>>>> either a JSON structure in this location or we do use the single appended >>>>> binary output stream. The first approach leads to an expansion of the >>>> field by >>>>> double base64 encoding which is highly undesirable. >>>>> >>>>> Jim >>>>> >>>>> >>>>> _______________________________________________ >>>>> jose mailing list >>>>> jose@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/jose >>>> >>>> _______________________________________________ >>>> jose mailing list >>>> jose@ietf.org >>>> https://www.ietf.org/mailman/listinfo/jose >>> _______________________________________________ >>> jose mailing list >>> jose@ietf.org >>> https://www.ietf.org/mailman/listinfo/jose >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Jim Schaad
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Mike Jones
- Re: [jose] Use of AES-HMAC algorithm - Consensus … John Bradley
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Vladimir Dzhuvinov / NimbusDS
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Russ Housley
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Peck, Michael A
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Dick Hardt
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Matt Miller (mamille2)
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Nat Sakimura
- Re: [jose] Use of AES-HMAC algorithm - Consensus … Edmund Jay
- Re: [jose] Use of AES-HMAC algorithm - Consensus … John Bradley