IETF Logo Mail Archive

Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

John Bradley <ve7jtb@ve7jtb.com> Thu, 25 April 2013 23:13 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7687621F96AB for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 16:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gqXLEON207-7 for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 16:13:36 -0700 (PDT)
Received: from mail-ie0-x22b.google.com (mail-ie0-x22b.google.com [IPv6:2607:f8b0:4001:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id B5D1521F8808 for <jose@ietf.org>; Thu, 25 Apr 2013 16:13:36 -0700 (PDT)
Received: by mail-ie0-f171.google.com with SMTP id e11so4362958iej.30 for <jose@ietf.org>; Thu, 25 Apr 2013 16:13:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=YEeXDjvlOZmKVpEVt1vGSbuso0awVVDsOZH1KHfJ6y0=; b=RmbuX/IHZb8338axHO5Mc2OZFBuvgA+6E+gq7sSZeLQt0zk9RSSR24O8n0aVI4wnju XBBOLT2+f2UK0sSG8sFDGcYR5rcBqW2Yq55Gq79ZRsERI3vf1hFactV05zoBjdkDbvYC 83j7VfI6Flnd3R7zRR9zCrFM5lZrunUEVEKjFABpGfKG6rJo4xwLjv2B/q30bCHVNf4k KGek16A5xHwUQcMxo2pjDSyNPmOGPQTSeZSWxIDZevX+tnNmLCGvmatAmCKi/O9/82e2 d5w5aq0aSHvytdo5IOHYwqQxxiaJ+Da3Ba/BtKJ19bCNNk/SYSISAVNbjNtKPMmLW780 ePoA==
X-Received: by 10.50.129.69 with SMTP id nu5mr253805igb.106.1366931615831; Thu, 25 Apr 2013 16:13:35 -0700 (PDT)
Received: from [192.168.1.39] (190-20-37-138.baf.movistar.cl. [190.20.37.138]) by mx.google.com with ESMTPSA id xc3sm115919igb.10.2013.04.25.16.13.31 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 25 Apr 2013 16:13:33 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_440B6DA6-A608-4CF2-9656-AE9511D827B4"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <95BF000E-50B4-4D42-8F21-A6D5BE9D7A59@cisco.com>
Date: Thu, 25 Apr 2013 20:13:23 -0300
Message-Id: <18BB8C27-5373-40A3-B1F6-F21F66B5BF75@ve7jtb.com>
References: <20130424002901.19246.69134.idtracker@ietfa.amsl.com> <014201ce416a$82761a80$87624f80$@augustcellars.com> <B9EADFAC-382A-40C3-937C-C07E77777273@vigilsec.com> <4E1F6AAD24975D4BA5B1680429673943676C00E2@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgTmv_A+cs4eJ6oK4v3AqgxZA2q=wdV69ey4xydcaupGuw@mail.gmail.com> <95BF000E-50B4-4D42-8F21-A6D5BE9D7A59@cisco.com>
To: Matt Miller <mamille2@cisco.com>
X-Mailer: Apple Mail (2.1503)
X-Gm-Message-State: ALoCoQnjixwtlCMahlVDxvUvSwqvowO6hLhol92Kz/eV2T5JFDdEEkp0TG93zQfqqM2qlNBvw4rA
Cc: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>, Russ Housley <housley@vigilsec.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 23:13:37 -0000

I agree with Matt.   I don't think there is anything in the XMPP use case that would break if the envelope is integrity protected.  
I think there is only a single envelope anyway as I understand it.   

John B.

On 2013-04-25, at 7:02 PM, Matt Miller <mamille2@cisco.com> wrote:

> 
> On Apr 25, 2013, at 3:56 PM, Richard Barnes <rlb@ipv.sx>
> wrote:
> 
>> On Thu, Apr 25, 2013 at 3:09 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:
>> 
>>> Hi Russ,
>>> 
>>> I agree that enabling GCM to be safely used in the multiple recipients
>>> case would be highly desirable.  It is currently prohibited because if the
>>> recipients share a common key and initialization vector (IV) but use
>>> different AAD values, this results in the identified vulnerability.  One
>>> possible solution that continues integrity protecting the headers but
>>> enables the safe use of GCM was identified off-list by John Bradley.
>>> 
>>> That solution is to have each recipient always use the same key, IV, and
>>> AAD values.  This could be accomplished by including all the header values
>>> in a single combined AAD value, rather than having the integrity protection
>>> for each recipient's headers be independent.
>>> 
>>> This change could be done in a manner that doesn't affect the computation
>>> for the single recipients case.  Given the upcoming interim JOSE meeting
>>> next week, and given the (understandable) strong negative reaction to the
>>> unusability of GCM with the current multiple recipients processing rules,
>>> I'll plan on quickly producing a draft -10 that changes the processing
>>> rules in the manner described above, so that idea can be concretely
>>> considered by the working group next week.
>>> 
>>> Just so people are clear on the properties on the new processing rules -
>>> this would mean that the integrity computations for each recipients would
>>> no longer be independent.  The only downside of this (which could be an
>>> upside in some ways) is that it would no longer be possible to add
>>> recipients over time without performing a new encryption computation with a
>>> new CEK and IV.
>>> 
>> 
>> As I said to John, that is not an acceptable solution because it breaks the
>> XMPP use case.  The minimum sensible change is to remove the per-recipient
>> info from the integrity check.
>> 
> 
> It is not clear to me how John's suggestion utterly breaks the XMPP use case, unless you have this alternate-reality version of XMPP-E2E you've not yet told me about (-:
> 
> The current XMPP document already separates per-recipient info from the actual protected content.
> 
> 
> - m&m
> 
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email