IETF Logo Mail Archive

Re: [jose] Issue #13 - use AES-GCM for Key Wrapping

Breno de Medeiros <breno@google.com> Thu, 27 June 2013 04:21 UTC

Return-Path: <breno@google.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 195F221F9133 for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 21:21:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B77vqTwA84BZ for <jose@ietfa.amsl.com>; Wed, 26 Jun 2013 21:21:54 -0700 (PDT)
Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id E3BC021F859A for <jose@ietf.org>; Wed, 26 Jun 2013 21:21:47 -0700 (PDT)
Received: by mail-we0-f171.google.com with SMTP id m46so169144wev.16 for <jose@ietf.org>; Wed, 26 Jun 2013 21:21:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=vlDPrQXOM0CAm0gVsV3Cn2G0Rln57/HSKp9mtDxj6EE=; b=VKbKOhiHxs6XuE2C3bQo5GtAByWFbf+DFyCuaITytFlEQTLXIPhpoJ9RPUmMVKHBZC res5rhAw9ryeqaRzg9DEEnKJ2OlIgAuOy1MbZFrz+aa3o1zn+KeoBlWstiCsCjg8kf/I ESI9eKuH1yljXPQSpYsuibQGVxtMkiRQTxZOFkuYxmojlUfQFqGWmvWez/trSj4pf5LX anPnm8P70B8qzPagV9guevPobqAq8Q60PpQYEeU+4FgqeaYBCeqG68U0ee/Vwf11+9M9 vGoahBxAunRidsk0ZX9desqPJDN5ZAV5t8a2yaop9PnaUiyptcH96RrB8YA3gMIYHJs2 RKBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=vlDPrQXOM0CAm0gVsV3Cn2G0Rln57/HSKp9mtDxj6EE=; b=CMKdFShXobTbqegZvnY2YsnLVgFmVSocvB47hQXOABTmJ/RyT1cPojIi5zY7wILjbZ klAVfjPee2UZ7dsND5q/mXt70qk4VFkOHm4oiBraLUIqueczk5FLWZbOrdVZ21saXfcj buo73fwZioZO7mRfJK0PE3ygeBZE8Ge1T60awiVXceMdWFA8qWDZe4hjeK/ESUcEaVM6 fsv8hsWQh7PIqMTR2WyJq5qbih3bSnehHx6yXpWXjvp/pV+5FcVHwX3UR32fxZRtJUzW PdeiYodARKK/ku6JGmKQuBHLT83t31mnYrp6OaANwXRtq2t5aGqCXuIeb3sCDk0PTuxb Z9ag==
MIME-Version: 1.0
X-Received: by 10.180.188.97 with SMTP id fz1mr4638132wic.34.1372306906985; Wed, 26 Jun 2013 21:21:46 -0700 (PDT)
Received: by 10.194.151.72 with HTTP; Wed, 26 Jun 2013 21:21:46 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436789D481@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B168042967394367898761@TK5EX14MBXC283.redmond.corp.microsoft.com> <034101ce729b$27473b00$75d5b100$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789B458@TK5EX14MBXC283.redmond.corp.microsoft.com> <03b901ce72e5$01248190$036d84b0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789D481@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Wed, 26 Jun 2013 21:21:46 -0700
Message-ID: <CAAJ++qGUTLrqT9JmDDw0LJUusYzqorKCH6EpzriLnOeBTs7EuA@mail.gmail.com>
From: Breno de Medeiros <breno@google.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQkqYAMxb1+G0kZshncXQ2lh8ju0M7VT+iPXMDgW80alQInivE34/Ht8LYoT5xAJnVdcqQRorA++10c2J3jU7Q1J/ZGaichd7W5KIICWdon0tN3OVkQgyBaSfnohFGi7FarKQyQ2iKo50jZut+zqKuNPNdIE9pgYebOYiytW5DGJlGze1Dcknzx2CSCcxCLuc0IV/sjb
Cc: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Issue #13 - use AES-GCM for Key Wrapping
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 04:21:56 -0000

I also don't believe that supporting the matrix of possible
algorithmic combinations satisfies any business need.

On Wed, Jun 26, 2013 at 9:01 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> For my part, I consider the fact that people will need to register specific
> algorithm combinations that they actually need to be a feature – not a bug.
> The smaller the set of algorithm combinations registered, the more likely
> that they will be implemented and will interoperate.  Trying to claim that
> we support the combinatorial explosion of mask generation functions, hash
> functions, key derivation functions, key wrapping functions, etc. that are
> possible will almost certainly result in less interoperability and more
> developer confusion than a small set of registered choices, carefully
> considered.  I’m glad to have people consider these criteria in their
> evaluation of the two choices.
>
>
>
>
> -- Mike
>
>
>
> From: Jim Schaad [mailto:ietf@augustcellars.com]
> Sent: Wednesday, June 26, 2013 8:18 PM
> To: Mike Jones; jose@ietf.org
>
>
> Subject: RE: [jose] Issue #13 - use AES-GCM for Key Wrapping
>
>
>
> My point was that there were some issues that your draft did not fully
> address that need to be evaluated as part of your proposal not that these
> algorithms would need to be added.  The n x m addition of algorithms to the
> registry is an issue that is there for your draft that is not present for
> Richard’s draft and therefore needs to be considered in the arguments.
>
>
>
> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> Sent: Wednesday, June 26, 2013 12:22 PM
> To: Jim Schaad; jose@ietf.org
> Subject: RE: [jose] Issue #13 - use AES-GCM for Key Wrapping
>
>
>
> Yes, we could also propose algorithm combinations for key agreement followed
> GCM key wrapping but I didn’t think that was an ask from the working group.
> The Denver minutes just recorded my action item as “key wrap draft for
> AES-GCM-keywrap”, so that’s what I did.  We could have a discussion on
> Monday’s call and on the list about whether the working group is also
> interested in other algorithms.
>
>
>
> Remember, the beauty of having the algorithms registry is that algorithms
> can be added “just in time” – as actual need for them is demonstrated.  We
> don’t have to register all conceivable algorithm combinations up front for
> the JWE/JWA specs to be complete.
>
>
>
> As for how the AEAD parameters are handled I used a parameter encoding that
> doesn’t result in double base64url encoding anything.  I could have instead
> introduced separate “iv” and “tag” header parameter values, but didn’t do so
> for that reason.  But if people would prefer that approach because it’s more
> parallel to the use of GCM for plaintext encryption, I have no problem with
> that.
>
>
>
> I do believe that the objective of my draft was met – demonstrating that
> AEAD key wrapping can be easily done with the current drafts.  The details
> of how the algorithm parameters are encoded is secondary to that and
> algorithm-specific; several reasonable choices are possible within the
> current JWE framework – one of which was described in my draft.
>
>
>
>                                                                 -- Mike
>
>
>
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim
> Schaad
> Sent: Wednesday, June 26, 2013 11:30 AM
> To: Mike Jones; jose@ietf.org
> Subject: Re: [jose] Issue #13 - use AES-GCM for Key Wrapping
>
>
>
> <no hat>
>
> <sarcasm level=”heavy”>
>
>
>
> I am shocked that you would possibly support this proposal.  It provides for
> two ways of dealing with something.  It is my understanding that you never
> support anything that has two ways of doing something.
>
>
>
> How the AEAD algorithm parameters is handled completely differently for this
> proposal and for the same algorithms being used in a CEK context.  This is
> going to lead to confusion.
>
>
>
> </sarcasm>
>
>
>
> Your specification is missing some items that still need to be registered
> Thus you also need to have ECDH-ES+A128GCMKW and ECDH-ES+A256GCMKW defined
> in your document as well.
>
>
>
> Your document ends up with a registration complexity that needs to be
> thought about and dealt with as well.  For every new key wrap algorithm
> added, you will need to register not only it alone but also it with every
> different key agreement algorithm that is supported.  Thus adding a single
> key wrap algorithm becomes a slight issue in terms of adding in all of the
> different ways that it might be used.  This is a complexity issue that is
> not discussed in the current draft.
>
>
>
> I have not necessarily found that document size equals code size.  I have
> implemented some very simple documents that were very difficult to code and
> implemented some very long documents that were very easy to code.  So I
> would not use that fact as a deciding factor.
>
>
>
> (Once again I regret the fact that the group did not go with an object
> descriptor for algorithms as this would have made all of this much simpler.
> I actually immediately map from the string to an object description in my
> JOSE implementation for simplicity reasons.  Not to mention that this is way
> it needs to be done for the WebCrypto specficiation.)
>
>
>
> Jim
>
>
>
>
>
>
>
> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> Sent: Tuesday, June 25, 2013 4:18 PM
> To: 'Jim Schaad'; jose@ietf.org
> Subject: RE: [jose] Issue #13 - use AES-GCM for Key Wrapping
>
>
>
> http://tools.ietf.org/html/draft-jones-jose-aes-gcm-key-wrap-00 seems like a
> substantially simpler approach than
> http://tools.ietf.org/html/draft-barnes-jose-key-wrapping-01.  This is
> evident by several metrics:
>
> ·        Number of proposed changes:  The Jones draft proposes no changes to
> any of the current specs.  It simply defines an encoding for GCM and adds
> registry entries for it.  Whereas the Barnes draft proposes a major
> restructuring – listing 4 major changes in the introduction and 4 smaller
> changes.
>
> ·        Normative text size:  The Jones GCM key wrap approach requires only
> 7 normative sentences in 1/2 page of text.  The Barnes draft has four pages
> of normative text, along with an extensive introduction describing the
> proposed complete restructuring of JWS and JWE.
>
>
>
> We don’t need to boil the ocean with a total redesign to enable AEAD key
> wrapping.  It can already easily be done with the current specs simply by
> defining new algorithms.  The approach taken in
> http://tools.ietf.org/html/draft-jones-jose-aes-gcm-key-wrap-00 would work
> for any AEAD algorithm.
>
>
>
>                                                                 -- Mike
>
>
>
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim
> Schaad
> Sent: Tuesday, June 25, 2013 9:53 AM
> To: jose@ietf.org
> Subject: [jose] Issue #13 - use AES-GCM for Key Wrapping
>
>
>
> We now have two documents – one from Richard and one from Mike – which
> provide the two different ways that have been proposed for doing key
> wrapping with an AEAD algorithm.
>
>
>
> Please review the two documents and provide comments to the list.
>
>
>
> Jim
>
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>



-- 
--Breno

v2.23.0 | Report a Bug | By Email