Re: [jose] #28: AES-GCM should not be allowed for content encryption in combination with Direct Encryption key management mode
"jose issue tracker" <trac+jose@trac.tools.ietf.org> Thu, 01 August 2013 11:00 UTC
Return-Path: <trac+jose@trac.tools.ietf.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3586121E8053 for <jose@ietfa.amsl.com>; Thu, 1 Aug 2013 04:00:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YalUEA8NQ+Tc for <jose@ietfa.amsl.com>; Thu, 1 Aug 2013 04:00:18 -0700 (PDT)
Received: from grenache.tools.ietf.org (grenache.tools.ietf.org [IPv6:2a01:3f0:1:2::30]) by ietfa.amsl.com (Postfix) with ESMTP id 22D9A11E80C5 for <jose@ietf.org>; Thu, 1 Aug 2013 04:00:17 -0700 (PDT)
Received: from localhost ([127.0.0.1]:49146 helo=grenache.tools.ietf.org ident=www-data) by grenache.tools.ietf.org with esmtp (Exim 4.80) (envelope-from <trac+jose@trac.tools.ietf.org>) id 1V4qc5-0004k5-6c; Thu, 01 Aug 2013 13:00:09 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: jose issue tracker <trac+jose@trac.tools.ietf.org>
X-Trac-Version: 0.12.3
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.3, by Edgewall Software
To: draft-ietf-jose-json-web-algorithms@tools.ietf.org, michael.jones@microsoft.com, ietf@augustcellars.com, mpeck@mitre.org
X-Trac-Project: jose
Date: Thu, 01 Aug 2013 11:00:09 -0000
X-URL: http://tools.ietf.org/jose/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/jose/trac/ticket/28#comment:5
Message-ID: <069.30c309038827142dbc4d6345d4b10d97@trac.tools.ietf.org>
References: <054.7c33f2d20d536f291cb1402eed2d1710@trac.tools.ietf.org>
X-Trac-Ticket-ID: 28
In-Reply-To: <054.7c33f2d20d536f291cb1402eed2d1710@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: draft-ietf-jose-json-web-algorithms@tools.ietf.org, michael.jones@microsoft.com, ietf@augustcellars.com, mpeck@mitre.org, jose@ietf.org
X-SA-Exim-Mail-From: trac+jose@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on grenache.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: mbj@microsoft.com
Resent-Message-Id: <20130801110018.22D9A11E80C5@ietfa.amsl.com>
Resent-Date: Thu, 01 Aug 2013 04:00:17 -0700
Resent-From: trac+jose@trac.tools.ietf.org
Cc: jose@ietf.org
Subject: Re: [jose] #28: AES-GCM should not be allowed for content encryption in combination with Direct Encryption key management mode
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 11:00:19 -0000
#28: AES-GCM should not be allowed for content encryption in combination with Direct Encryption key management mode Comment (by michael.jones@microsoft.com): What's practical for applications depends entirely upon the application context. For many applications, the rate of encryption transactions by itself means that 2-to-the-32 encryption operations will never be performed, and so no "keeping track" would be needed. 2-to-the-32 is big. For instance, it would take 136 years to do that many encryptions at a rate of one per second. If the algorithm is used to encrypt daily updates of information, you'd have over 49,000 years of updates before hitting the limit. We've told applications that they must not exceed this limit. We've given them other algorithms without this limit - notably McGrew's AES_CBC_HMAC_SHA2 algorithms. If applications choose to not heed these constraints, I'm sure that we have bigger problems. There are a lot easier ways they can hurt themselves by not heeding other usage constraints. For instance, if they ignore what's said about safely using the JOSE crypto encodings, they could always use zero initialization vector values. They could publish their symmetric and private keys on publicly accessible Internet sites. They could use random number generators and key generators that produce constant or predictable values. Etc. Yes, it's possible to use direct encryption with GCM in an unsafe manner. It's possible to use all the crypto operations in an unsafe manner. The key is that we've clearly told applications how to not do that. If they choose to ignore what the specs say about how to use the crypto operations safely, there's very little we can do to prevent that. (Heck, even if we accepted your proposed action for this issue, they could ignore a prohibition not to use GCM for direct encryption as well! :-) ) I think we've already fulfilled our responsibilities to implementers and applications by clearly saying how to do safe crypto, both in this particular case, and in others. -- -------------------------+------------------------------------------------- Reporter: | Owner: draft-ietf-jose-json-web- mpeck@mitre.org | algorithms@tools.ietf.org Type: defect | Status: new Priority: major | Milestone: Component: json-web- | Version: algorithms | Resolution: Severity: - | Keywords: | -------------------------+------------------------------------------------- Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/28#comment:5> jose <http://tools.ietf.org/jose/>
- Re: [jose] #28: AES-GCM should not be allowed for… jose issue tracker
- [jose] #28: AES-GCM should not be allowed for con… jose issue tracker
- Re: [jose] #28: AES-GCM should not be allowed for… jose issue tracker
- Re: [jose] #28: AES-GCM should not be allowed for… jose issue tracker
- Re: [jose] #28: AES-GCM should not be allowed for… jose issue tracker
- Re: [jose] #28: AES-GCM should not be allowed for… jose issue tracker
- Re: [jose] #28: AES-GCM should not be allowed for… jose issue tracker
- Re: [jose] #28: AES-GCM should not be allowed for… jose issue tracker