IETF Logo Mail Archive

Re: [jose] #28: AES-GCM should not be allowed for content encryption in combination with Direct Encryption key management mode

"jose issue tracker" <trac+jose@trac.tools.ietf.org> Thu, 01 August 2013 11:00 UTC

Return-Path: <trac+jose@trac.tools.ietf.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3586121E8053 for <jose@ietfa.amsl.com>; Thu, 1 Aug 2013 04:00:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YalUEA8NQ+Tc for <jose@ietfa.amsl.com>; Thu, 1 Aug 2013 04:00:18 -0700 (PDT)
Received: from grenache.tools.ietf.org (grenache.tools.ietf.org [IPv6:2a01:3f0:1:2::30]) by ietfa.amsl.com (Postfix) with ESMTP id 22D9A11E80C5 for <jose@ietf.org>; Thu, 1 Aug 2013 04:00:17 -0700 (PDT)
Received: from localhost ([127.0.0.1]:49146 helo=grenache.tools.ietf.org ident=www-data) by grenache.tools.ietf.org with esmtp (Exim 4.80) (envelope-from <trac+jose@trac.tools.ietf.org>) id 1V4qc5-0004k5-6c; Thu, 01 Aug 2013 13:00:09 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: jose issue tracker <trac+jose@trac.tools.ietf.org>
X-Trac-Version: 0.12.3
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.3, by Edgewall Software
To: draft-ietf-jose-json-web-algorithms@tools.ietf.org, michael.jones@microsoft.com, ietf@augustcellars.com, mpeck@mitre.org
X-Trac-Project: jose
Date: Thu, 01 Aug 2013 11:00:09 -0000
X-URL: http://tools.ietf.org/jose/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/jose/trac/ticket/28#comment:5
Message-ID: <069.30c309038827142dbc4d6345d4b10d97@trac.tools.ietf.org>
References: <054.7c33f2d20d536f291cb1402eed2d1710@trac.tools.ietf.org>
X-Trac-Ticket-ID: 28
In-Reply-To: <054.7c33f2d20d536f291cb1402eed2d1710@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Rcpt-To: draft-ietf-jose-json-web-algorithms@tools.ietf.org, michael.jones@microsoft.com, ietf@augustcellars.com, mpeck@mitre.org, jose@ietf.org
X-SA-Exim-Mail-From: trac+jose@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on grenache.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: mbj@microsoft.com
Resent-Message-Id: <20130801110018.22D9A11E80C5@ietfa.amsl.com>
Resent-Date: Thu, 01 Aug 2013 04:00:17 -0700
Resent-From: trac+jose@trac.tools.ietf.org
Cc: jose@ietf.org
Subject: Re: [jose] #28: AES-GCM should not be allowed for content encryption in combination with Direct Encryption key management mode
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 11:00:19 -0000

#28: AES-GCM should not be allowed for content encryption in combination with
Direct Encryption key management mode


Comment (by michael.jones@microsoft.com):

 What's practical for applications depends entirely upon the application
 context.  For many applications, the rate of encryption transactions by
 itself means that 2-to-the-32 encryption operations will never be
 performed, and so no "keeping track" would be needed.  2-to-the-32 is big.
 For instance, it would take 136 years to do that many encryptions at a
 rate of one per second.  If the algorithm is used to encrypt daily updates
 of information, you'd have over 49,000 years of updates before hitting the
 limit.

 We've told applications that they must not exceed this limit.  We've given
 them other algorithms without this limit - notably McGrew's
 AES_CBC_HMAC_SHA2 algorithms.  If applications choose to not heed these
 constraints, I'm sure that we have bigger problems. There are a lot easier
 ways they can hurt themselves by not heeding other usage constraints.

 For instance, if they ignore what's said about safely using the JOSE
 crypto encodings, they could always use zero initialization vector values.
 They could publish their symmetric and private keys on publicly accessible
 Internet sites.  They could use random number generators and key
 generators that produce constant or predictable values.  Etc.

 Yes, it's possible to use direct encryption with GCM in an unsafe manner.
 It's possible to use all the crypto operations in an unsafe manner.  The
 key is that we've clearly told applications how to not do that.  If they
 choose to ignore what the specs say about how to use the crypto operations
 safely, there's very little we can do to prevent that.  (Heck, even if we
 accepted your proposed action for this issue, they could ignore a
 prohibition not to use GCM for direct encryption as well! :-) )  I think
 we've already fulfilled our responsibilities to implementers and
 applications by clearly saying how to do safe crypto, both in this
 particular case, and in others.

-- 
-------------------------+-------------------------------------------------
 Reporter:               |       Owner:  draft-ietf-jose-json-web-
  mpeck@mitre.org        |  algorithms@tools.ietf.org
     Type:  defect       |      Status:  new
 Priority:  major        |   Milestone:
Component:  json-web-    |     Version:
  algorithms             |  Resolution:
 Severity:  -            |
 Keywords:               |
-------------------------+-------------------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/28#comment:5>
jose <http://tools.ietf.org/jose/>

v2.23.0 | Report a Bug | By Email