IETF Logo Mail Archive

Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption

"Jim Schaad" <ietf@augustcellars.com> Mon, 13 February 2012 00:16 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C01D121F8709 for <jose@ietfa.amsl.com>; Sun, 12 Feb 2012 16:16:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.794
X-Spam-Level:
X-Spam-Status: No, score=-2.794 tagged_above=-999 required=5 tests=[AWL=-0.435, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C63B1z3348nq for <jose@ietfa.amsl.com>; Sun, 12 Feb 2012 16:16:18 -0800 (PST)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id E91E921F8703 for <jose@ietf.org>; Sun, 12 Feb 2012 16:16:17 -0800 (PST)
Received: from Tobias (exodus.augustcellars.com [207.202.179.27]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 4B3A82C9E7; Sun, 12 Feb 2012 16:16:15 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: 'John Bradley' <ve7jtb@ve7jtb.com>
References: <9509AB72-10CC-4BA6-A61C-AD9C4AC7944A@cisco.com> <B26C1EF377CB694EAB6BDDC8E624B6E73A8BEDC2@SN2PRD0304MB235.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739435F7113A8@TK5EX14MBXC285.redmond.corp.microsoft.com> <109CDA9B-7427-4FB5-ADFD-4A72E82E4CAA@cisco.com> <045101cca4c3$87a77b60$96f67220$@augustcellars.com> <32DB7054-1E9F-4BFB-80EC-D5F863C1BB03@ve7jtb.com> <01c401cce9df$1d6db690$584923b0$@augustcellars.com> <2C03AE7C-C9E0-4373-AC95-B265C2F16646@ve7jtb.com>
In-Reply-To: <2C03AE7C-C9E0-4373-AC95-B265C2F16646@ve7jtb.com>
Date: Sun, 12 Feb 2012 16:15:29 -0800
Message-ID: <01cd01cce9e4$9961f1d0$cc25d570$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-us
Thread-index: AQIfXWiGz+BYDGrCkc9B4MZ2d8XmRgGqxNXOAcOgPqsBrEMyFgIUxGhfAb7pkuYCUqYwMgGl5Y1wlS3V4/A=
Cc: 'Mike Jones' <Michael.Jones@microsoft.com>, jose@ietf.org
Subject: Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2012 00:16:18 -0000

> -----Original Message-----
> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> Sent: Sunday, February 12, 2012 4:05 PM
> To: Jim Schaad
> Cc: 'Mike Jones'; jose@ietf.org
> Subject: Re: [jose] comments on draft-jones-json-web-signature and draft-
> jones-json-web-encryption
> 
> 
> On 2012-02-12, at 8:36 PM, Jim Schaad wrote:
> 
> >
> >
> >> -----Original Message-----
> >> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
> >> Sent: Sunday, February 12, 2012 1:41 PM
> >> To: Jim Schaad
> >> Cc: 'David McGrew'; 'Mike Jones'; jose@ietf.org
> >> Subject: Re: [jose] comments on draft-jones-json-web-signature and
> draft-
> >> jones-json-web-encryption
> >>
> >> Jim,
> >>
> >> I may be missing something.
> >>
> >> The scenario below is using RFC6278 and pre shared EC keys to crate a
> > master
> >> symmetric key to wrap a per message symmetric key used for generating
> a
> >> HMAC, or to use the master symmetric key to wrap a MAC of the
> message?
> >
> > It is using static-ephemeral ECDH (or ECDH-ES) to generate a symmetric
key
> > which uses A128KW to wrap a symmetric key which is used to MAC the
> message.
> 
> Ah OK you had static static that confused me.  We do have ECDSA-ES for
> encryption, but hadn't thought about it for signing, because it is more
> integrity, without knowing the identity of the originator.

Yeah - I forgot - it depends on if you want to know who sent it.  If you
want to know who sent it then you need to use static-static.  But that is
completely orthogonal to the rest of the argument.

> 
> >
> >>
> >> For EC we only included ECDSA.
> >>
> >> The main difference is that with EC-DH-SS only the intended recipient
can
> >> verify the message.  Slightly different from the ECDSA case.
> >
> > But not any different from the case of using a pre-shared secret key and
a
> > MAC algorithm.  This is the current MUST implement.  ECDSA is only a
> SHOULD
> > implement.
> 
> I don't know that we are going to get more agreement on ECDH-ES being a
> MUST than ECDSA.

I am not saying that it needs to be a MUST - but the current structure does
not support it in any fashion.

> 
> >
> >>
> >> Is the reason for this performance in a embedded environment?
> >
> > In the case I outlined below, yes this is an embedded system.  The goal
> was,
> > in part, to use the fewest possible cryptographic primitives necessary.
> > Since encryption was a requirement, there was already AES and EC
> > shared-secret computation.  Using an AES based KDF meant that there are
> no
> > hash functions.  Adding integrity protection as well without adding new
> > primitives was desired.  It could use EC + the AES KDF to get a key and
> > AES-CBC (or AES-GMAC) to compute a MAC by adding only modes.
> 
> In your original post I missed that the body was encrypted, I thought you
> were only encrypting the key.

In this case I am not encrypting the body.  I am only doing an
authentication operation.  What I am looking at is the number of primitives
that are required for the sender to be able to do both operations.

> 
> Generating a unauthenticated integrity check.
> 
> If we are talking about Encryption then ECDH-ES with AES-GWC in the
> existing spec works.
> We do need to add the MAC integrity check to support CBC.
> 
> Again in ECDH-ES only the recipient is authenticated.
> 
> >
> >>
> >> I think there is a general question about key wrapping vs using the
pre-
> >> shared or key agreement value directly.
> >> The current specs lean towards using the values directly rather than
for
> > key
> >> wrapping.
> >>
> >> I tend to prefer key wrapping for security,  but that depends on people
> >> actually rotating keys, and it makes the minimum message size larger.
> >
> > Actually it is the other way around.  Not using key wrapping is more
> > dependent on people actually rotating keys.  If one uses a key agreement
> or
> > key transport to carry the key, then a fresh key is being used for the
MAC
> > every time and there is no problems with either forward security or
> > gathering a large number of messages with the same MAC value and being
> able
> > to do things based on that.  So you most likely trading off message size
for
> > security depending on the source of the key you are using for the MAC
> > operation.   For example if it came from the TLS session then the answer
> > would be different.
> 
> My confidence in people using a fresh key for the MAC each time in
> wrapping is less than yours.
> I admit encouraging them to do the right thing is probably the best,
rather
> than optimizing for there potential mistakes.
> 

There are a lot of things people can do that is bad.  That does not mean we
should discourage those that want to do it correctly.

> 
> >
> >>
> >> Is key agreement for integrity (signing) common?
> >
> > How common is it to use MACs?  In those cases how many people are
> > complaining because the shared keys never get rolled over?  No it is not
> > common, what is common is to have no security at all.  The next is to
have
> > very long term shared keys for doing MACs.
> >
> > One could possibly argue that the entire project is a waste of time
since
> > all of these items are sent over a TLS session (or should be) and
therefore
> > the integrity of the transfer is already protected.  This would mean
that
> > you are making for bigger messages by adding a second level of integrity
> > protection.  The question is what is the second level of integrity
> > protection trying to protect?  Is it trying to be long term or short
term?
> > Without knowing what the goals are, it is not possible to say that the
> > answer is actually working correctly.
> >
> In general with HMAC type integrity checks people infer the identity of
the
> originator through the possession of the long term secret.
> 
> The scenario you present seems to not care about the identity of the
> originator.

See above note - It actually does use a static-static.  But as I can easily
add to that to the list of "private" algorithms this is not a stumbling
block.  Note that if you look at the above I needed to add a new ECDH
algorithm in any event since I am not using the standard KDF function.

Jim

> 
> Sorry if the questions are simple.
> I am just trying to understand the use case.
> 
> John B.
> 
> >>
> >> John B.
> >> On 2011-11-16, at 9:54 PM, Jim Schaad wrote:
> >>
> >>> Mike,
> >>>
> >>> I think that while the structures for JWS might need to undergo some
> >> changes that will mean that while the MAC and Digital Signature
> > structures.
> >> As I mentioned at the F2F meeting, I know of someone is doing some
> small
> >> device work where they are sending messages from the devices to more
> >> central locations.  In this case there is not a pre-existing shared
secret
> >> generally between the two entities and they are not using TLS so they
> > could
> >> not derive one from the session key.  Mapping what they do into the
> > current
> >> JWS work would require some changes. Specifically
> >>>
> >>> Header Object
> >>>  - contains a MAC algorithm to be used - generally AES-GMAC
> >>>  - contains a key wrapping algorithm - generally AES key wrap
> >>>  - contains a key agreement algorithm - generally EC-DH
> >>> Key Exchange Value - the CEK wrapped by the KEK where the KEK came
> >> from the static-static EC-DH algorithm
> >>> Body
> >>> MAC value
> >>>
> >>> In this case we have four not three items that need to be placed in
the
> >> sequence of items to be sent between the originator and the verifier.
I
> >> would still compute the MAC value in much the same way, only I would
> >> compute the MAC over the first three elements instead of the two
> >> elements.
> >>>
> >>> This is the sort of thing that is used in a more store and forward
> >> environment or one where the answer is going to be pre-computed or
> >> where it needs to last longer than just the current session (i.e. later
> >> validation).
> >>>
> >>> The same type of thing can be used for a long term shared KEK value on
> >> both the sender and recipient, where a unique CEK is generated for each
> >> message and wrapped.  David would be a better person than I am to
> address
> >> the question of security.  -"Do you have more security by doing an
> > indirection
> >> and have a fresh key for doing the MAC on each operation rather than
> using
> >> the long term key for doing the MAC."
> >>>
> >>> If we did the above change, then I would say that the "Key Exchange
> >> Value" would become and empty string if you have a key derivied from
> the
> >> TLS session that you are using - but this would still lead to having
four
> > not
> >> three elements in the MAC case.
> >>>
> >>> Jim
> >>>
> >>>
> >>> _______________________________________________
> >>> jose mailing list
> >>> jose@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/jose
> >
> >

v2.23.0 | Report a Bug | By Email