IETF Logo Mail Archive

Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK

Mike Jones <Michael.Jones@microsoft.com> Tue, 12 March 2013 20:21 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0382D11E8140 for <jose@ietfa.amsl.com>; Tue, 12 Mar 2013 13:21:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[AWL=-0.600, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, J_CHICKENPOX_44=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2GPuSiIPoeUT for <jose@ietfa.amsl.com>; Tue, 12 Mar 2013 13:20:59 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0241.outbound.protection.outlook.com [207.46.163.241]) by ietfa.amsl.com (Postfix) with ESMTP id 8F9C111E8108 for <jose@ietf.org>; Tue, 12 Mar 2013 13:20:59 -0700 (PDT)
Received: from BL2FFO11FD005.protection.gbl (10.173.161.200) by BL2FFO11HUB035.protection.gbl (10.173.161.115) with Microsoft SMTP Server (TLS) id 15.0.620.12; Tue, 12 Mar 2013 20:20:56 +0000
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD005.mail.protection.outlook.com (10.173.161.1) with Microsoft SMTP Server (TLS) id 15.0.620.12 via Frontend Transport; Tue, 12 Mar 2013 20:20:56 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.132]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.02.0318.003; Tue, 12 Mar 2013 20:20:00 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>, "Peck, Michael A" <mpeck@mitre.org>
Thread-Topic: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK
Thread-Index: AQHOH1w+q0obM/4B3E2z5wOsWscejpiifSFA
Date: Tue, 12 Mar 2013 20:19:59 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943675001A6@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <8B4C063947CD794BB6FF90C78BAE9B321EFC09EC@IMCMBX04.MITRE.ORG> <CAL02cgSn-_+_7RAHrETdbzvHBq3d=xa0kmuh9HuvAf9TjJp_eA@mail.gmail.com>
In-Reply-To: <CAL02cgSn-_+_7RAHrETdbzvHBq3d=xa0kmuh9HuvAf9TjJp_eA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943675001A6TK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(199002)(189002)(24454001)(124975001)(243025002)(377454001)(31966008)(512954001)(63696002)(16406001)(79102001)(53806001)(46102001)(4396001)(33656001)(49866001)(77982001)(54316002)(44976002)(56816002)(5343635001)(47446002)(76482001)(74502001)(74662001)(51856001)(50986001)(69226001)(20776003)(16297215001)(15202345001)(59766001)(66066001)(56776001)(65816001)(47736001)(47976001)(80022001)(55846006)(54356001)(5343655001)(16236675001); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB035; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 078310077C
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2013 20:21:03 -0000

As previously extensively discussed, the McGrew draft does two things - one helpful and one not:

1.  It specifies using a key that is actually the concatenation of an AES-CBC key and an HMAC SHA-2 key, rather than use of a KDF.  That's good, as it's simple for implementers.

2.  It specifies that the initialization vector and integrity value be concatenated with other values in particular ways, and conversely, how to extract them when decrypting.  That's not good, as it adds complexity for implementers - especially when JWEs already utilize a straightforward representation for these values, which doesn't require the binary concatenation and extraction conventions specified by McGrew.

I know that John Bradley is going to ask the question tomorrow whether we should change to doing the first for our composite CBC+HMAC algorithms.  I believe that doing the second would be counterproductive.

                                                            -- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Tuesday, March 12, 2013 1:00 PM
To: Peck, Michael A
Cc: jose@ietf.org
Subject: Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK

Actually, for everything but key agreement, we can just use draft-mcgrew-aead-aes-cbc-hmac-sha2, with larger keys.  We should not be specifying key expansion here when we can avoid it.

--Richard


On Tue, Mar 12, 2013 at 2:29 PM, Peck, Michael A <mpeck@mitre.org<mailto:mpeck@mitre.org>> wrote:
draft-ietf-jose-json-web-algorithms-08 section 4.7.1 describes the use of Concat KDF on the shared secret Z established by ECDH-ES.

The draft allows for an empty PartyUInfo and PartyVInfo but that may not be allowed by NIST SP 800-56A (where the Concat KDF is defined).
The current (March 2007) version of NIST SP 800-56A requires "At a minimum, PartyUInfo shall include IDU, the identifier of party U." and an equivalent requirement for PartyVInfo. (Page 46 of http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf )
The August 2012 draft update to NIST SP 800-56A requires "At a minimum, PartyUInfo shall include IDu, an identifier for party U, as a distinct item of information." and an equivalent requirement for PartyVInfo. (Page 59 of http://csrc.nist.gov/publications/drafts/800-56a/draft-sp-800-56a.pdf )  My interpretation of this text (others may interpret it differently) is that PartyUInfo and PartyVInfo can't be empty.

Instead of using the Concat KDF, a more appropriate choice may be the KDF described in NIST SP 800-56C and RFC 5869.

Its requirements are not as strict.  (SP 800-56C Page 13: "If the information is available, Context should include the identifiers of the parties who are deriving and/or using the derived keying material")

It would look something like this:

Step 1 - Randomness Extraction:
Key Derivation Key := HMAC(salt, Z)         (HMAC-SHA256 should suffice for all of the current algorithms)

Step 2 - Expansion Step:
Use the Counter Mode KDF defined in SP 800-108 or section 2.3 of RFC 5869 with the same HMAC algorithm used in step 1 to produce needed keys from the Key Derivation Key produced in step 1.
The needed keys would depend on the values of alg and enc.
If alg is ECDH-ES+A128KW or ECDH-ES+A256KW, a single 128 bit or 256 bit key is needed (used to decrypt the CMK, which may then need to be split into CEK/CIK).
If alg is ECDH-ES, then the needed keys depend on "enc":
If enc is AES-GCM, a 128 bit key or 256 bit key is needed.
If enc is one of the AEAD AES-CBC algorithms in draft-mcgrew-aead-aes-cbc-hmac-sha2-01, a key of ENC_KEY_LEN + MAC_KEY_LEN is needed as it's then split into two by the AEAD algorithm.
If enc is one of the current CBC+HMAC options in draft-ietf-jose-json-web-algorithms-08, then two keys are needed, a CEK and a CIK.  Counter Mode KDF could be invoked twice, with different labels each time, or Counter Mode KDF could be invoked once to generate a big key which would then be split into the CEK and CIK.

Richard has already pointed out the issues with using the Concat KDF to derive the CEK/CIK from the CMK.  Instead, one option would be to use the Expansion Step above:  use the Counter Mode KDF with an HMAC to derive necessary keys from the CMK.
Even if we use encryption algorithms that combine the encryption and integrity key such as the CBC+HMAC algorithms in draft-mcgrew-aead-aes-cbc-hmac-sha2-01, there will still be a need to take a smaller master key and create the combined encryption + integrity key from it.


Mike


_______________________________________________
jose mailing list
jose@ietf.org<mailto:jose@ietf.org>
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email