Re: [jose] PBES2-HS256+A256KW or PBES2-HS512+A256KW?

Mike Jones <Michael.Jones@microsoft.com> Wed, 31 July 2013 15:43 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Sean Turner <turners@ieca.com>
Thread-Topic: PBES2-HS256+A256KW or PBES2-HS512+A256KW?
Date: Wed, 31 Jul 2013 15:43:11 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B734A2A@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436B6EC773@TK5EX14MBXC284.redmond.corp.microsoft.com> <51F2793D.1010309@ieca.com>
In-Reply-To: <51F2793D.1010309@ieca.com>
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] PBES2-HS256+A256KW or PBES2-HS512+A256KW?

Hi Sean,

HMAC SHA-512 would be used as the pseudo-random function (PRF) by PBKDF2.  The key output size would still be 256 bits when used with A256KW, so truncation would occur as part of the key generation (see the statement about the dkLen values in http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-14#section-4.9).  The encrypted key size is whatever the size of the original Content Encryption Key (CEK) is, plus the A256KW overhead.  So you're not carrying extra bytes on the wire.  (You are computing extra bytes as intermediate results during the password-based encryption computation, but given that it's a *good thing* for this to be computationally intensive, that's probably not a bad thing.)

Am I missing something here?  If not, I think we should align with what McGrew has done and pair the use of HMAC SHA-512 with the use of 256 bit AES keys (and pair HMAC SHA-384 with the use of 192 bit AES keys).  For one thing, this would mean that we would have algorithm identifiers using a diversity of hash functions.

I won't lose sleep over this either way, but my sense of symmetry tells me that it would be nice to match the algorithms in the way that McGrew did.

Thoughts?

				-- Mike

-----Original Message-----
From: Sean Turner [mailto:turners@ieca.com] 
Sent: Friday, July 26, 2013 6:27 AM
To: Mike Jones
Cc: jose@ietf.org
Subject: Re: PBES2-HS256+A256KW or PBES2-HS512+A256KW?

Mike,

Apologies for taking too long to get back to this.

The -01 version used HMAC-512 untruncated.  To me that didn't make much sense.  You're getting some level of security but you're carrying a lot of extra bytes.  Using either a truncated HMAC-512 as Dave's draft does or HMAC-SHA-256 lines up the bits of security provided by the algs.  I guess the embedded question is whether we should align the 3.

spt

On 7/18/13 11:26 PM, Mike Jones wrote:
> Currently JWA defines two password-based key encryption algorithms:
>
>                 PBES2-HS256+A128KW
>
>                 PBES2-HS256+A256KW
>
> I was surprised that when the AES key size was increased from 128 to
> 256, the HMAC key size was not also increased from 256 to 512. Sean,
> Matt had told me that this used to be the case in his individual draft,
> but that you had requested that HMAC SHA-256 be used for both algorithms.
>
> If for no other reasons than symmetry, I'm curious why.  For instance,
> in McGrew's AES-CBC-HMAC-SHA2 draft, these pairings are made:
>
>                 128 bit AES with 256 bit HMAC
>
>                 192 bit AES with 384 bit HMAC
>
>                 256 bit AES with 512 bit HMAC
>
> Sean, why aren't we doing the same for password-based encryption?
>
>                                                              Thanks,
>
>                                                              -- Mike
>
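A worked version of the derivation Mike describes above, added here as an illustration and not part of the thread or of the JWA draft: PBKDF2 is run with HMAC-SHA-512 as the PRF, with dkLen set to the A256KW key size, so the 512-bit PRF output is cut down to 256 bits at key-derivation time and the wrapped CEK on the wire is no larger than with HMAC-SHA-256. The passphrase, salt input and iteration count are constructed sample values; the salt construction UTF8(alg) || 0x00 || salt-input is the one in the final JWA (RFC 7518), which is assumed here rather than taken from the -14 draft referenced above. PBKDF2 is written out by hand so the truncation step is visible, and checked against the standard library's implementation.

```python
import hashlib
import hmac
import struct

# Constructed sample inputs for this illustration (hypothetical, not from the thread).
PASSWORD = b"correct horse battery staple"
P2S = bytes(range(16))   # hypothetical 16-byte salt input ("p2s" in RFC 7518)
P2C = 4096               # hypothetical iteration count ("p2c" in RFC 7518)

# PBES2 algorithm name -> (PRF hash, length in bytes of the AES key-wrapping key).
# The first and last names appear in the thread; the HS384/A192KW row is the third
# McGrew-style pairing Mike proposes.
PBES2_ALGS = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def jose_salt(alg: str, p2s: bytes) -> bytes:
    """Salt as specified in RFC 7518: UTF8(alg) || 0x00 || salt input (assumed here)."""
    return alg.encode("utf-8") + b"\x00" + p2s


def pbkdf2_manual(hash_name: str, password: bytes, salt: bytes,
                  iterations: int, dk_len: int) -> bytes:
    """Textbook PBKDF2 (RFC 2898): DK = T_1 || T_2 || ... truncated to dkLen bytes."""
    h_len = hashlib.new(hash_name).digest_size
    blocks_needed = -(-dk_len // h_len)           # ceil(dkLen / hLen)
    out = b""
    for i in range(1, blocks_needed + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
        u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()
        t = u
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
    # With HMAC-SHA-512 (hLen = 64) and a 32-byte wrapping key, a single 64-byte block
    # is computed and then truncated here; no extra bytes leave this function.
    return out[:dk_len]


def derive_kek(alg: str, password: bytes, p2s: bytes, p2c: int) -> bytes:
    """Key-encryption key for a PBES2 algorithm, using the hand-written PBKDF2."""
    hash_name, key_len = PBES2_ALGS[alg]
    return pbkdf2_manual(hash_name, password, jose_salt(alg, p2s), p2c, key_len)


def derive_kek_stdlib(alg: str, password: bytes, p2s: bytes, p2c: int) -> bytes:
    """Same derivation via hashlib, used as a cross-check."""
    hash_name, key_len = PBES2_ALGS[alg]
    return hashlib.pbkdf2_hmac(hash_name, password, jose_salt(alg, p2s), p2c, dklen=key_len)


def truncation_is_prefix(password: bytes, p2s: bytes, p2c: int) -> bool:
    """The 256-bit KEK for PBES2-HS512+A256KW is exactly the first 32 bytes of the
    untruncated 512-bit PBKDF2-HMAC-SHA512 output for the same inputs."""
    alg = "PBES2-HS512+A256KW"
    full = hashlib.pbkdf2_hmac("sha512", password, jose_salt(alg, p2s), p2c, dklen=64)
    return derive_kek(alg, password, p2s, p2c) == full[:32]


if __name__ == "__main__":
    for alg in PBES2_ALGS:
        kek = derive_kek(alg, PASSWORD, P2S, P2C)
        assert kek == derive_kek_stdlib(alg, PASSWORD, P2S, P2C)
        print(f"{alg}: {len(kek) * 8}-bit KEK = {kek.hex()}")
    print("HS512 KEK is a prefix of the untruncated output:",
          truncation_is_prefix(PASSWORD, P2S, P2C))
```

The derived key feeds the AES key wrap (A128KW/A192KW/A256KW) of the CEK; the wrap output is the CEK length plus the fixed 8-byte key-wrap overhead regardless of which PRF hash was used, which is the point Mike makes about nothing extra being carried on the wire.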