IETF Logo Mail Archive

Re: [jose] Feedback request on jose tracker issue#11: Should we use RFC 5116 and remove the JWE Integrity Value field?

"Manger, James H" <James.H.Manger@team.telstra.com> Fri, 12 April 2013 02:37 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF41321E803A for <jose@ietfa.amsl.com>; Thu, 11 Apr 2013 19:37:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.9
X-Spam-Level:
X-Spam-Status: No, score=-0.9 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mtz74Ea-1TFx for <jose@ietfa.amsl.com>; Thu, 11 Apr 2013 19:37:37 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id 4D12821E8042 for <jose@ietf.org>; Thu, 11 Apr 2013 19:37:36 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="4.87,460,1363093200"; d="scan'208,217"; a="129417113"
Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipocvi.tcif.telstra.com.au with ESMTP; 12 Apr 2013 12:37:35 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,7042"; a="124972259"
Received: from wsmsg3704.srv.dir.telstra.com ([172.49.40.197]) by ipcbvi.tcif.telstra.com.au with ESMTP; 12 Apr 2013 12:37:35 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3704.srv.dir.telstra.com ([172.49.40.197]) with mapi; Fri, 12 Apr 2013 12:37:34 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: "odonoghue@isoc.org" <odonoghue@isoc.org>, "jose@ietf.org" <jose@ietf.org>
Date: Fri, 12 Apr 2013 12:37:34 +1000
Thread-Topic: [jose] Feedback request on jose tracker issue#11: Should we use RFC 5116 and remove the JWE Integrity Value field?
Thread-Index: Ac43EJSRagaqhpUVQeO8f/LbwpXZBAAEXPFw
Message-ID: <255B9BB34FB7D647A506DC292726F6E1150C5F1446@WSMSG3153V.srv.dir.telstra.com>
References: <51674E3D.7030004@isoc.org>
In-Reply-To: <51674E3D.7030004@isoc.org>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E1150C5F1446WSMSG3153Vsrv_"
MIME-Version: 1.0
Subject: Re: [jose] Feedback request on jose tracker issue#11: Should we use RFC 5116 and remove the JWE Integrity Value field?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2013 02:37:38 -0000

Karen,
I think this poll conflates 2 issues: a) making the integrity check value part of the ciphertext (as per RFC 5116); and b) not treating the IV in CBC-HMAC as an (app-supplied) AEAD nonce, but as part of the randomized (crypto-library-supplied) ciphertext (as per draft-mcgrew-aead-aes-cbc-hmac-sha2).

RFC 5116 “An interface and algorithms for authenticated encryption” has a nonce (N) and a separate field to the ciphertext. N is a separate input to the encryption and decryption operations.
draft-mcgrew-aead-aes-cbc-hmac-sha2 defines AEAD algorithms that take a zero-length nonce, but prefix the ciphertext with a random IV.


So my answer to the poll:

2b.
Switch to using RFC 5116.
A JWE should have separate nonce and ciphertext fields (but no separate integrity value field).
JWE should use the term “nonce”, instead of “initialization vector”.
Any integrity value that an algorithm creates should be part of the ciphertext.
When draft-mcgrew-aead-aes-cbc-hmac-sha2 is used as the AEAD algorithm the nonce field will be empty, and the ciphertext field will be a concatenation of an IV, AES output, and the truncated HMAC output.

--
James Manger

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Karen O'Donoghue
Sent: Friday, 12 April 2013 9:59 AM
To: jose@ietf.org
Subject: [jose] Feedback request on jose tracker issue#11: Should we use RFC 5116 and remove the JWE Integrity Value field?

Issue #11 http://trac.tools.ietf.org/wg/jose/trac/ticket/11 proposes restructuring the JWE representation to remove the JWE Integrity Value field and instead use the RFC 5116 (AEAD) binary serialization to represent the Ciphertext, Initialization Vector, and Integrity Value values.  If this proposal is adopted, JWEs would then have three fields – the header, the encrypted key, and the RFC 5116 combination of the Ciphertext, Initialization Vector, and Integrity Value values.
This issue is also related to issue #3.  Note that the updated McGrew draft described there could be used whether or not we switched to using RFC 5116.

Which of these best describes your preferences on this issue?
1.  Continue having separate Ciphertext, Initialization Vector, and Integrity Value values in the JWE representation.
2.  Switch to using the RFC 5116 (AEAD) serialization to represent the combination of these three values.
3.  Another resolution (please specify in detail).
0.  I need more information to decide.

Your reply is requested by Friday, April 19th or earlier.

v2.23.0 | Report a Bug | By Email