[jose] #19: JWA needs to specify an IV for use with JWE AES Key Wrap

"jose issue tracker" <trac+jose@trac.tools.ietf.org> Tue, 09 April 2013 19:45 UTC

Return-Path: <trac+jose@trac.tools.ietf.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 6974521F9915 for <jose@ietfa.amsl.com>; Tue, 9 Apr 2013 12:45:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id k8sirlvAsQPP for <jose@ietfa.amsl.com>; Tue, 9 Apr 2013 12:45:12 -0700 (PDT)
Received: from grenache.tools.ietf.org (grenache.tools.ietf.org [IPv6:2a01:3f0:1:2::30]) by ietfa.amsl.com (Postfix) with ESMTP id 9FC1B21F9913 for <jose@ietf.org>; Tue, 9 Apr 2013 12:45:11 -0700 (PDT)
Received: from localhost ([]:60822 helo=grenache.tools.ietf.org ident=www-data) by grenache.tools.ietf.org with esmtp (Exim 4.80) (envelope-from <trac+jose@trac.tools.ietf.org>) id 1UPeTc-0000CJ-Hx; Tue, 09 Apr 2013 21:45:08 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: jose issue tracker <trac+jose@trac.tools.ietf.org>
X-Trac-Version: 0.12.3
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.12.3, by Edgewall Software
To: draft-ietf-jose-json-web-algorithms@tools.ietf.org, watsonm@netflix.com
X-Trac-Project: jose
Date: Tue, 09 Apr 2013 19:45:08 -0000
X-URL: http://tools.ietf.org/jose/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/jose/trac/ticket/19
Message-ID: <058.8ab7e9fb3e5c44c53a9f01ea0b317516@trac.tools.ietf.org>
X-Trac-Ticket-ID: 19
X-SA-Exim-Rcpt-To: draft-ietf-jose-json-web-algorithms@tools.ietf.org, watsonm@netflix.com, jose@ietf.org
X-SA-Exim-Mail-From: trac+jose@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on grenache.tools.ietf.org); SAEximRunCond expanded to false
Resent-To: mbj@microsoft.com
Resent-Message-Id: <20130409194511.9FC1B21F9913@ietfa.amsl.com>
Resent-Date: Tue, 09 Apr 2013 12:45:11 -0700
Resent-From: trac+jose@trac.tools.ietf.org
Cc: jose@ietf.org
Subject: [jose] #19: JWA needs to specify an IV for use with JWE AES Key Wrap
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2013 19:45:12 -0000

#19: JWA needs to specify an IV for use with JWE AES Key Wrap

 Section 4.5 of JSON Web Algorithms specifies the use of AES Key Wrap with
 JWE with reference to RFC3394. The RFC does not require a particular
 Initial Value to be used, although it defined a "default Initial Value".

 (a) The JWA specification needs to specify that the default Initial Value
 from RFC3394 must be used, or
 (b) The JWE specification needs to include an object member to specify the
 Initial Value that was used (note that is this distinct from the
 Initialization Vector used for the payload encryption).

 I suggest (a) and I am uncertain of the security properties of (b).

 Reporter:               |      Owner:  draft-ietf-jose-json-web-
  watsonm@netflix.com    |  algorithms@tools.ietf.org
     Type:  defect       |     Status:  new
 Priority:  minor        |  Milestone:
Component:  json-web-    |    Version:
  algorithms             |   Keywords:
 Severity:  -            |

Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/19>
jose <http://tools.ietf.org/jose/>