IETF Logo Mail Archive

Re: [jose] PBES2-HS256+A128KW: where do salt and iteration count go?

Richard Barnes <rlb@ipv.sx> Tue, 16 July 2013 23:17 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A087221F9D71 for <jose@ietfa.amsl.com>; Tue, 16 Jul 2013 16:17:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MxDecNjs6+p4 for <jose@ietfa.amsl.com>; Tue, 16 Jul 2013 16:17:12 -0700 (PDT)
Received: from mail-oa0-f48.google.com (mail-oa0-f48.google.com [209.85.219.48]) by ietfa.amsl.com (Postfix) with ESMTP id CF86321F9DAF for <jose@ietf.org>; Tue, 16 Jul 2013 16:17:11 -0700 (PDT)
Received: by mail-oa0-f48.google.com with SMTP id f4so1634573oah.21 for <jose@ietf.org>; Tue, 16 Jul 2013 16:17:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=DJgE9c5T2ePL6J1dA3I42bXDju2F8/LBV3SGr3KEAps=; b=P2JeTFlzujYBEO9wunt8BksZRO6jHNd9E+N2o3usPhWXDq5aDkLQZW9AVpBkp2nNP5 gYrzS0imQrY8jVYOgwnCiYaxw6e3/9uETaR0lAuiWTHAITYGt71MimmzZXFr1Sgt+axI rvdK1QUg6CXtPQUWz0bdaSaERwvv6oxqhQeJW/Ds448EB0cD2OJW/vhGhDvgpwgbbIvj 3y06I2W7GP0GKP6+5TVp3WDeu9+DSyWdk3fusKx53q4uWkBpT7TVwbvpF0s4ShJknFv5 3CkLFvosI/WWYh1zJ/m492H6dUxhzLK6MLeS+yqJIqBH7KkhldLGMYoa5kZ81Q6iOZ0X 57Dg==
MIME-Version: 1.0
X-Received: by 10.60.134.239 with SMTP id pn15mr4627701oeb.99.1374016628632; Tue, 16 Jul 2013 16:17:08 -0700 (PDT)
Received: by 10.60.26.135 with HTTP; Tue, 16 Jul 2013 16:17:08 -0700 (PDT)
X-Originating-IP: [72.66.6.13]
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED941152C0944@xmb-aln-x11.cisco.com>
References: <255B9BB34FB7D647A506DC292726F6E1151C7C31BF@WSMSG3153V.srv.dir.telstra.com> <BF7E36B9C495A6468E8EC573603ED941152C0944@xmb-aln-x11.cisco.com>
Date: Tue, 16 Jul 2013 19:17:08 -0400
Message-ID: <CAL02cgQF1O67LMivM+tzuAb-6BawPDL1m0mPC7+s=FzN7zrjwg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
Content-Type: multipart/alternative; boundary="047d7b41ce4810bcb404e1a92d51"
X-Gm-Message-State: ALoCoQmLoRaFwooPjEefl7AcUC2msDBGLSDtUpVjfjNnjfx/m7Hot0Zs3WNBUMAVGbsclKgqLMg3
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] PBES2-HS256+A128KW: where do salt and iteration count go?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2013 23:17:16 -0000

Like James, I don't think -13 (or draft-miller-jose-jwe-protected-jwk) is
quite right in how the parameters are laid out.  PBES should be exactly
like ECDH -- the parameters for the KEK derivation and key encryption all
go in the header.  The JWE header for an ECDH-protected JWE might look like
this:

{
  "alg":"ECDH-ES+A128KW",
  "kid":"27a4c46f-6d36-4a8c-814c-c954165f6dc9",
  "epk":{...},
  "apu":"...",
  "apv":"...",
  "enc":"A128CBC+HS256",
  "cty":"application/jwk+json"
}

So the example JWE header in draft-miller-jose-jwe-protected-jwk would be:

{
  "alg":"PBES2-HS256+A128KW",
  "kid":"27a4c46f-6d36-4a8c-814c-c954165f6dc9",
  "s":"2WCTcJZ1Rvd_CJuJripQ1w",
  "c":4096,
  "enc":"A128CBC+HS256",
  "cty":"application/jwk+json"
}

Similarly, if we were to, say, define an algorithm identifier
"PBES2-HS256+A128GCM", the "iv" and "tag" fields would go in the header as
well.

{
  "alg":"PBES2-HS256+A128KW",
  "kid":"27a4c46f-6d36-4a8c-814c-c954165f6dc9",
  "s":"2WCTcJZ1Rvd_CJuJripQ1w",
  "c":4096,
  "iv":"lyjGhnbbzu6nEx2MkgTl2Q",
  "tag":"S7mmAbr3AeXVbsTP0M3e4w",
  "enc":"A128CBC+HS256",
  "cty":"application/jwk+json"
}







On Tue, Jul 16, 2013 at 5:52 PM, Matt Miller (mamille2)
<mamille2@cisco.com>wrote:

> I would like to first note that the vast majority of the password-based
> text came from draft-miller-jose-jwe-protected-jwk (discussed a few times
> on this list), and was included between the end of the JOSE virtual interim
> (2013-07-15T17:00Z) and the submission deadline.
>
> On Jul 15, 2013, at 7:13 PM, "Manger, James H" <
> James.H.Manger@team.telstra.com> wrote:
>
> > draft-ietf-jose-json-web-algorithms-13 adds password-based encryption
> algorithms that involve a salt (s) and iteration count (c). I cannot quite
> tell how s & c are conveyed. Section 4.9.1 "PBES2-HS256+A128KW" says s & c
> come from the "applicable PBKDF2 JWK object".
> >
> > Is the "applicable PBKDF2 JWK object" the value of the "jwk" header
> parameter in a JWE message?
> > Or is the "applicable PBKDF2 JWK object" part of each parties
> locally-configured key set (which is not part of a message, but can be
> referenced by a "kid" header parameter)?
>
> The "applicable PBKDF2 JWK object" is whichever of the key-identifying
> fields ("jwk", "jku", or "kid") works for your application.  The intent of
> these algorithms is to protect private- or symmetric-key JWK objects, and
> to be as self-contained as possible, so the original examples used "jwk".
>  When this was put together, using JWK objects seemed to make the most
> sense and fit the syntax and semantics.
>
> >
> > The latter makes little sense as salt and iteration count are parameters
> of a particular message, not fixed for a given password.
> >
>
> Those are good points, and favor moving "c" and "s" from a JWK into the
> JWE header (as implicitly proposed elsewhere in this thread).  See above
> for the original rationale.
>
> > The former is at best underspecified. "jwk" is defined as "the public
> key to which the JWE was encrypted" [
> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-13#section-4.1.5].
> s & c obviously are not a public key so that definition would need to
> change.
> >
> > A PBKDF2 JWK object is also defined to have a 'hint' parameter ("a
> descriptive clue to the password"). It would be awful if 'hint's were sent
> in JOSE messages. JWK needs to do a much better job of separating sensitive
> fields (secret key, private key, password hint) from public fields. If we
> need text to display when prompting for a password I think we need a
> different field to 'hint'.
> >
>
> Do you have suggested changes/replacements.
>
> > An example of PBES2-HS256+A128KW would help.
> >
>
> I'll let Mike Jones speak to this revision specifically.  An example does
> exist in the original draft-miller-jose-jwe-protected-jwk.
>
>
> - m&m
>
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>

v2.23.0 | Report a Bug | By Email