Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

"Jim Schaad" <ietf@augustcellars.com> Thu, 25 April 2013 20:55 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>
References: <20130424002901.19246.69134.idtracker@ietfa.amsl.com> <014201ce416a$82761a80$87624f80$@augustcellars.com> <4E1F6AAD24975D4BA5B1680429673943676ACD2E@TK5EX14MBXC284.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943676ACD2E@TK5EX14MBXC284.redmond.corp.microsoft.com>
Date: Thu, 25 Apr 2013 13:55:08 -0700
Message-ID: <01d401ce41f7$2c1982c0$844c8840$@augustcellars.com>
Cc: jose@ietf.org
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

Mike,

There are two possible reasons for me to make the statement.

First - that it is unacceptable that we are making the statement that the
use of AES-GCM - the current standard AEAD algorithm - cannot be used with
this or

Second - that the statement of non-use is insufficiently broad to cover the
needed cases.  The correct statement would be that 

This JSON serialization format re-uses the same IV/Key pair for multiple
recipients.  This means that the algorithm used MUST NOT have any issues
with IV/Key pair re-use.  It is known at this time this will eliminate the
ability to use any algorithm which uses counter mode for encryption.  Among
the AEAD algorithms that use counter mode for their encryption mode is
AES-GCM and thus AES-GCM MUST NOT be used with multiple recipients.

It is noted that almost all (if not all) of the current crop of AEAD
algorithms are using CTR mode and thus cannot be used with this
specification.

Jim
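The failure mode Jim's proposed text describes, as an added example that is not part of the original message: under any counter-mode cipher, two encryptions with the same key/IV pair use the same keystream, so the XOR of the two ciphertexts is the XOR of the two plaintexts, and no key is needed to compute it. To run on a bare Python install the block stands in HMAC-SHA256 for AES as the counter-mode block function; that substitution, the constructed sample messages and the `NonceTracker` guard are assumptions of this example, not anything from the draft, but the XOR algebra shown is the same for AES-GCM's AES-CTR encryption layer.

```python
"""Added example (not from the original message or the JWE draft):
keystream reuse when one key/IV pair protects more than one plaintext.

AES-GCM encrypts with AES in counter mode.  To stay self-contained, the
keystream here comes from HMAC-SHA256 run in counter mode instead of AES
(an assumption of this example, not how AES-GCM is built).
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple


def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, iv || counter) for counter = 0, 1, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Counter mode: ciphertext = plaintext XOR keystream (decryption is identical)."""
    return xor_bytes(plaintext, ctr_keystream(key, iv, len(plaintext)))


def leaked_plaintext_xor(c1: bytes, c2: bytes) -> bytes:
    """Same (key, IV) twice: the keystream cancels and c1 XOR c2 == p1 XOR p2.
    This needs no key material at all."""
    return xor_bytes(c1, c2)


def crib_drag(pxor: bytes, crib: bytes, offset: int) -> bytes:
    """A guessed fragment (`crib`) of one message at `offset` yields the
    corresponding bytes of the other message directly."""
    return xor_bytes(pxor[offset:offset + len(crib)], crib)


class NonceTracker:
    """Hypothetical guard: refuse to issue the same IV twice under one key."""

    def __init__(self) -> None:
        self._seen: Dict[Tuple[bytes, bytes], bool] = {}

    def claim(self, key: bytes, iv: bytes) -> None:
        if (key, iv) in self._seen:
            raise ValueError("key/IV pair re-used under a counter-mode cipher")
        self._seen[(key, iv)] = True


def demo() -> dict:
    # Constructed sample data: one content-encryption key, one IV, two messages.
    cek = bytes(range(32))
    iv = b"\x00" * 12
    p1 = b"Deposit 100 EUR to account 4711 today"
    p2 = b"Deposit 999 EUR to account 9999 today"  # same length for clarity

    c1 = ctr_encrypt(cek, iv, p1)
    c2 = ctr_encrypt(cek, iv, p2)  # same key, same IV: the hazard in question
    pxor = leaked_plaintext_xor(c1, c2)
    recovered = crib_drag(pxor, b"Deposit 100 EUR to account 4711", 0)

    # A distinct IV for the second encryption removes the relation.
    iv2 = b"\x00" * 11 + b"\x01"
    c2_fresh = ctr_encrypt(cek, iv2, p2)
    return {
        "xor_leaks": pxor == xor_bytes(p1, p2),
        "recovered_p2_prefix": recovered,
        "fresh_iv_leaks": xor_bytes(c1, c2_fresh) == xor_bytes(p1, p2),
    }


def tracker_rejects_reuse() -> bool:
    """True when the guard lets a fresh pair through and rejects the repeat."""
    guard = NonceTracker()
    guard.claim(b"k" * 32, b"n" * 12)
    try:
        guard.claim(b"k" * 32, b"n" * 12)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tracker rejects reuse:", tracker_rejects_reuse())
```

The recovered prefix comes out as the other message's first 31 bytes, which is what Jim's text means by an algorithm having "issues with IV/Key pair re-use": the leak is a property of counter mode, not of any particular block cipher, so swapping HMAC for AES changes nothing about it.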


> -----Original Message-----
> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> Sent: Wednesday, April 24, 2013 11:48 PM
> To: Jim Schaad
> Cc: jose@ietf.org
> Subject: RE: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
> 
> Jim - I am surprised that you would say that my co-authors Eric Rescorla or Joe
> Hildebrand or the working group would advocate using AES GCM in a way that
> would result in severe security vulnerabilities - in particular, allowing
> attackers to obtain the XOR of the messages to multiple recipients encrypted
> using GCM - a vulnerability identified by the CFRG.
> 
> Not stating this in the document would seem to me to be highly irresponsible,
> given the brittleness of GCM in this regard, as identified by the CFRG.  As I
> said to Richard Barnes over dinner last night, while unpleasant, and possibly
> surprising to those who aren't familiar with how GCM actually works, as an
> editor, I viewed including the statement that "AES GCM MUST NOT be used
> when using the JWE JSON Serialization for multiple recipients, since this
> would result in the same Initialization Vector and Plaintext values being used
> for multiple GCM encryptions" as necessary, and "truth in advertising".
> 
> 				-- Mike
> 
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim
> Schaad
> Sent: Wednesday, April 24, 2013 9:07 PM
> To: Mike Jones
> Cc: jose@ietf.org
> Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
> 
> Mike,
> 
> AES GCM MUST NOT be used when using the JWE JSON Serialization for
>    multiple recipients, since this would result in the same
>    Initialization Vector and Plaintext values being used for multiple
>    GCM encryptions.
> 
> I doubt your co-authors would agree with this.
> I doubt the working group will agree with this.
> I know that at least one co-chair does not agree with this.  I can predict
> that the AD and IESG along with the security directorate would crucify me if
> I allowed this to stand in the document.
> 
> Jim
> 
> 
> 
> > -----Original Message-----
> > From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf
> > Of internet-drafts@ietf.org
> > Sent: Tuesday, April 23, 2013 5:29 PM
> > To: i-d-announce@ietf.org
> > Cc: jose@ietf.org
> > Subject: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> >  This draft is a work item of the Javascript Object Signing and
> > Encryption Working Group of the IETF.
> >
> > 	Title           : JSON Web Encryption (JWE)
> > 	Author(s)       : Michael B. Jones
> >                           Eric Rescorla
> >                           Joe Hildebrand
> > 	Filename        : draft-ietf-jose-json-web-encryption-09.txt
> > 	Pages           : 54
> > 	Date            : 2013-04-23
> >
> > Abstract:
> >    JSON Web Encryption (JWE) is a means of representing encrypted
> >    content using JavaScript Object Notation (JSON) data structures.
> >    Cryptographic algorithms and identifiers for use with this
> >    specification are described in the separate JSON Web Algorithms (JWA)
> >    specification.  Related digital signature and MAC capabilities are
> >    described in the separate JSON Web Signature (JWS) specification.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption
> >
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-09
> >
> > A diff from the previous version is available at:
> > http://www.ietf.org/rfcdiff?url2=draft-ietf-jose-json-web-encryption-09
> >
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > jose mailing list
> > jose@ietf.org
> > https://www.ietf.org/mailman/listinfo/jose
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose