Re: [jose] Draft describing encrypting JWK key representations, with JWE
"Jim Schaad" <ietf@augustcellars.com> Fri, 15 March 2013 18:36 UTC
Using PBKDF2 as a general key wrap mechanism seems to be a bad idea. Take the key and use it as a key wrap key for a randomly generated content encryption key. Thus alg should be "AES128KW" rather than direct.

Jim

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Peck, Michael A
Sent: Friday, March 15, 2013 12:59 PM
To: Richard Barnes; Mike Jones
Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE

+1

NIST Special Publication 800-132 provides recommendations for the parameters that the group may find useful.
http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf

It may also be worth thinking about using PBKDF2 instead of the "dir" (Direct Encryption with a Shared Symmetric Key) mechanism described in draft-ietf-jose-json-web-algorithms-08 section 4.6. The shared symmetric key would be used as the PBKDF2 "password", and this would force a new key to be used for each encryption, rather than the current "dir" approach of using the same encryption key repeatedly.

Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Friday, March 15, 2013 12:53 PM
To: Mike Jones
Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE

Do I count as an expert? :)

As I understand it, PBKDF2 is completely fine for key protection. PBKDF2 has mechanisms to mitigate the dictionary attack risks, e.g., having a high number of iterations. We might want to make some recommendations as to how you set those parameters. And the actual key wrapping is done with something like AES-KW, so that step is fine.

So I would be completely fine with adding this to JWE / JWA. We should do this.

--Richard

On Fri, Mar 15, 2013 at 12:48 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

That's up to the working group. I'm actually hoping that experts on the lists will respond to Yaron's comments before we make a decision on whether PBKDF2 as specified is an appropriate key wrapping algorithm or not.

Assuming that the content in Matt's draft eventually becomes an RFC or part of one, the PBKDF2 definition would end up in the algorithms registry either way, even if it's not part of the JWA spec itself.

Cheers,
-- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Friday, March 15, 2013 9:43 AM
To: Mike Jones
Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE

So, Mike, would you be OK with adding PBE to JWE / JWA, as a new key wrapping algorithm?

--Richard

On Fri, Mar 15, 2013 at 12:14 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

[Adding JOSE mailing list to the thread]

For clarification, PBKDF2 is not the only algorithm that could be used to wrap keys in this scheme. This draft *adds* PBKDF2 to the set of algorithms already specified for use with encryption in the JSON Web Algorithms (JWA) specification (http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08). In particular, other algorithms such as AES Key Wrap and AES GCM are also present there.

I'll let others who are experts in PBKDF2 and password-based encryption respond to Yaron's specific comment.

-- Mike

-----Original Message-----
From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
Sent: Friday, March 15, 2013 8:16 AM
To: cfrg@irtf.org; Mike Jones
Subject: Re: Draft describing encrypting JWK key representations, with JWE

Hi Mike,

I'm probably missing something, but I'm worried about the security of this scheme (though I do appreciate the usability/convenience of passwords).

PBKDF2 is meant to make dictionary attacks on stored passwords harder, as a second line of defense, once the server has been breached. Using it to encrypt data and then sending the data on the wire makes the data vulnerable to this same dictionary attack (in this case the effort comes to the space of all possible passwords - say 1 million - times 1000). Moreover, this also puts the password itself in danger.

Thanks,
Yaron

> Message: 5
> Date: Fri, 15 Mar 2013 14:10:32 +0000
> From: Mike Jones <Michael.Jones@microsoft.com>
> To: "cfrg@irtf.org" <cfrg@irtf.org>
> Subject: [Cfrg] Draft describing encrypting JWK key representations with JWE
>
> http://tools.ietf.org/html/draft-miller-jose-jwe-protected-jwk-01
>
> This also adds password-based encryption to the algorithm registry.
>
> -- Mike
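
The arrangement proposed at the top of this message (the shared key used as a key wrap key for a randomly generated content encryption key), as an added Node.js example that is not part of the original thread or of any JOSE draft. The function names, the message object layout and SHA-256 as the PBKDF2 PRF are assumptions of this sketch, and the output is not a JWE serialization.

```javascript
// Added illustration (not from the thread): the shared key wraps a fresh
// random CEK per message instead of encrypting content directly ("dir").
const nodeCrypto = require('node:crypto');

const KW_IV = Buffer.alloc(8, 0xa6); // RFC 3394 default initial value

// Wrap a content encryption key (CEK) under the key-encryption key (KEK).
function wrapKey(kek, cek) {
  const c = nodeCrypto.createCipheriv('aes128-wrap', kek, KW_IV);
  return Buffer.concat([c.update(cek), c.final()]);
}

// Unwrap; throws when the wrapped key was altered or the KEK is wrong.
function unwrapKey(kek, wrapped) {
  const d = nodeCrypto.createDecipheriv('aes128-wrap', kek, KW_IV);
  return Buffer.concat([d.update(wrapped), d.final()]);
}

// Sender: new CEK and IV for every message, content under AES-128-GCM.
function seal(kek, plaintext) {
  const cek = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-128-gcm', cek, iv);
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return {
    alg: 'A128KW', // JWA identifier for AES Key Wrap with a 128-bit key
    encryptedKey: wrapKey(kek, cek),
    iv, ciphertext, tag: c.getAuthTag(),
  };
}

// Recipient: recover the CEK, then authenticate and decrypt the content.
function unseal(kek, msg) {
  const cek = unwrapKey(kek, msg.encryptedKey);
  const d = nodeCrypto.createDecipheriv('aes-128-gcm', cek, msg.iv);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.ciphertext), d.final()]);
}

// Password case: PBKDF2 only derives the KEK; the wrap step is unchanged.
// SHA-256 as the PRF is an assumption of this sketch.
function kekFromPassword(password, salt, iterations) {
  return nodeCrypto.pbkdf2Sync(password, salt, iterations, 16, 'sha256');
}
```

Two messages sealed under the same long-term key carry different wrapped CEKs, so the long-term key never encrypts content itself.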