Re: [jose] Draft describing encrypting JWK key representations, with JWE

["Jim Schaad" <ietf@augustcellars.com>]

Use PBKDF2 as a general key wrap mechanism seems to be a bad idea.  Take the
key and use it as a key wrap key for randomly generated content encryption
key.  Thus alg should be "AES128KW" rather than direct.

 

Jim

 

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
Peck, Michael A
Sent: Friday, March 15, 2013 12:59 PM
To: Richard Barnes; Mike Jones
Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
Subject: Re: [jose] Draft describing encrypting JWK key representations,
with JWE

 

+1

 

NIST Special Publication 800-132 provides recommendations for the parameters
that the group may find useful.

http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf

 

It may also be worth thinking about using PBKDF2 instead of the "dir"
(Direct Encryption with a Shared Symmetric Key) mechanism described in
draft-ietf-jose-json-web-algorithms-08 section 4.6.  The shared symmetric
key would be used as the PBKDF2 "password", and this would force a new key
to be used for each encryption, rather than the current "dir" approach of
using the same encryption key repeatedly.

 

Mike

 

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
Richard Barnes
Sent: Friday, March 15, 2013 12:53 PM
To: Mike Jones
Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
Subject: Re: [jose] Draft describing encrypting JWK key representations,
with JWE

 

Do I count as an expert?  :)

 

As I understand it, PBDKF2 is completely fine for key protection.  PBKDF2
has mechanisms to mitigate the dictionary attack risks, e.g., having a high
number of iterations. We might want to make some recommendations as to how
you set those parameters. And the actual key wrapping is done with something
like AES-KW, so that step is fine.

 

So I would be completely fine with adding this to JWE / JWA.  We should do
this.

 

--Richard

 

 

On Fri, Mar 15, 2013 at 12:48 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

That's up to the working group.  I'm actually hoping that experts on the
lists will respond to Yaron's comments before we make a decision on whether
PBKDF2 as specified is an appropriate key wrapping algorithm or not.

 

Assuming that the content in Matt's draft eventually becomes an RFC or part
of one, the PBKDF2 definition would end up in the algorithms registry either
way, even if it's not part of the JWA spec itself.

 

                                                            Cheers,

                                                            -- Mike

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
Richard Barnes
Sent: Friday, March 15, 2013 9:43 AM
To: Mike Jones
Cc: Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
Subject: Re: [jose] Draft describing encrypting JWK key representations,
with JWE

 

So, Mike, would you be OK with adding PBE to JWE / JWA, as a new key
wrapping algorithm?

 

--Richard

 

 

 

On Fri, Mar 15, 2013 at 12:14 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

[Adding JOSE mailing list to the thread]

For clarification, PBKDF2 is not the only algorithm that could be used to
wrap keys in this scheme.  This draft *adds* PBKDF2 to the set of algorithms
already specified for use with encryption in the JSON Web Algorithms (JWA)
specification
(http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08).  In
particular, other algorithms such as AES Key Wrap and AES GCM are also
present there.

I'll let others who are experts in PBKDF2 and password-based encryption
respond to Yaron's specific comment.

                                -- Mike

-----Original Message-----
From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
Sent: Friday, March 15, 2013 8:16 AM
To: cfrg@irtf.org; Mike Jones
Subject: Re: Draft describing encrypting JWK key representations, with JWE

Hi Mike,

I'm probably missing something, but I'm worried about the security of this
scheme (though I do appreciate the usability/convenience of passwords).

PBKDF2 is meant to make dictionary attacks on stored passwords harder, as a
second line defense, once the server has been breached. Using it to encrypt
data and then sending the data on the wire, makes the data vulnerable to
this same dictionary attack (in this case the effort comes to the space of
all possible passwords - say 1 million - times 1000).
Moreover, this also puts the password itself in danger.

Thanks,
        Yaron

>
> ------------------------------
>
> Message: 5
> Date: Fri, 15 Mar 2013 14:10:32 +0000
> From: Mike Jones <Michael.Jones@microsoft.com>
> To: "cfrg@irtf.org" <cfrg@irtf.org>
> Subject: [Cfrg] Draft describing encrypting JWK key representations
>       with JWE
> Message-ID:
>
> <4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.redmond.corp.
<mailto:4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.redmond.corp
.%0b> 
> microsoft.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> http://tools.ietf.org/html/draft-miller-jose-jwe-protected-jwk-01
>
> This also adds password-based encryption to the algorithm registry.
>
>                                                              -- Mike
>
> -------------- next part -------------- An HTML attachment was
> scrubbed...
> URL:
> <http://www.irtf.org/mail-archive/web/cfrg/attachments/20130315/02e36b
> 24/attachment.htm>
>
> ------------------------------
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>
>
> End of Cfrg Digest, Vol 95, Issue 3
> ***********************************
>
_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose