Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
Mike Jones <Michael.Jones@microsoft.com> Thu, 25 April 2013 22:29 UTC
From: Mike Jones <Michael.Jones@microsoft.com>
To: Russ Housley <housley@vigilsec.com>
Date: Thu, 25 Apr 2013 22:28:10 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943676C0535@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <20130424002901.19246.69134.idtracker@ietfa.amsl.com> <014201ce416a$82761a80$87624f80$@augustcellars.com> <4E1F6AAD24975D4BA5B1680429673943676ACD2E@TK5EX14MBXC284.redmond.corp.microsoft.com> <74C39AC5-0C6B-4DC1-A273-3996D97D90A9@vigilsec.com>
In-Reply-To: <74C39AC5-0C6B-4DC1-A273-3996D97D90A9@vigilsec.com>
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
The same message isn't being encrypted with multiple GCM keys. It is only encrypted with one key. Indeed, the proposed change that I discussed in my earlier message to you that would enable the use of GCM with multiple recipients would only encrypt the plaintext once. The originator and all recipients use exactly the same key stream - just as you said.

-- Mike

From: Russ Housley [mailto:housley@vigilsec.com]
Sent: Thursday, April 25, 2013 2:40 PM
To: Mike Jones
Cc: jose@ietf.org
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

Mike:

The same message encrypted with different GCM keys is a problem, but that is not what ought to be going on here. I tried to explain that in my previous message. The same GCM key is delivered to multiple recipients, perhaps using different key management techniques. Since the originator and all of the recipients use exactly the same key stream, this XOR concern does not arise.

Russ

On Thu, Apr 25, 2013 at 2:48 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:

Jim - I am surprised that you would say that my co-authors Eric Rescorla or Joe Hildebrand or the working group would advocate using AES GCM in a way that would result in severe security vulnerabilities - in particular, allowing attackers to obtain the XOR of the messages to multiple recipients encrypted using GCM - a vulnerability identified by the CFRG. Not stating this in the document would seem to me to be highly irresponsible, given the brittleness of GCM in this regard, as identified by the CFRG.

As I said to Richard Barnes over dinner last night, while unpleasant, and possibly surprising to those who aren't familiar with how GCM actually works, as an editor, I viewed including the statement that "AES GCM MUST NOT be used when using the JWE JSON Serialization for multiple recipients, since this would result in the same Initialization Vector and Plaintext values being used for multiple GCM encryptions" as necessary, and "truth in advertising".

-- Mike

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Jim Schaad
Sent: Wednesday, April 24, 2013 9:07 PM
To: Mike Jones
Cc: jose@ietf.org
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

Mike,

AES GCM MUST NOT be used when using the JWE JSON Serialization for multiple recipients, since this would result in the same Initialization Vector and Plaintext values being used for multiple GCM encryptions.

I doubt your co-authors would agree with this. I doubt the working group will agree with this. I know that at least one co-chair does not agree with this. I can predict that the AD and IESG along with the security directorate would crucify me if I allowed this to stand in the document.

Jim

> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf
> Of internet-drafts@ietf.org
> Sent: Tuesday, April 23, 2013 5:29 PM
> To: i-d-announce@ietf.org
> Cc: jose@ietf.org
> Subject: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Javascript Object Signing and
> Encryption Working Group of the IETF.
>
> Title : JSON Web Encryption (JWE)
> Author(s) : Michael B. Jones
> Eric Rescorla
> Joe Hildebrand
> Filename : draft-ietf-jose-json-web-encryption-09.txt
> Pages : 54
> Date : 2013-04-23
>
> Abstract:
> JSON Web Encryption (JWE) is a means of representing encrypted
> content using JavaScript Object Notation (JSON) data structures.
> Cryptographic algorithms and identifiers for use with this
> specification are described in the separate JSON Web Algorithms (JWA)
> specification. Related digital signature and MAC capabilities are
> described in the separate JSON Web Signature (JWS) specification.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-09
>
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-jose-json-web-encryption-09
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose