IETF Logo Mail Archive

Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK

"Jim Schaad" <ietf@augustcellars.com> Fri, 15 March 2013 18:10 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F33DC21F8696 for <jose@ietfa.amsl.com>; Fri, 15 Mar 2013 11:10:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.848
X-Spam-Level:
X-Spam-Status: No, score=-2.848 tagged_above=-999 required=5 tests=[AWL=-0.450, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SNPd1N1lThRc for <jose@ietfa.amsl.com>; Fri, 15 Mar 2013 11:10:15 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id E11FD21F887F for <jose@ietf.org>; Fri, 15 Mar 2013 11:10:09 -0700 (PDT)
Received: from Philemon (dhcp-1431.meeting.ietf.org [130.129.20.49]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 8D0A72CA33; Fri, 15 Mar 2013 11:10:08 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: "'Manger, James H'" <James.H.Manger@team.telstra.com>, 'Mike Jones' <Michael.Jones@microsoft.com>, "'Peck, Michael A'" <mpeck@mitre.org>, 'John Bradley' <ve7jtb@ve7jtb.com>
References: <8B4C063947CD794BB6FF90C78BAE9B321EFC09EC@IMCMBX04.MITRE.ORG> <CAL02cgSn-_+_7RAHrETdbzvHBq3d=xa0kmuh9HuvAf9TjJp_eA@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943675001A6@TK5EX14MBXC283.redmond.corp.microsoft.com> <D1DEAADA-5879-4D05-BDF4-D2D1EA0998B0@ve7jtb.com> <8B4C063947CD794BB6FF90C78BAE9B321EFC0B77@IMCMBX04.MITRE.ORG> <4E1F6AAD24975D4BA5B16804296739436750053A@TK5EX14MBXC283.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E1150B8467A5@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1150B8467A5@WSMSG3153V.srv.dir.telstra.com>
Date: Fri, 15 Mar 2013 14:09:34 -0400
Message-ID: <07b701ce21a8$40b502f0$c21f08d0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_07B8_01CE2186.B9A8BA20"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIfUvokC2KN1bP9hZD3WzbTW1wpuwJJuz3QAMb1EvwBDVdg+AMdMmNBAgT8d5gCo7yYCJelipLg
Content-Language: en-us
Cc: 'Richard Barnes' <rlb@ipv.sx>, jose@ietf.org
Subject: Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 18:10:17 -0000

 

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Manger, James H
Sent: Tuesday, March 12, 2013 8:59 PM
To: Mike Jones; Peck, Michael A; John Bradley
Cc: Richard Barnes; jose@ietf.org
Subject: Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK

 

+1 for using the McGrew draft and RFC 5116 interface.

 

The JOSE-specific A128CBC+HS256 algorithm looks like a valiant attempt to hide some of the binary processing involved with crypto – which has always been defined on bytes, not text. But the result is a poor chimera.

 

For instance, JWE includes the IV as part of the additional authenticated data (AAD). No other AEAD system is defined like this. Everywhere else the IV/nonce and AAD are separate. I hope that doesn’t adversely affect the crypto properties, but it does raise questions about whether it is important for some crypto reason.

 

[JLS] For this algorithm it is absolutely vital that the IV be protected.  Since the authentication is computed on the post encrypted text not the pre-encyrpted text, a decryption could never be able to correctly determine that the IV passed in was correct if it is not validated!!!!!!

 

Every AEAD algorithm treats the AAD and ciphertext as bytes arrays with no restrictions on their content (only restrictions on their length). Hence they use some binary packing when processing both to calculate an integrity check. EXCEPT the JOSE-specific AEAD algorithms (A128CBC+HS256 and A256CBC+HS512). They force base64url-encoding *inside* the AEAD algorithm so they can use a text dot “.” as a separator.

 

While A128CBC+HS256 is implemented by hand in JOSE-specific code using AES and HMAC primitives the problems with this chimera are mainly hidden. However, I don’t believe any generic AEAD interface can ever handle this JOSE-specific algorithm efficiently.

 

The “extra work” of adopting the AEAD encoding/decoding conventions is: concatenating byte arrays; and taking a known-length prefix and suffix from a byte array. You cannot get much simpler. It can only be an annoyance for a language that is not byte-array-friendly, but even such a language will have to handle byte arrays at some point to interface with crypto.

 

Even using the McGrew draft then separating the output into IV/ciphertext/MAC to re-package as a JOSE message would be better than the JOSE-specific A128CBC+HS256 and A256CBC+HS512.

 

P.S. I think ECMAScript edition 6 is introducing support for byte arrays so even hassle handling bytes in JavaScript should fade.

 

--

James Manger

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Wednesday, 13 March 2013 8:06 AM
To: Peck, Michael A; John Bradley
Cc: Richard Barnes; jose@ietf.org
Subject: Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK

 

Possibly using the McGrew draft had been discussed before, but there was strong push-back on it.  It would change more than the CBC/HMAC representation – it would change all the JWE representations, as it would remove the Initialization Vector and Integrity Value fields, and instead require all implementations to implement and apply the AEAD binary encoding and decoding conventions.  Note that this would change AES-GCM too – not just AES-CBC/HMAC.

 

If commonly available crypto libraries implemented algorithms using the AEAD encoding conventions I would have no problem with this.  But in fact, they don’t.  I don’t know of a single library in the attached set of surveyed implementations that do.  Thus, adopting the AEAD encoding/decoding conventions would create extra work for all implementations in practice – not make things simpler.  It would only be simpler if the existing crypto libraries implemented this standard interface.

 

We should therefore steer clear of this.

 

                                                            Best wishes,

                                                            -- Mike

 

P.S.  Jim Schaad also points out that CMS doesn’t use the RFC 5116 interface either.

 

From: Peck, Michael A [mailto:mpeck@mitre.org] 
Sent: Tuesday, March 12, 2013 2:02 PM
To: John Bradley; Mike Jones
Cc: Richard Barnes; jose@ietf.org
Subject: RE: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK

 

I think that #2 actually reduces complexity for implementers.

They can implement the RFC 5116 interface once (or eventually just invoke a crypto library that implements it for them) – then use that implementation for all protocols that use the RFC 5116 interface, not just JOSE, and know that the details of authenticated encryption have been taken care of. 

 

Mike

 

 

From: John Bradley [mailto:ve7jtb@ve7jtb.com] 
Sent: Tuesday, March 12, 2013 4:49 PM
To: Mike Jones
Cc: Richard Barnes; Peck, Michael A; jose@ietf.org
Subject: Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK

 

Yes I have the recommendation to change from using a KDF to generate the CEK and CIK from the CMK to concatenating the CEK and CIK together as in the McGrew draft.

 

I don't yet have a slide on the new/old issue of concatenating the tag to the message body vs sending it in a separate field.   

 

If people want me to I can add it as well.  Though I thought that was a closed issue.  

 

John B.

 

On 2013-03-12, at 4:19 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

 

As previously extensively discussed, the McGrew draft does two things – one helpful and one not:

 

1.  It specifies using a key that is actually the concatenation of an AES-CBC key and an HMAC SHA-2 key, rather than use of a KDF.  That’s good, as it’s simple for implementers.

 

2.  It specifies that the initialization vector and integrity value be concatenated with other values in particular ways, and conversely, how to extract them when decrypting.  That’s not good, as it adds complexity for implementers – especially when JWEs already utilize a straightforward representation for these values, which doesn’t require the binary concatenation and extraction conventions specified by McGrew.

 

I know that John Bradley is going to ask the question tomorrow whether we should change to doing the first for our composite CBC+HMAC algorithms.  I believe that doing the second would be counterproductive.

 

                                                            -- Mike

 

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Tuesday, March 12, 2013 1:00 PM
To: Peck, Michael A
Cc: jose@ietf.org
Subject: Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK

 

Actually, for everything but key agreement, we can just use draft-mcgrew-aead-aes-cbc-hmac-sha2, with larger keys.  We should not be specifying key expansion here when we can avoid it.

 

--Richard

 

 

On Tue, Mar 12, 2013 at 2:29 PM, Peck, Michael A < <mailto:mpeck@mitre.org> mpeck@mitre.org> wrote:

draft-ietf-jose-json-web-algorithms-08 section 4.7.1 describes the use of Concat KDF on the shared secret Z established by ECDH-ES.

 

The draft allows for an empty PartyUInfo and PartyVInfo but that may not be allowed by NIST SP 800-56A (where the Concat KDF is defined).

The current (March 2007) version of NIST SP 800-56A requires “At a minimum, PartyUInfo shall include IDU, the identifier of party U.” and an equivalent requirement for PartyVInfo. (Page 46 of <http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf> http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf )

The August 2012 draft update to NIST SP 800-56A requires “At a minimum, PartyUInfo shall include IDu, an identifier for party U, as a distinct item of information.” and an equivalent requirement for PartyVInfo. (Page 59 of  <http://csrc.nist.gov/publications/drafts/800-56a/draft-sp-800-56a.pdf> http://csrc.nist.gov/publications/drafts/800-56a/draft-sp-800-56a.pdf )  My interpretation of this text (others may interpret it differently) is that PartyUInfo and PartyVInfo can’t be empty.

 

Instead of using the Concat KDF, a more appropriate choice may be the KDF described in NIST SP 800-56C and RFC 5869.

Its requirements are not as strict.  (SP 800-56C Page 13: “If the information is available, Context should include the identifiers of the parties who are deriving and/or using the derived keying material”)

 

It would look something like this:

 

Step 1 - Randomness Extraction:

Key Derivation Key := HMAC(salt, Z)         (HMAC-SHA256 should suffice for all of the current algorithms)

 

Step 2 - Expansion Step:

Use the Counter Mode KDF defined in SP 800-108 or section 2.3 of RFC 5869 with the same HMAC algorithm used in step 1 to produce needed keys from the Key Derivation Key produced in step 1.

The needed keys would depend on the values of alg and enc.

If alg is ECDH-ES+A128KW or ECDH-ES+A256KW, a single 128 bit or 256 bit key is needed (used to decrypt the CMK, which may then need to be split into CEK/CIK).

If alg is ECDH-ES, then the needed keys depend on “enc”:

If enc is AES-GCM, a 128 bit key or 256 bit key is needed.

If enc is one of the AEAD AES-CBC algorithms in draft-mcgrew-aead-aes-cbc-hmac-sha2-01, a key of ENC_KEY_LEN + MAC_KEY_LEN is needed as it’s then split into two by the AEAD algorithm.

If enc is one of the current CBC+HMAC options in draft-ietf-jose-json-web-algorithms-08, then two keys are needed, a CEK and a CIK.  Counter Mode KDF could be invoked twice, with different labels each time, or Counter Mode KDF could be invoked once to generate a big key which would then be split into the CEK and CIK.

 

Richard has already pointed out the issues with using the Concat KDF to derive the CEK/CIK from the CMK.  Instead, one option would be to use the Expansion Step above:  use the Counter Mode KDF with an HMAC to derive necessary keys from the CMK. 

Even if we use encryption algorithms that combine the encryption and integrity key such as the CBC+HMAC algorithms in draft-mcgrew-aead-aes-cbc-hmac-sha2-01, there will still be a need to take a smaller master key and create the combined encryption + integrity key from it.

 

 

Mike

 


_______________________________________________
jose mailing list
 <mailto:jose@ietf.org> jose@ietf.org
 <https://www.ietf.org/mailman/listinfo/jose> https://www.ietf.org/mailman/listinfo/jose

 

_______________________________________________
jose mailing list
jose@ietf.org
https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email