Re: [jose] PBES2-HS256+A128KW: where do salt and iteration count go?

Mike Jones <> Wed, 17 July 2013 00:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8770021F9B7F for <>; Tue, 16 Jul 2013 17:38:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.712
X-Spam-Status: No, score=-3.712 tagged_above=-999 required=5 tests=[AWL=-0.114, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id E9VqjyI01UiA for <>; Tue, 16 Jul 2013 17:38:29 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id BDE7421F8F67 for <>; Tue, 16 Jul 2013 17:38:23 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.717.3; Wed, 17 Jul 2013 00:38:15 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.717.3 via Frontend Transport; Wed, 17 Jul 2013 00:38:15 +0000
Received: from ([]) by ([]) with mapi id 14.03.0136.001; Wed, 17 Jul 2013 00:37:43 +0000
From: Mike Jones <>
To: "Manger, James H" <>, Richard Barnes <>, "Matt Miller (mamille2)" <>, "" <>
Thread-Topic: [jose] PBES2-HS256+A128KW: where do salt and iteration count go?
Thread-Index: Ac6Bwa7E5l6r/DDHRwe+2UU0iYcgFQA1v0SA///D1wCAABSpgP///k2w
Date: Wed, 17 Jul 2013 00:37:42 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436B6C867ATK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(199002)(189002)(51704005)(24454002)(377454003)(71186001)(20776003)(16406001)(50986001)(49866001)(74502001)(31966008)(76796001)(15202345003)(69226001)(47976001)(63696002)(33656001)(512874002)(77096001)(6806004)(66066001)(56776001)(83072001)(74366001)(54316002)(79102001)(51856001)(81342001)(65816001)(81542001)(54356001)(76786001)(47446002)(74706001)(56816003)(80022001)(74662001)(47736001)(16236675002)(551544002)(46102001)(76482001)(74876001)(19300405004)(77982001)(44976005)(59766001)(55846006)(53806001)(4396001); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB051;; CLIP:; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0910AAF391
Subject: Re: [jose] PBES2-HS256+A128KW: where do salt and iteration count go?
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 17 Jul 2013 00:38:34 -0000

The registry is there exactly to prevent such messes.  They have a good track record of preventing them to date. ;-)

                                                                -- Mike

From: [] On Behalf Of Manger, James H
Sent: Tuesday, July 16, 2013 5:31 PM
To: Richard Barnes; Matt Miller (mamille2);
Subject: Re: [jose] PBES2-HS256+A128KW: where do salt and iteration count go?

“s” and “c” at the top level (not under “jwk”) would at least be more consistent with other parts of JOSE and the design philosophy of “keep it flat”. I would actually prefer sticking “s” and “c” into a sub-object, but it only makes sense if other fields are moved there as well. What if a key wrapping algorithm and a content encryption algorithm both need a salt? What if a sender key and recipient key have the same sort of parameter (such as a “kid”)? The “simplicity” of a flat structure quickly becomes a mess.

James Manger

From: Richard Barnes []
Sent: Wednesday, 17 July 2013 9:17 AM
To: Matt Miller (mamille2)
Cc: Manger, James H;<>
Subject: Re: [jose] PBES2-HS256+A128KW: where do salt and iteration count go?

Like James, I don't think -13 (or draft-miller-jose-jwe-protected-jwk) is quite right in how the parameters are laid out.  PBES should be exactly like ECDH -- the parameters for the KEK derivation and key encryption all go in the header.  The JWE header for an ECDH-protected JWE might look like this:


So the example JWE header in draft-miller-jose-jwe-protected-jwk would be:


Similarly, if we were to, say, define an algorithm identifier "PBES2-HS256+A128GCM", the "iv" and "tag" fields would go in the header as well.


On Tue, Jul 16, 2013 at 5:52 PM, Matt Miller (mamille2) <<>> wrote:
I would like to first note that the vast majority of the password-based text came from draft-miller-jose-jwe-protected-jwk (discussed a few times on this list), and was included between the end of the JOSE virtual interim (2013-07-15T17:00Z) and the submission deadline.

On Jul 15, 2013, at 7:13 PM, "Manger, James H" <<>> wrote:

> draft-ietf-jose-json-web-algorithms-13 adds password-based encryption algorithms that involve a salt (s) and iteration count (c). I cannot quite tell how s & c are conveyed. Section 4.9.1 "PBES2-HS256+A128KW" says s & c come from the "applicable PBKDF2 JWK object".
> Is the "applicable PBKDF2 JWK object" the value of the "jwk" header parameter in a JWE message?
> Or is the "applicable PBKDF2 JWK object" part of each parties locally-configured key set (which is not part of a message, but can be referenced by a "kid" header parameter)?
The "applicable PBKDF2 JWK object" is whichever of the key-identifying fields ("jwk", "jku", or "kid") works for your application.  The intent of these algorithms is to protect private- or symmetric-key JWK objects, and to be as self-contained as possible, so the original examples used "jwk".  When this was put together, using JWK objects seemed to make the most sense and fit the syntax and semantics.

> The latter makes little sense as salt and iteration count are parameters of a particular message, not fixed for a given password.
Those are good points, and favor moving "c" and "s" from a JWK into the JWE header (as implicitly proposed elsewhere in this thread).  See above for the original rationale.

> The former is at best underspecified. "jwk" is defined as "the public key to which the JWE was encrypted" []. s & c obviously are not a public key so that definition would need to change.
> A PBKDF2 JWK object is also defined to have a 'hint' parameter ("a descriptive clue to the password"). It would be awful if 'hint's were sent in JOSE messages. JWK needs to do a much better job of separating sensitive fields (secret key, private key, password hint) from public fields. If we need text to display when prompting for a password I think we need a different field to 'hint'.
Do you have suggested changes/replacements.

> An example of PBES2-HS256+A128KW would help.
I'll let Mike Jones speak to this revision specifically.  An example does exist in the original draft-miller-jose-jwe-protected-jwk.

- m&m

Matt Miller <<> >
Cisco Systems, Inc.

jose mailing list<>