Re: [jose] AES GCM Key Wrapping Draft

Russ Housley <housley@vigilsec.com> Fri, 14 June 2013 16:58 UTC

To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "jose@ietf.org" <jose@ietf.org>

I would greatly prefer a document that describes the key wrap algorithm as a series of steps (both wrap and unwrap), and then defines the identifiers needed to use this algorithm with JOSE and CMS. The current document makes it seem that the algorithm is only appropriate for JOSE.

At a minimum, the security considerations need to talk about:
- protection of the key-encryption key, and the consequences if it is not.
- generation of the key-encryption key, unless you choose to add that to the body of the document.

Implementers will greatly appreciate test vectors.

Russ


On Jun 13, 2013, at 9:04 PM, Mike Jones wrote:

> An action item I took on at the interim working group meeting was to produce a draft showing how key wrapping can be accomplished with AES GCM for JWE.  This draft is now available as http://tools.ietf.org/html/draft-jones-jose-aes-gcm-key-wrap-00.  The specification is also available in HTML format at http://self-issued.info/docs/draft-jones-jose-aes-gcm-key-wrap-00.html.
>  
> The core technical content is all in Section 3, which I’ve included in its entirety below because it’s so short.
>  
> 3.  Key Encryption with AES GCM
> 
> This section defines the specifics of encrypting a JWE Content Encryption Key (CEK) with Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) [AES] [NIST.800‑38D] using 128 or 256 bit keys. The alg header parameter values A128GCMKW or A256GCMKW are respectively used in this case.
> 
> Use of an Initialization Vector of size 96 bits is REQUIRED with this algorithm.
> 
> The Additional Authenticated Data value used is the empty octet string.
> 
> The requested size of the Authentication Tag output MUST be 128 bits, regardless of the key size.
> 
> Let JWE Encrypted Key value be the concatenation of the Initialization Vector value, the Ciphertext output, and the Authentication Tag output.
> 
> During key decryption, the JWE Encrypted Key value is split into three inputs to the AES GCM decryption algorithm: the first 96 bits are the Initialization Vector value, the last 128 bits are the Authentication Tag value, and the remaining bits in between are the Ciphertext value.
> 
>  
>                                                                 -- Mike
>  
> P.S.  Richard, unlike what I described in our private conversation, this specification uses no additional header parameter values.
>  
> -----Original Message-----
> From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] 
> Sent: Thursday, June 13, 2013 5:53 PM
> To: Mike Jones; Mike Jones
> Subject: New Version Notification for draft-jones-jose-aes-gcm-key-wrap-00.txt
>  
> A new version of I-D, draft-jones-jose-aes-gcm-key-wrap-00.txt
> has been successfully submitted by Michael B. Jones and posted to the IETF repository.
>  
> Filename:        draft-jones-jose-aes-gcm-key-wrap
> Revision:        00
> Title:           Key Wrapping with AES GCM for JWE
> Creation date:   2013-06-13
> Group:           Individual Submission
> Number of pages: 5
> URL:             http://www.ietf.org/internet-drafts/draft-jones-jose-aes-gcm-key-wrap-00.txt
> Status:          http://datatracker.ietf.org/doc/draft-jones-jose-aes-gcm-key-wrap
> Htmlized:        http://tools.ietf.org/html/draft-jones-jose-aes-gcm-key-wrap-00
>  
> Abstract:
>    This specification defines how to encrypt (wrap) keys with the AES
>    GCM algorithm for JSON Web Encryption (JWE) objects.
>  
> The IETF Secretariat
>  
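
The wrap and unwrap operations in the quoted Section 3, written out as explicit steps. This is an added example, not code from the draft or from either author; it uses Node's built-in crypto module, and the names `wrapKey`, `unwrapKey`, `cipherFor` and `ALGS` are hypothetical.

```javascript
const crypto = require('node:crypto');

const IV_LEN = 12;  // 96-bit Initialization Vector (REQUIRED)
const TAG_LEN = 16; // 128-bit Authentication Tag, regardless of key size
const ALGS = {      // alg values from the quoted text -> Node cipher, KEK size
  A128GCMKW: { cipher: 'aes-128-gcm', keyLen: 16 },
  A256GCMKW: { cipher: 'aes-256-gcm', keyLen: 32 },
};

function cipherFor(alg, kek) {
  const p = ALGS[alg];
  if (!p) throw new Error(`unsupported alg: ${alg}`);
  if (kek.length !== p.keyLen) throw new Error(`KEK must be ${p.keyLen} octets`);
  return p.cipher;
}

// Wrap: JWE Encrypted Key = IV || Ciphertext || Authentication Tag.
// `iv` is a parameter only so known-answer tests can fix it; leave it unset
// otherwise, because reusing an IV under one KEK breaks GCM.
function wrapKey(alg, kek, cek, iv = crypto.randomBytes(IV_LEN)) {
  const name = cipherFor(alg, kek);
  if (iv.length !== IV_LEN) throw new Error('IV must be 96 bits');
  const enc = crypto.createCipheriv(name, kek, iv, { authTagLength: TAG_LEN });
  enc.setAAD(Buffer.alloc(0)); // AAD is the empty octet string
  const ct = Buffer.concat([enc.update(cek), enc.final()]);
  return Buffer.concat([iv, ct, enc.getAuthTag()]);
}

// Unwrap: first 96 bits are the IV, last 128 bits the tag, the rest ciphertext.
function unwrapKey(alg, kek, encryptedKey) {
  const name = cipherFor(alg, kek);
  if (encryptedKey.length <= IV_LEN + TAG_LEN) throw new Error('too short');
  const iv = encryptedKey.subarray(0, IV_LEN);
  const ct = encryptedKey.subarray(IV_LEN, encryptedKey.length - TAG_LEN);
  const tag = encryptedKey.subarray(encryptedKey.length - TAG_LEN);
  const dec = crypto.createDecipheriv(name, kek, iv, { authTagLength: TAG_LEN });
  dec.setAAD(Buffer.alloc(0));
  dec.setAuthTag(tag);
  // final() throws when the tag does not verify; no CEK is returned then.
  return Buffer.concat([dec.update(ct), dec.final()]);
}

// Constructed sample: fresh random KEK and CEK, round trip under A256GCMKW.
const kek = crypto.randomBytes(32);
const cek = crypto.randomBytes(32);
const wrapped = wrapKey('A256GCMKW', kek, cek);
console.log(wrapped.length, unwrapKey('A256GCMKW', kek, wrapped).equals(cek));
```

Because the parameters are an empty AAD, a 96-bit IV and a 128-bit tag, existing AES-GCM known-answer vectors with those settings can be replayed through `wrapKey` by passing the fixed IV.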