Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
John Bradley <ve7jtb@ve7jtb.com> Thu, 25 April 2013 23:26 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBAAE21F972B for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 16:26:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.165
X-Spam-Level:
X-Spam-Status: No, score=-2.165 tagged_above=-999 required=5 tests=[AWL=0.433, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t7tNI9uL0wRq for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 16:26:31 -0700 (PDT)
Received: from mail-ia0-x233.google.com (mail-ia0-x233.google.com [IPv6:2607:f8b0:4001:c02::233]) by ietfa.amsl.com (Postfix) with ESMTP id B950521F9732 for <jose@ietf.org>; Thu, 25 Apr 2013 16:26:30 -0700 (PDT)
Received: by mail-ia0-f179.google.com with SMTP id p22so3188866iad.24 for <jose@ietf.org>; Thu, 25 Apr 2013 16:26:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=wzH64KlJez2Sm1Yr1kbmRVmnMnUl1cKRd8R4JAGVhRY=; b=MWK8aDkNk68Q3f8WKhyAtqC0/vmCXCj9K2+3UhvdDpNoMYTPgQVYVpMuOK9H9/454w 6MEkQZ6W8KjDxJWm5TJWc8dbddGEDQmIvcI3oUhl1qh8nsmvfg6hIoSUBCAkCtC1AxIC HI1C1k8KZIEwhzHqGPNl3FoBdW/vzcJBcUtb5xFnXVsHLOyj6DvuESHg/xXUsgkEN/sn taExFFsixPp30i7ByE2cVtokrvQq7wpKaM5FRAs0PILGoKvLXeYZh7otraJmHhOOPMj0 LrH1N14F6s+Jsc4StkVFn49QxurJF0tALIpij1jjYGFIjRUZb7VHph+GOUpli/HRAxih Tj1A==
X-Received: by 10.50.77.110 with SMTP id r14mr299397igw.85.1366932388488; Thu, 25 Apr 2013 16:26:28 -0700 (PDT)
Received: from [192.168.1.39] (190-20-37-138.baf.movistar.cl. [190.20.37.138]) by mx.google.com with ESMTPSA id q3sm297267igw.0.2013.04.25.16.26.23 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 25 Apr 2013 16:26:27 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_9ADB272D-A61B-42AB-A35E-81FA76B9F319"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAL02cgRzQMKuQj-upKDVo0QBtD3rEXJPrWLjcAuvZ1v6pxMY8A@mail.gmail.com>
Date: Thu, 25 Apr 2013 20:26:15 -0300
Message-Id: <96BF09A5-22AC-4FE9-A28C-746D8D269F06@ve7jtb.com>
References: <20130424002901.19246.69134.idtracker@ietfa.amsl.com> <014201ce416a$82761a80$87624f80$@augustcellars.com> <B9EADFAC-382A-40C3-937C-C07E77777273@vigilsec.com> <4E1F6AAD24975D4BA5B1680429673943676C00E2@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgTmv_A+cs4eJ6oK4v3AqgxZA2q=wdV69ey4xydcaupGuw@mail.gmail.com> <95BF000E-50B4-4D42-8F21-A6D5BE9D7A59@cisco.com> <18BB8C27-5373-40A3-B1F6-F21F66B5BF75@ve7jtb.com> <CAL02cgRzQMKuQj-upKDVo0QBtD3rEXJPrWLjcAuvZ1v6pxMY8A@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1503)
X-Gm-Message-State: ALoCoQn7oyG0T4xFTO8l8cBFgqrr3ZkWabbyd7T1z4gOygI9kWl76RWX7ZdjN565cLffHqZQHqaD
Cc: Mike Jones <Michael.Jones@microsoft.com>, Russ Housley <housley@vigilsec.com>, "jose@ietf.org" <jose@ietf.org>, Matt Miller <mamille2@cisco.com>
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 23:26:32 -0000
I suspect you are overstating the case:) It is hard to have per endpoint recipient information in the header when the sender doesn't know what the endpoints that are going to receive the JWE are before it sends it. I would prefer to avoid using XMPP as a football for this. There is probably a better use case someplace that would show how a sender knowing beforehand the information for multiple recipients would encrypt the same plain text to all of them. Mostly what I would like to understand is if there is a real requirement for incremental encryption to new recipients after the fact using the same CMK & IV, or can the CMK & IV change for additional recipients. John B. On 2013-04-25, at 8:16 PM, Richard Barnes <rlb@ipv.sx> wrote: > Again, this is because Matt has hacked around the current system to remove per-recipient data from integrity protection. And the fact that you're OK with that would mean that you would be OK with removing per-recipient data from integrity protection in general, if you were to be logically consistent ;) > > --Richard > > > On Thu, Apr 25, 2013 at 7:13 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > I agree with Matt. I don't think there is anything in the XMPP use case that would break if the envelope is integrity protected. > I think there is only a single envelope anyway as I understand it. > > John B. > > On 2013-04-25, at 7:02 PM, Matt Miller <mamille2@cisco.com> wrote: > > > > > On Apr 25, 2013, at 3:56 PM, Richard Barnes <rlb@ipv.sx> > > wrote: > > > >> On Thu, Apr 25, 2013 at 3:09 PM, Mike Jones <Michael.Jones@microsoft.com>wrote: > >> > >>> Hi Russ, > >>> > >>> I agree that enabling GCM to be safely used in the multiple recipients > >>> case would be highly desirable. It is currently prohibited because if the > >>> recipients share a common key and initialization vector (IV) but use > >>> different AAD values, this results in the identified vulnerability. One > >>> possible solution that continues integrity protecting the headers but > >>> enables the safe use of GCM was identified off-list by John Bradley. > >>> > >>> That solution is to have each recipient always use the same key, IV, and > >>> AAD values. This could be accomplished by including all the header values > >>> in a single combined AAD value, rather than having the integrity protection > >>> for each recipient's headers be independent. > >>> > >>> This change could be done in a manner that doesn't affect the computation > >>> for the single recipients case. Given the upcoming interim JOSE meeting > >>> next week, and given the (understandable) strong negative reaction to the > >>> unusability of GCM with the current multiple recipients processing rules, > >>> I'll plan on quickly producing a draft -10 that changes the processing > >>> rules in the manner described above, so that idea can be concretely > >>> considered by the working group next week. > >>> > >>> Just so people are clear on the properties on the new processing rules - > >>> this would mean that the integrity computations for each recipients would > >>> no longer be independent. The only downside of this (which could be an > >>> upside in some ways) is that it would no longer be possible to add > >>> recipients over time without performing a new encryption computation with a > >>> new CEK and IV. > >>> > >> > >> As I said to John, that is not an acceptable solution because it breaks the > >> XMPP use case. The minimum sensible change is to remove the per-recipient > >> info from the integrity check. > >> > > > > It is not clear to me how John's suggestion utterly breaks the XMPP use case, unless you have this alternate-reality version of XMPP-E2E you've not yet told me about (-: > > > > The current XMPP document already separates per-recipient info from the actual protected content. > > > > > > - m&m > > > > Matt Miller < mamille2@cisco.com > > > Cisco Systems, Inc. > > > > _______________________________________________ > > jose mailing list > > jose@ietf.org > > https://www.ietf.org/mailman/listinfo/jose > >
- [jose] I-D Action: draft-ietf-jose-json-web-encry… internet-drafts
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Jim Schaad
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Russ Housley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Jim Schaad
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Russ Housley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Russ Housley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Matt Miller
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Dick Hardt
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Manger, James H