IETF Logo Mail Archive

Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

John Bradley <ve7jtb@ve7jtb.com> Thu, 25 April 2013 23:26 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBAAE21F972B for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 16:26:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.165
X-Spam-Level:
X-Spam-Status: No, score=-2.165 tagged_above=-999 required=5 tests=[AWL=0.433, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t7tNI9uL0wRq for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 16:26:31 -0700 (PDT)
Received: from mail-ia0-x233.google.com (mail-ia0-x233.google.com [IPv6:2607:f8b0:4001:c02::233]) by ietfa.amsl.com (Postfix) with ESMTP id B950521F9732 for <jose@ietf.org>; Thu, 25 Apr 2013 16:26:30 -0700 (PDT)
Received: by mail-ia0-f179.google.com with SMTP id p22so3188866iad.24 for <jose@ietf.org>; Thu, 25 Apr 2013 16:26:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=wzH64KlJez2Sm1Yr1kbmRVmnMnUl1cKRd8R4JAGVhRY=; b=MWK8aDkNk68Q3f8WKhyAtqC0/vmCXCj9K2+3UhvdDpNoMYTPgQVYVpMuOK9H9/454w 6MEkQZ6W8KjDxJWm5TJWc8dbddGEDQmIvcI3oUhl1qh8nsmvfg6hIoSUBCAkCtC1AxIC HI1C1k8KZIEwhzHqGPNl3FoBdW/vzcJBcUtb5xFnXVsHLOyj6DvuESHg/xXUsgkEN/sn taExFFsixPp30i7ByE2cVtokrvQq7wpKaM5FRAs0PILGoKvLXeYZh7otraJmHhOOPMj0 LrH1N14F6s+Jsc4StkVFn49QxurJF0tALIpij1jjYGFIjRUZb7VHph+GOUpli/HRAxih Tj1A==
X-Received: by 10.50.77.110 with SMTP id r14mr299397igw.85.1366932388488; Thu, 25 Apr 2013 16:26:28 -0700 (PDT)
Received: from [192.168.1.39] (190-20-37-138.baf.movistar.cl. [190.20.37.138]) by mx.google.com with ESMTPSA id q3sm297267igw.0.2013.04.25.16.26.23 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 25 Apr 2013 16:26:27 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_9ADB272D-A61B-42AB-A35E-81FA76B9F319"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAL02cgRzQMKuQj-upKDVo0QBtD3rEXJPrWLjcAuvZ1v6pxMY8A@mail.gmail.com>
Date: Thu, 25 Apr 2013 20:26:15 -0300
Message-Id: <96BF09A5-22AC-4FE9-A28C-746D8D269F06@ve7jtb.com>
References: <20130424002901.19246.69134.idtracker@ietfa.amsl.com> <014201ce416a$82761a80$87624f80$@augustcellars.com> <B9EADFAC-382A-40C3-937C-C07E77777273@vigilsec.com> <4E1F6AAD24975D4BA5B1680429673943676C00E2@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgTmv_A+cs4eJ6oK4v3AqgxZA2q=wdV69ey4xydcaupGuw@mail.gmail.com> <95BF000E-50B4-4D42-8F21-A6D5BE9D7A59@cisco.com> <18BB8C27-5373-40A3-B1F6-F21F66B5BF75@ve7jtb.com> <CAL02cgRzQMKuQj-upKDVo0QBtD3rEXJPrWLjcAuvZ1v6pxMY8A@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1503)
X-Gm-Message-State: ALoCoQn7oyG0T4xFTO8l8cBFgqrr3ZkWabbyd7T1z4gOygI9kWl76RWX7ZdjN565cLffHqZQHqaD
Cc: Mike Jones <Michael.Jones@microsoft.com>, Russ Housley <housley@vigilsec.com>, "jose@ietf.org" <jose@ietf.org>, Matt Miller <mamille2@cisco.com>
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 23:26:32 -0000

I suspect you are overstating the case:)

It is hard to have per endpoint recipient information in the header when the sender doesn't know what the endpoints that are going to receive the JWE are before it sends it.

I would prefer to avoid using XMPP as a football for this.

There is probably a better use case someplace that would show how a sender knowing beforehand the information for multiple recipients would encrypt the same plain text to all of them.   Mostly what I would like to understand is if there is a real requirement for incremental encryption to new recipients after the fact using the same CMK & IV, or can the CMK & IV change for additional recipients.

John B.

On 2013-04-25, at 8:16 PM, Richard Barnes <rlb@ipv.sx> wrote:

> Again, this is because Matt has hacked around the current system to remove per-recipient data from integrity protection.  And the fact that you're OK with that would mean that you would be OK with removing per-recipient data from integrity protection in general, if you were to be logically consistent ;)
> 
> --Richard
> 
> 
> On Thu, Apr 25, 2013 at 7:13 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> I agree with Matt.   I don't think there is anything in the XMPP use case that would break if the envelope is integrity protected.
> I think there is only a single envelope anyway as I understand it.
> 
> John B.
> 
> On 2013-04-25, at 7:02 PM, Matt Miller <mamille2@cisco.com> wrote:
> 
> >
> > On Apr 25, 2013, at 3:56 PM, Richard Barnes <rlb@ipv.sx>
> > wrote:
> >
> >> On Thu, Apr 25, 2013 at 3:09 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:
> >>
> >>> Hi Russ,
> >>>
> >>> I agree that enabling GCM to be safely used in the multiple recipients
> >>> case would be highly desirable.  It is currently prohibited because if the
> >>> recipients share a common key and initialization vector (IV) but use
> >>> different AAD values, this results in the identified vulnerability.  One
> >>> possible solution that continues integrity protecting the headers but
> >>> enables the safe use of GCM was identified off-list by John Bradley.
> >>>
> >>> That solution is to have each recipient always use the same key, IV, and
> >>> AAD values.  This could be accomplished by including all the header values
> >>> in a single combined AAD value, rather than having the integrity protection
> >>> for each recipient's headers be independent.
> >>>
> >>> This change could be done in a manner that doesn't affect the computation
> >>> for the single recipients case.  Given the upcoming interim JOSE meeting
> >>> next week, and given the (understandable) strong negative reaction to the
> >>> unusability of GCM with the current multiple recipients processing rules,
> >>> I'll plan on quickly producing a draft -10 that changes the processing
> >>> rules in the manner described above, so that idea can be concretely
> >>> considered by the working group next week.
> >>>
> >>> Just so people are clear on the properties on the new processing rules -
> >>> this would mean that the integrity computations for each recipients would
> >>> no longer be independent.  The only downside of this (which could be an
> >>> upside in some ways) is that it would no longer be possible to add
> >>> recipients over time without performing a new encryption computation with a
> >>> new CEK and IV.
> >>>
> >>
> >> As I said to John, that is not an acceptable solution because it breaks the
> >> XMPP use case.  The minimum sensible change is to remove the per-recipient
> >> info from the integrity check.
> >>
> >
> > It is not clear to me how John's suggestion utterly breaks the XMPP use case, unless you have this alternate-reality version of XMPP-E2E you've not yet told me about (-:
> >
> > The current XMPP document already separates per-recipient info from the actual protected content.
> >
> >
> > - m&m
> >
> > Matt Miller < mamille2@cisco.com >
> > Cisco Systems, Inc.
> >
> > _______________________________________________
> > jose mailing list
> > jose@ietf.org
> > https://www.ietf.org/mailman/listinfo/jose
> 
>

v2.23.0 | Report a Bug | By Email