Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK
Richard Barnes <rlb@ipv.sx> Mon, 18 March 2013 15:42 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30E6521F8A18 for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 08:42:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.575
X-Spam-Level:
X-Spam-Status: No, score=-1.575 tagged_above=-999 required=5 tests=[AWL=-1.150, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c6m1OChnRybh for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 08:42:11 -0700 (PDT)
Received: from mail-ob0-x22c.google.com (mail-ob0-x22c.google.com [IPv6:2607:f8b0:4003:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 47B9B21F8A0C for <jose@ietf.org>; Mon, 18 Mar 2013 08:42:11 -0700 (PDT)
Received: by mail-ob0-f172.google.com with SMTP id tb18so5473983obb.17 for <jose@ietf.org>; Mon, 18 Mar 2013 08:42:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=qpD0AyaQQZl/XdWRBIILYM+wuvQ3iMbvJKDYEspZ80Q=; b=gr+8zWGtdfySwWiQmW1MWQY7fC2quS7SpBIw+07cVGaUk12iDYEbxSkQHTUVbJ+ZeM kN8RoMVr+lVCX9qfUYlOts4T2HTOgx4MrITunHeKdC0RhW7mDs4z3nJUjBlCcvyVWjrF LWg9NrteRkU3ftC5OlS0/FW3FijD/ognZHIzxTmFvobyA4XJYDVwzYke23Pz0zaKnKaC j98VEd4zO7O8+IZSyOPciYJCn88/Tu4UOrw2VZoX9QwAaZANkS7OSL/rGKbCmpcuRe4m SzD7oGed4stCeNVCh1t9iCW70TvoAgmVYG6OGDQfwP9ubrd0xkdN3etpFlA2bB2G60iJ VEQA==
MIME-Version: 1.0
X-Received: by 10.60.172.18 with SMTP id ay18mr6877146oec.126.1363621330543; Mon, 18 Mar 2013 08:42:10 -0700 (PDT)
Received: by 10.60.40.233 with HTTP; Mon, 18 Mar 2013 08:42:10 -0700 (PDT)
X-Originating-IP: [192.1.51.16]
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1150B9AE692@WSMSG3153V.srv.dir.telstra.com>
References: <8B4C063947CD794BB6FF90C78BAE9B321EFC09EC@IMCMBX04.MITRE.ORG> <CAL02cgSn-_+_7RAHrETdbzvHBq3d=xa0kmuh9HuvAf9TjJp_eA@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943675001A6@TK5EX14MBXC283.redmond.corp.microsoft.com> <D1DEAADA-5879-4D05-BDF4-D2D1EA0998B0@ve7jtb.com> <8B4C063947CD794BB6FF90C78BAE9B321EFC0B77@IMCMBX04.MITRE.ORG> <4E1F6AAD24975D4BA5B16804296739436750053A@TK5EX14MBXC283.redmond.corp.microsoft.com> <255B9BB34FB7D647A506DC292726F6E1150B8467A5@WSMSG3153V.srv.dir.telstra.com> <07b701ce21a8$40b502f0$c21f08d0$@augustcellars.com> <255B9BB34FB7D647A506DC292726F6E1150B9AE692@WSMSG3153V.srv.dir.telstra.com>
Date: Mon, 18 Mar 2013 11:42:10 -0400
Message-ID: <CAL02cgThcn2N7GxodxMOUZUs=DzbnzR6wcKP686E9D24op5AhA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: multipart/alternative; boundary="bcaec54fae480436b004d834d5a4"
X-Gm-Message-State: ALoCoQnGvT+njML/2d88uD0LqRAV9QhfMktWQ08DzDaKiEVBR1FpByaLgiM4R6QosGGAlrTXZZdH
Cc: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Concat KDF issues with ECDH-ES and for deriving CEK/CIK from CMK
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2013 15:42:12 -0000
This sounds to me like yet another argument for (1) removing the integrity protection from the JOSE header, and (2) creating a separate binary component in JWE to hold the AAD. --Richard On Sun, Mar 17, 2013 at 8:02 PM, Manger, James H < James.H.Manger@team.telstra.com> wrote: > >> For instance, JWE includes the IV as part of the additional > authenticated data (AAD). No other AEAD system is defined like this. > Everywhere else the IV/nonce and AAD are separate. I hope that doesn’t > adversely affect the crypto properties, but it does raise questions about > whether it is important for some crypto reason.**** > > ** ** > > [JLS] For this algorithm it is absolutely vital that the IV be protected. > Since the authentication is computed on the post encrypted text not the > pre-encyrpted text, a decryption could never be able to correctly determine > that the IV passed in was correct if it is not validated!!!!!!**** > > ** ** > > ** ** > > Jim,**** > > ** ** > > A256CBC+HS512 needs to integrity-protect the IV. I am not disagreeing with > that.**** > > ** ** > > Every other AEAD algorithm accepts an IV and AAD as separate inputs and **internally > to the AEAD algorithm** ensures the appropriate integrity protection is > applied. This is what GCM, CCM, and SIV do. It is the what RFC5116 (AEAD > interface) assumes. It is what any crypto library with an explicit AEAD > interface will support (separate calls or separate parameters for the IV > and AAD).**** > > ** ** > > JWE defines the AAD to be the Header+WrappedKey+IV. That is, the IV is > included in the AAD.**** > > ** ** > > Consequently every other AEAD algorithm (such as A128GCM) will process the > JWE IV twice. In A128GCM, for example, the IV will be passed from JOSE code > to an underlying crypto API once as a 12-byte (96-bit) binary value, and > also as 16 base64url characters at the end of the AAD. For all these AEAD > algorithms this duplication is merely slightly wasteful, but I guess (hope) > it has no impact on security.**** > > ** ** > > The JOSE-specific A256CBC+HS512 algorithm, in contrast, is different. This > algorithm would be insecure if the AAD did not include the IV. What would > happen if A256CBC+HS512 was implemented in a crypto library accessed via a > generic AEAD interface? Perhaps it would have to base64url-encode the IV it > was passed and check that it matches the end of the AAD it was passed > (making it unsuitable as a generic AEAD alg in any other context)?**** > > ** ** > > --**** > > James Manger**** > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > >
- Re: [jose] Concat KDF issues with ECDH-ES and for… Mike Jones
- [jose] Concat KDF issues with ECDH-ES and for der… Peck, Michael A
- Re: [jose] Concat KDF issues with ECDH-ES and for… Richard Barnes
- Re: [jose] Concat KDF issues with ECDH-ES and for… John Bradley
- Re: [jose] Concat KDF issues with ECDH-ES and for… Peck, Michael A
- Re: [jose] Concat KDF issues with ECDH-ES and for… Mike Jones
- Re: [jose] Concat KDF issues with ECDH-ES and for… Manger, James H
- Re: [jose] Concat KDF issues with ECDH-ES and for… Richard Barnes
- Re: [jose] Concat KDF issues with ECDH-ES and for… Jim Schaad
- Re: [jose] Concat KDF issues with ECDH-ES and for… Manger, James H
- Re: [jose] Concat KDF issues with ECDH-ES and for… Richard Barnes