Re: [jose] [Cfrg] Use of authenticated encryption for key wrapping

John Bradley <ve7jtb@ve7jtb.com> Sun, 17 March 2013 22:40 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <BDE5BBCC-D6B4-4A3F-890E-498079C6F9C5@vigilsec.com>
Date: Sun, 17 Mar 2013 18:40:21 -0400
Message-Id: <0A3D2079-279F-4D6C-AEE9-2B4BBF97B609@ve7jtb.com>
References: <31556AB6-899F-4D81-9FBC-40708864EA55@cisco.com> <BDE5BBCC-D6B4-4A3F-890E-498079C6F9C5@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Brian Weis <bew@cisco.com>, cfrg@ietf.org, jose@ietf.org
Subject: Re: [jose] [Cfrg] Use of authenticated encryption for key wrapping

That is true.

However, the main reason AES-GCM would be used is to allow transport of keys (RSA, EC and symmetric) that are intended for use outside the crypto module.

Where I agree is that it is probably not such a good idea to start using AES-KW on the message body just because that body contains a JWK with a private key.

I think that is where this particular question started. Some people thought that only AES-KW was appropriate for encrypting keys.

My preference is to keep AES-KW for wrapping session keys, and not change to the newer version that would allow us to encrypt arbitrary length messages.

That at least still provides some additional protection for session keys, in that the KW alg remains internal and so cannot be used to expose session keys accidentally, if that is what you are getting at.

Regards,
John B.

On 2013-03-15, at 2:42 PM, Russ Housley <housley@vigilsec.com> wrote:

> There are some system design issues to be considered. The use of different modes for encryption of user data and keying material makes it easier to prevent the decryption of keying material outside of the crypto module.
> 
> Russ
> 
> 
> On Mar 15, 2013, at 11:42 AM, Brian Weis wrote:
> 
>> Jim Schaad gave a presentation on JOSE to CFRG today (<http://www.ietf.org/proceedings/86/slides/slides-86-cfrg-5.pdf>). The question came up as to whether AES key wrap was necessarily the only method that was safe for key wrapping in JOSE. The other algorithm under consideration is AES-GCM.
>> 
>> Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:
>> 
>> "Previously approved authenticated-encryption modes—as well as combinations of an approved encryption mode with an approved authentication method—are approved for the protection of cryptographic keys, in addition to general data."
>> 
>> So if one considers that to be good enough advice, AES-GCM would indeed be an acceptable method of key wrapping. The chairs asked me to cross-post this for discussion.
>> 
>> Brian
> 