IETF Logo Mail Archive

Re: [jose] Draft describing encrypting JWK key representations, with JWE

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 15 March 2013 18:20 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 824AE21F856D for <jose@ietfa.amsl.com>; Fri, 15 Mar 2013 11:20:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.299
X-Spam-Level:
X-Spam-Status: No, score=-103.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ThEOl55krfk for <jose@ietfa.amsl.com>; Fri, 15 Mar 2013 11:20:36 -0700 (PDT)
Received: from mail-ee0-f43.google.com (mail-ee0-f43.google.com [74.125.83.43]) by ietfa.amsl.com (Postfix) with ESMTP id CE37621F8494 for <jose@ietf.org>; Fri, 15 Mar 2013 11:20:35 -0700 (PDT)
Received: by mail-ee0-f43.google.com with SMTP id c50so1776824eek.16 for <jose@ietf.org>; Fri, 15 Mar 2013 11:20:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:message-id:date:from:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=WTkO75xO7uTe3BzUnqHpJZPjLYfxcvaQ6VQrsy2BjGQ=; b=JlazpskRgq9VpETqiEZSXTPPxOavHe0cJgkpFuBaQZPUOuGbVpjwrnCa0aq7HxIO+6 LnGHq+3xDuwjP/OQH4BNC8Cb4Ec2Nf6d/GJfcgZ9/P1TljO3jW3e/LkDLw5HgK9cxzKf E5RH6l84wutVSqM3jBbaqYQlK8OaEKtlhpZlYFClnhUhunGwgQX97W2TUNys5j9AeI7d LCirIc7bJdcrr7TGZhIWI0dpcjIs46spnqG/cU9WOe1qBosWxhPX3613kBgrj1dcNF9i 81h5M0xqPB0FqVoloxMJnfZ6pOM7odZ9CeQEi0iIK86fUSABDdDFMI7bdq9f4GX2EbbJ Z7zA==
X-Received: by 10.15.45.201 with SMTP id b49mr20880776eew.9.1363371635001; Fri, 15 Mar 2013 11:20:35 -0700 (PDT)
Received: from [10.0.0.5] (bzq-109-64-148-173.red.bezeqint.net. [109.64.148.173]) by mx.google.com with ESMTPS id q5sm11568556eeo.17.2013.03.15.11.20.33 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 15 Mar 2013 11:20:34 -0700 (PDT)
Message-ID: <5143666F.7080701@gmail.com>
Date: Fri, 15 Mar 2013 20:20:31 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130221 Thunderbird/17.0.3
MIME-Version: 1.0
To: "Peck, Michael A" <mpeck@mitre.org>
References: <mailman.4019.1363356696.3432.cfrg@irtf.org> <51433B12.1020703@gmail.com> <4E1F6AAD24975D4BA5B168042967394367526568@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgQ8=yKwArwvR228Z=xi0N3U6yvoOHt6M-3EuCD_HYkyww@mail.gmail.com> <4E1F6AAD24975D4BA5B168042967394367526789@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgRbh7EYLwp01t0yMMPHbhtVsQjY8379YF9_gRgGeO08eQ@mail.gmail.com> <8B4C063947CD794BB6FF90C78BAE9B321EFD5DFC@IMCMBX04.MITRE.ORG> <51435D7A.7050800@gmail.com> <8B4C063947CD794BB6FF90C78BAE9B321EFD5FBC@IMCMBX04.MITRE.ORG>
In-Reply-To: <8B4C063947CD794BB6FF90C78BAE9B321EFD5FBC@IMCMBX04.MITRE.ORG>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Fri, 15 Mar 2013 11:25:46 -0700
Cc: Richard Barnes <rlb@ipv.sx>, Mike Jones <Michael.Jones@microsoft.com>, "cfrg@irtf.org" <cfrg@irtf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 18:20:37 -0000

Hi Mike,

I understand your point, I believe. At the technical level, using PBKDF2 
for crypto keys simply does not buy you any security, but has a high 
cost in performance (the performance cost is after all the whole point 
of PBKDF2).

But the more important level is educational: I suggest that the document 
should make a very clear distinction between passwords and keys, so that 
implementors know what they're dealing with and the risks involved. 
Using password processing for keys would go against this goal.

Thanks,
	Yaron

On 03/15/2013 07:55 PM, Peck, Michael A wrote:
> I'll try to clarify (and hopefully not dig a deeper hole).
>
> JWE currently provides a "dir" mechanism allowing a symmetric key previously agreed to out of band to be used for content encryption.
> All of the other JWE mechanisms use a fresh symmetric key for each encryption.
>
> My suggestion was that instead of directly using the pre-shared symmetric key to encrypt content, if JWE makes the PBKDF2 mechanism available the symmetric key could be used as the PBKDF2 "password", resulting in a fresh key generated for each content encryption.  In this particular case the password input to PBKDF2 would hopefully be very random - I would think there would be no more risk than using the pre-shared key directly, rather less risk.
>
> General password considerations are a different matter.  Passwords have lots of issues but if we're stuck with them we should at least advise how to do the best we can.
>
> Mike
>
>> -----Original Message-----
>> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
>> Sent: Friday, March 15, 2013 1:42 PM
>> To: Peck, Michael A
>> Cc: Richard Barnes; Mike Jones; cfrg@irtf.org; jose@ietf.org
>> Subject: Re: [jose] Draft describing encrypting JWK key representations, with
>> JWE
>>
>> Hi Mike and Mike,
>>
>> The NIST SP is about using PBKDF2 for storage encryption (which I'm not
>> thrilled with, either). Not for sending the encrypted blob over the
>> wire, for an attacker to intercept and decrypt off-line. And if we read
>> the NIST document, let's adopt the whole thing - quoting from sec. A.1:
>> "Passwords shorter than 10 characters are usually considered to be
>> weak." Are we going to make this recommendation too? Well I guess not.
>>
>> *Please* do not mix passwords with cryptographic keys. If the WG goes
>> through the risk vs. benefit analysis and decides to have a
>> password-based mechanism, fine. But please leave the shared-key
>> mechanism as-is. It's important that readers of JOSE specs are very
>> clear about the difference between randomly generated keys and
>> user-memorable (or even -generated) passwords.
>>
>> Let's be clear: even a single use of a user-generated password for
>> on-the-wire encryption is risky. So-called key rotation of actual
>> cryptographic keys is a whole different matter.
>>
>> Thanks,
>> 	Yaron
>>
>>
>> On 03/15/2013 06:58 PM, Peck, Michael A wrote:
>>> +1
>>>
>>> NIST Special Publication 800-132 provides recommendations for the
>>> parameters that the group may find useful.
>>>
>>> http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
>>>
>>> It may also be worth thinking about using PBKDF2 instead of the "dir"
>>> (Direct Encryption with a Shared Symmetric Key) mechanism described in
>>> draft-ietf-jose-json-web-algorithms-08 section 4.6.  The shared
>>> symmetric key would be used as the PBKDF2 "password", and this would
>>> force a new key to be used for each encryption, rather than the current
>>> "dir" approach of using the same encryption key repeatedly.
>>>
>>> Mike
>>>
>>> *From:*jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf
>>> Of *Richard Barnes
>>> *Sent:* Friday, March 15, 2013 12:53 PM
>>> *To:* Mike Jones
>>> *Cc:* Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
>>> *Subject:* Re: [jose] Draft describing encrypting JWK key
>>> representations, with JWE
>>>
>>> Do I count as an expert?  :)
>>>
>>> As I understand it, PBDKF2 is completely fine for key protection.
>>>    PBKDF2 has mechanisms to mitigate the dictionary attack risks, e.g.,
>>> having a high number of iterations. We might want to make some
>>> recommendations as to how you set those parameters. And the actual key
>>> wrapping is done with something like AES-KW, so that step is fine.
>>>
>>> So I would be completely fine with adding this to JWE / JWA.  We should
>>> do this.
>>>
>>> --Richard
>>>
>>> On Fri, Mar 15, 2013 at 12:48 PM, Mike Jones
>>> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>
>> wrote:
>>>
>>> That's up to the working group.  I'm actually hoping that experts on the
>>> lists will respond to Yaron's comments before we make a decision on
>>> whether PBKDF2 as specified is an appropriate key wrapping algorithm or
>> not.
>>>
>>> Assuming that the content in Matt's draft eventually becomes an RFC or
>>> part of one, the PBKDF2 definition would end up in the algorithms
>>> registry either way, even if it's not part of the JWA spec itself.
>>>
>>>                                                               Cheers,
>>>
>>>                                                               -- Mike
>>>
>>> *From:*jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>
>>> [mailto:jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>] *On
>> Behalf
>>> Of *Richard Barnes
>>> *Sent:* Friday, March 15, 2013 9:43 AM
>>> *To:* Mike Jones
>>> *Cc:* Yaron Sheffer; cfrg@irtf.org <mailto:cfrg@irtf.org>; jose@ietf.org
>>> <mailto:jose@ietf.org>
>>> *Subject:* Re: [jose] Draft describing encrypting JWK key
>>> representations, with JWE
>>>
>>> So, Mike, would you be OK with adding PBE to JWE / JWA, as a new key
>>> wrapping algorithm?
>>>
>>> --Richard
>>>
>>> On Fri, Mar 15, 2013 at 12:14 PM, Mike Jones
>>> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>
>> wrote:
>>>
>>> [Adding JOSE mailing list to the thread]
>>>
>>> For clarification, PBKDF2 is not the only algorithm that could be used
>>> to wrap keys in this scheme.  This draft *adds* PBKDF2 to the set of
>>> algorithms already specified for use with encryption in the JSON Web
>>> Algorithms (JWA) specification
>>> (http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08).  In
>>> particular, other algorithms such as AES Key Wrap and AES GCM are also
>>> present there.
>>>
>>> I'll let others who are experts in PBKDF2 and password-based encryption
>>> respond to Yaron's specific comment.
>>>
>>>                                   -- Mike
>>>
>>> -----Original Message-----
>>> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com
>>> <mailto:yaronf.ietf@gmail.com>]
>>> Sent: Friday, March 15, 2013 8:16 AM
>>> To: cfrg@irtf.org <mailto:cfrg@irtf.org>; Mike Jones
>>> Subject: Re: Draft describing encrypting JWK key representations, with JWE
>>>
>>> Hi Mike,
>>>
>>> I'm probably missing something, but I'm worried about the security of
>>> this scheme (though I do appreciate the usability/convenience of
>> passwords).
>>>
>>> PBKDF2 is meant to make dictionary attacks on stored passwords harder,
>>> as a second line defense, once the server has been breached. Using it to
>>> encrypt data and then sending the data on the wire, makes the data
>>> vulnerable to this same dictionary attack (in this case the effort comes
>>> to the space of all possible passwords - say 1 million - times 1000).
>>> Moreover, this also puts the password itself in danger.
>>>
>>> Thanks,
>>>           Yaron
>>>
>>>   >
>>>   > ------------------------------
>>>   >
>>>   > Message: 5
>>>   > Date: Fri, 15 Mar 2013 14:10:32 +0000
>>>   > From: Mike Jones <Michael.Jones@microsoft.com
>>> <mailto:Michael.Jones@microsoft.com>>
>>>   > To: "cfrg@irtf.org <mailto:cfrg@irtf.org>" <cfrg@irtf.org
>>> <mailto:cfrg@irtf.org>>
>>>   > Subject: [Cfrg] Draft describing encrypting JWK key representations
>>>   >       with JWE
>>>   > Message-ID:
>>>   >
>>>   >
>> <4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.redmon
>> d.corp.
>>>
>> <mailto:4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.r
>> edmond.corp.%0b>>
>>> microsoft.com <http://microsoft.com>>
>>>   >
>>>   > Content-Type: text/plain; charset="us-ascii"
>>>   >
>>>   > http://tools.ietf.org/html/draft-miller-jose-jwe-protected-jwk-01
>>>   >
>>>   > This also adds password-based encryption to the algorithm registry.
>>>   >
>>>   >                                                              -- Mike
>>>   >
>>>   > -------------- next part -------------- An HTML attachment was
>>>   > scrubbed...
>>>   > URL:
>>>   > <http://www.irtf.org/mail-
>> archive/web/cfrg/attachments/20130315/02e36b
>>>   > 24/attachment.htm>
>>>   >
>>>   > ------------------------------
>>>   >
>>>   > _______________________________________________
>>>   > Cfrg mailing list
>>>   > Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>>>   > http://www.irtf.org/mailman/listinfo/cfrg
>>>   >
>>>   >
>>>   > End of Cfrg Digest, Vol 95, Issue 3
>>>   > ***********************************
>>>   >
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org <mailto:jose@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/jose
>>>

v2.23.0 | Report a Bug | By Email