Re: [jose] [Cfrg] GCM nonce reuse question
Matt Miller <mamille2@cisco.com> Mon, 15 April 2013 15:51 UTC
Return-Path: <mamille2@cisco.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F221121F940E for <jose@ietfa.amsl.com>; Mon, 15 Apr 2013 08:51:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OFWOFTWVBHWP for <jose@ietfa.amsl.com>; Mon, 15 Apr 2013 08:51:01 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 6E71121F940A for <jose@ietf.org>; Mon, 15 Apr 2013 08:51:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6551; q=dns/txt; s=iport; t=1366041061; x=1367250661; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=Wdf6pyRSDzVfRYkMolT8qdDE7X7M8u79f+EOcGOWlfI=; b=Zbcg5YPpRxG9nP8Xps5svfJzic4waxxQ4kfz3tklLfcuBUs6Ds3+lVir tEIYU85120Q/CpT27STDdMz9EkHTDEfHR7Rfgc4DxRFaGPqsy/vdAh3EE J0kkOOJxofJD8v7nVUr01qOEwsvuFdkcL+MXaz8+G9jbAMG5SwL8iGfsf 4=;
X-Files: smime.p7s : 2283
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AlQFAAUhbFGrRDoI/2dsb2JhbABQgwbBOoEHFnSCHwEBAQR5BQsLDgouAlUGE4gCAw6yDR2JTY1ggTcHgmBhA4kFhk+HMYYFiwyDKh2BLw
X-IronPort-AV: E=Sophos; i="4.87,476,1363132800"; d="p7s'?scan'208"; a="76142439"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-3.cisco.com with ESMTP; 15 Apr 2013 15:51:00 +0000
Received: from [10.129.24.59] ([10.129.24.59]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r3FFowAC020233 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 15 Apr 2013 15:50:58 GMT
Content-Type: multipart/signed; boundary="Apple-Mail=_2AF97ACA-A06A-4A34-9077-7DFC3AB0E11A"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Matt Miller <mamille2@cisco.com>
In-Reply-To: <CAL02cgQwz4136CTEoz-RBude+pwAxB1pUFBzh6y=pMtL4ZuVLw@mail.gmail.com>
Date: Mon, 15 Apr 2013 09:50:57 -0600
Message-Id: <57A12B7F-30D2-4406-A66F-1FA0B03B4313@cisco.com>
References: <006a01ce2b3c$8f0d03b0$ad270b10$@augustcellars.com> <747787E65E3FBD4E93F0EB2F14DB556B183EF2E3@xmb-rcd-x04.cisco.com> <4E1F6AAD24975D4BA5B1680429673943675A0978@TK5EX14MBXC283.redmond.corp.microsoft.com> <004e01ce2fb9$74979730$5dc6c590$@augustcellars.com> <4EC6AC2C-8EE6-4433-8302-E884DD0B3C06@ve7jtb.com> <734D4714-BEF1-4E0C-8DB4-6753083F0F11@bbn.com> <255B9BB34FB7D647A506DC292726F6E1150C74DDCF@WSMSG3153V.srv.dir.telstra.com> <CAL02cgQwz4136CTEoz-RBude+pwAxB1pUFBzh6y=pMtL4ZuVLw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1503)
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] [Cfrg] GCM nonce reuse question
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 15:51:03 -0000
On Apr 15, 2013, at 9:25 AM, Richard Barnes <rlb@ipv.sx> wrote: > On Sun, Apr 14, 2013 at 9:55 PM, Manger, James H < > James.H.Manger@team.telstra.com> wrote: > >> I think there are more options for handling multiple recipients of >> AEAD-secured content: >> >> >> Option 3: Put all per-recipient info into one header; keep this header >> under the AEAD integrity check; have one nonce. >> COST: All recipients need to be known (and their key exchange info >> created) before the AEAD algorithm is applied. >> COST: The JWE JSON header structure needs to be adjusted (eg to have an >> array of recipient info) so it is not backward compatible with current >> drafts. >> COST: Doesn't help use cases where one recipient forwards an >> AEAD-secured message on to a new recipient (eg an XMPP system receives a >> message secured for a user and re-secures it for a specific device of that >> user). Changing recipients requires reapplying the AEAD operations. >> COST: Each recipient needs to see key exchange info of all recipients >> (privacy impact?). >> POSSIBLE-BENEFIT: Recipients, key exchanges, parameters, and content is >> secured as a complete unit. >> >> >> Option 2b: Remove per-recipient info from AEAD integrity check; but add >> AEAD details to each key exchange. For instance, info about an AEAD >> operation (alg id, key id etc) potentially even including the whole >> ciphertext is used as the "label" for the RSAES-OAEP-ENCRYPT operation that >> encrypts the AEAD secret key for a recipient. >> BENEFIT: The key exchange is tied to a specific AEAD operation. >> COST: Crypto is not typically done like this; uncertain as to what exact >> security properties you are getting. Perhaps there are some similarities to >> NIST Concat KDF that adds "context" to key derivation: this adds "context" >> about an AEAD operation to the key exchange. >> >> >> I agree with Richard Barnes that the per-recipient key exchange details >> should be outside the AEAD operation (not covered by the AEAD integrity >> check). Go with option 2 or 2b. >> Then, separately, we can decide which details of the AEAD operation should >> be bound to each key exchange: none? AEAD key length? AEAD alg id? whole >> AEAD header? AEAD ciphertext? other context? >> >> >> -- >> James Manger >> >> > > At the same time, this attribute should be optional, since I think there > are use cases where the CMK is not entirely ephemeral. For example, I > think the current XMPP e2e document uses it as a session key rather than an > individual message key, so you wouldn't want to limit the key to a single > JWE. > XMPP e2e has both a session key and a per-message key. The per-message key is protected by the session key. That said, I also think Option 2 or 2b makes the most sense. - m&m Matt Miller < mamille2@cisco.com > Cisco Systems, Inc.
- [jose] FW: GCM nonce reuse question Jim Schaad
- Re: [jose] FW: GCM nonce reuse question Mike Jones
- Re: [jose] FW: GCM nonce reuse question Mike Jones
- Re: [jose] FW: GCM nonce reuse question Richard Barnes
- Re: [jose] FW: GCM nonce reuse question Vijay Bharadwaj
- Re: [jose] [Cfrg] GCM nonce reuse question Richard Barnes
- Re: [jose] [Cfrg] GCM nonce reuse question Manger, James H
- Re: [jose] [Cfrg] GCM nonce reuse question Richard Barnes
- Re: [jose] [Cfrg] GCM nonce reuse question Matt Miller
- Re: [jose] [Cfrg] GCM nonce reuse question Richard Barnes