Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
Richard Barnes <rlb@ipv.sx> Thu, 25 April 2013 21:56 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 216F621F970E for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 14:56:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.536
X-Spam-Level: *
X-Spam-Status: No, score=1.536 tagged_above=-999 required=5 tests=[AWL=-0.638, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BcVYTHC1VKku for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 14:56:34 -0700 (PDT)
Received: from mail-ob0-x22c.google.com (mail-ob0-x22c.google.com [IPv6:2607:f8b0:4003:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id EBDC021F9706 for <jose@ietf.org>; Thu, 25 Apr 2013 14:56:33 -0700 (PDT)
Received: by mail-ob0-f172.google.com with SMTP id v19so2991532obq.3 for <jose@ietf.org>; Thu, 25 Apr 2013 14:56:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=d0tRU484BNmL5jNB/ugamvZXOCSfGs8FEA5PBnnn9XQ=; b=Kvbow/4+BLC/s3kApstcKXaT19/cFF2Vp2JC5xEpNAUYgcPhn9W6HOnuAVwbwNdlPP XMfhG0sHDUetD7RM3UXwyANYY281L/6x6+a5fSyBgLfQD1r6QbN+t+EEOC4a7bb+NS4t NLE5c1aPJwnGII5kigFUSnYrn3xI9erCdqVWQaFxCKfapKfXv1OJeneYpVCNE33O2z0A EXlXqm6zLapk5zuGHUWyUee9V/PufzHnquQz4KyszA2G9VfezsCNjCIlN2WOPpVlH7JK xjLDLgtISq25YvGfvd8fZhx8rnlmDrl5/v55z6LlBhLqOg34G8fHoJD7hos1lKlOyKdK OGNA==
MIME-Version: 1.0
X-Received: by 10.60.34.98 with SMTP id y2mr21329762oei.74.1366926993538; Thu, 25 Apr 2013 14:56:33 -0700 (PDT)
Received: by 10.60.41.225 with HTTP; Thu, 25 Apr 2013 14:56:33 -0700 (PDT)
X-Originating-IP: [128.89.253.101]
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943676C00E2@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <20130424002901.19246.69134.idtracker@ietfa.amsl.com> <014201ce416a$82761a80$87624f80$@augustcellars.com> <B9EADFAC-382A-40C3-937C-C07E77777273@vigilsec.com> <4E1F6AAD24975D4BA5B1680429673943676C00E2@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Thu, 25 Apr 2013 17:56:33 -0400
Message-ID: <CAL02cgTmv_A+cs4eJ6oK4v3AqgxZA2q=wdV69ey4xydcaupGuw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="089e01175d07e2529b04db367d4a"
X-Gm-Message-State: ALoCoQmsfzMyI+7EualpkJJHkOUsa3IF/FB6Q8OfAdp9Bl3VhIF9ZV6lsbFZ/OMGGCDmhV1Mmnr5
Cc: Russ Housley <housley@vigilsec.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 21:56:35 -0000
On Thu, Apr 25, 2013 at 3:09 PM, Mike Jones <Michael.Jones@microsoft.com>wrote: > Hi Russ, > > I agree that enabling GCM to be safely used in the multiple recipients > case would be highly desirable. It is currently prohibited because if the > recipients share a common key and initialization vector (IV) but use > different AAD values, this results in the identified vulnerability. One > possible solution that continues integrity protecting the headers but > enables the safe use of GCM was identified off-list by John Bradley. > > That solution is to have each recipient always use the same key, IV, and > AAD values. This could be accomplished by including all the header values > in a single combined AAD value, rather than having the integrity protection > for each recipient's headers be independent. > > This change could be done in a manner that doesn't affect the computation > for the single recipients case. Given the upcoming interim JOSE meeting > next week, and given the (understandable) strong negative reaction to the > unusability of GCM with the current multiple recipients processing rules, > I'll plan on quickly producing a draft -10 that changes the processing > rules in the manner described above, so that idea can be concretely > considered by the working group next week. > > Just so people are clear on the properties on the new processing rules - > this would mean that the integrity computations for each recipients would > no longer be independent. The only downside of this (which could be an > upside in some ways) is that it would no longer be possible to add > recipients over time without performing a new encryption computation with a > new CEK and IV. > As I said to John, that is not an acceptable solution because it breaks the XMPP use case. The minimum sensible change is to remove the per-recipient info from the integrity check. --Richard > > Cheers, > -- Mike > > -----Original Message----- > From: Russ Housley [mailto:housley@vigilsec.com] > Sent: Thursday, April 25, 2013 10:31 AM > To: Mike Jones > Cc: jose@ietf.org > Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt > > Mike: > > Like Jim, I cannot support this statement: AES GCM MUST NOT be used when > using the JWE JSON Serialization for multiple recipients > > All recipients ought to be performing decryption and integrity checking > with the same GCM key. The manner in which they obtain that key may be > different (key transport: decrypt the GCM key with the recipient's private > key, key agreement: agreement of a pairwise KEK and then unwrapping the GCM > key with the KEK, pre-shared KEK: unwrapping the GCM key with the already > known KEK, etc). > > Russ > > > On Apr 25, 2013, at 12:07 AM, Jim Schaad wrote: > > > Mike, > > > > AES GCM MUST NOT be used when using the JWE JSON Serialization for > > multiple recipients, since this would result in the same > > Initialization Vector and Plaintext values being used for multiple > > GCM encryptions. > > > > I doubt your co-authors would agree with this. > > I doubt the working group with agree with this. > > I know that at least one co-chair does not agree with this I can > > predict that the AD and IESG along with the security directorate would > > crucify me if I allowed this to stand in the document.. > > > > Jim > > > > > > > >> -----Original Message----- > >> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf > >> Of internet-drafts@ietf.org > >> Sent: Tuesday, April 23, 2013 5:29 PM > >> To: i-d-announce@ietf.org > >> Cc: jose@ietf.org > >> Subject: [jose] I-D Action: > >> draft-ietf-jose-json-web-encryption-09.txt > >> > >> > >> A New Internet-Draft is available from the on-line Internet-Drafts > > directories. > >> This draft is a work item of the Javascript Object Signing and > >> Encryption Working Group of the IETF. > >> > >> Title : JSON Web Encryption (JWE) > >> Author(s) : Michael B. Jones > >> Eric Rescorla > >> Joe Hildebrand > >> Filename : draft-ietf-jose-json-web-encryption-09.txt > >> Pages : 54 > >> Date : 2013-04-23 > >> > >> Abstract: > >> JSON Web Encryption (JWE) is a means of representing encrypted > >> content using JavaScript Object Notation (JSON) data structures. > >> Cryptographic algorithms and identifiers for use with this > >> specification are described in the separate JSON Web Algorithms (JWA) > >> specification. Related digital signature and MAC capabilities are > >> described in the separate JSON Web Signature (JWS) specification. > >> > >> > >> The IETF datatracker status page for this draft is: > >> https://datatracker.ietf.org/doc/draft-ietf-jose-json-web-encryption > >> > >> There's also a htmlized version available at: > >> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-09 > >> > >> A diff from the previous version is available at: > >> http://www.ietf.org/rfcdiff?url2=draft-ietf-jose-json-web-encryption- > >> 09 > >> > >> > >> Internet-Drafts are also available by anonymous FTP at: > >> ftp://ftp.ietf.org/internet-drafts/ > >> > >> _______________________________________________ > >> jose mailing list > >> jose@ietf.org > >> https://www.ietf.org/mailman/listinfo/jose > > > > _______________________________________________ > > jose mailing list > > jose@ietf.org > > https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose >
- [jose] I-D Action: draft-ietf-jose-json-web-encry… internet-drafts
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Jim Schaad
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Russ Housley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Jim Schaad
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Russ Housley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Russ Housley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Matt Miller
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Dick Hardt
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Richard Barnes
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… John Bradley
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Mike Jones
- Re: [jose] I-D Action: draft-ietf-jose-json-web-e… Manger, James H