IETF Logo Mail Archive

Re: [jose] Support for Wrapped Keys?

Mike Jones <Michael.Jones@microsoft.com> Wed, 24 October 2012 22:04 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A37221F8653 for <jose@ietfa.amsl.com>; Wed, 24 Oct 2012 15:04:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.03
X-Spam-Level:
X-Spam-Status: No, score=-3.03 tagged_above=-999 required=5 tests=[AWL=-0.431, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mP9J7Tb6v5mu for <jose@ietfa.amsl.com>; Wed, 24 Oct 2012 15:04:08 -0700 (PDT)
Received: from NA01-BL2-obe.outbound.protection.outlook.com (na01-bl2-obe.ptr.protection.outlook.com [65.55.169.23]) by ietfa.amsl.com (Postfix) with ESMTP id 65CBF21F85A6 for <jose@ietf.org>; Wed, 24 Oct 2012 15:04:08 -0700 (PDT)
Received: from BL2FFO11FD005.protection.gbl (10.173.161.200) by BL2FFO11HUB028.protection.gbl (10.173.161.52) with Microsoft SMTP Server (TLS) id 15.0.545.8; Wed, 24 Oct 2012 22:04:06 +0000
Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD005.mail.protection.outlook.com (10.173.161.1) with Microsoft SMTP Server (TLS) id 15.0.545.8 via Frontend Transport; Wed, 24 Oct 2012 22:04:05 +0000
Received: from TK5EX14MBXC285.redmond.corp.microsoft.com ([169.254.3.15]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.02.0318.003; Wed, 24 Oct 2012 22:03:42 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>, "<jose@ietf.org>" <jose@ietf.org>
Thread-Topic: Support for Wrapped Keys?
Thread-Index: AQHNsixtFQh89Wn5MUGS4dRC2YkxtZfI+/JA
Date: Wed, 24 Oct 2012 22:03:42 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436687BED7@TK5EX14MBXC285.redmond.corp.microsoft.com>
References: <BF7E36B9C495A6468E8EC573603ED94115074062@xmb-aln-x11.cisco.com>
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED94115074062@xmb-aln-x11.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454001)(52314002)(13464001)(74662001)(50986001)(2666001)(47736001)(74502001)(49866001)(48376001)(44976002)(4396001)(47976001)(4196001)(1076001)(47446002)(16826001)(3846001)(47776002)(16696001)(31966008)(20776001)(46102001)(16406001)(54356001)(53806001)(51856001)(5343635001)(5343655001)(54316001)(8716001)(33656001)(50466001)(316001)(491001)(3746001)(3556001); DIR:OUT; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0644578634
Subject: Re: [jose] Support for Wrapped Keys?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2012 22:04:09 -0000

Per our discussions, there's an approach we could discuss that's very close to what you're already doing.  JWE already has a way to encrypt a key.  This key is then currently always used to encrypt the plaintext.

One obvious solution then appears to be to have no plaintext and only perform the first of the two steps - create a JWE Encrypted Key value, leaving the JWE Initialization Vector, JWE Ciphertext, and JWE Integrity value fields empty.

The objection that I'm sure people would raise to this obvious solution is that then the contents of the header and encrypted key are not integrity protected.  One potential solution to this would be to use an "enc" algorithm that only provides integrity but performs no encryption.

The most simple such solution would be to use a cryptographic hash function such as SHA-256 to compute an integrity value over the other fields.  You could look at this as a degenerate AEAD algorithm, accepting an "additional authenticated data" input and producing an "authentication tag" output, but with no plaintext input or ciphertext output.

That would give you an integrity-protected encrypted key, doing the key encryption in the same way that the JWE "alg" values already do.

Anyway, hopefully the above will at least seed a productive discussion of the possibilities.  I do completely understand the value of Matt's use case and want us to think about how to best solve it.

				-- Mike

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Matt Miller (mamille2)
Sent: Wednesday, October 24, 2012 2:14 PM
To: <jose@ietf.org>
Subject: [jose] Support for Wrapped Keys?

This is a topic that has been discussed some off-list between myself, Mike Jones, John Bradley, and Nat Sakimura.

For XMPP E2E, there is a need to disseminate a "session" master (symmetric) key between the sender and recipients as a wrapped key.  To date, this is done in a very custom manner by encrypting the session key with the recipient's public key, and packaging as a partial (read: broken) JWE value.

Ideally, I would like a nice way of handling wrapped keys in JWE.  The more standardized alternatives I can see are:

* Follow JWE, using the session key for both the content key and the content plaintext (feels very awkward)
* Follow JWE, generating yet-another-CMK and using the session key as the content plaintext (feels very wasteful)

Does anyone else think this is worth supporting?


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

PS: JSMS supports wrapped keys, as does CMS.

v2.23.0 | Report a Bug | By Email