IETF Logo Mail Archive

Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt

Matt Miller <mamille2@cisco.com> Thu, 25 April 2013 22:02 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B67121F9716 for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 15:02:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Level:
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hR87uUkAp+Ql for <jose@ietfa.amsl.com>; Thu, 25 Apr 2013 15:02:21 -0700 (PDT)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id A92C821F9715 for <jose@ietf.org>; Thu, 25 Apr 2013 15:02:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6001; q=dns/txt; s=iport; t=1366927341; x=1368136941; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=vufrh5bX0Ca2oVWtAT2byblob3rk6eIoT3NrPigIL+8=; b=JyOBarZsE+5UasZHDCyUT/oWnOZzak1bHsGCOKhYGnY4xrUy5H47Hkk6 02pIoamtbuKBv1YIxfVWNftqkeMx0zaF+Q6/t9mMSExXSgJtT887EEP96 cFoXqM9CknsYGP6ZV1zi2lVzJ5nGU+crd85QtMhLvsWRHS/s6u4UKKhjR Q=;
X-Files: smime.p7s : 2283
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAMameVGrRDoH/2dsb2JhbABRgwY3vjCBBBZ0gh8BAQEDAXkFCwsOOAJVBhMbh3MFvk+PNQeCbWEDiRGGV4c0hg+LE4MtHQ
X-IronPort-AV: E=Sophos; i="4.87,553,1363132800"; d="p7s'?scan'208"; a="79631373"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-2.cisco.com with ESMTP; 25 Apr 2013 22:02:21 +0000
Received: from [10.129.24.59] ([10.129.24.59]) by mtv-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r3PM2J8E027248 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 25 Apr 2013 22:02:20 GMT
Content-Type: multipart/signed; boundary="Apple-Mail=_BCFFE21A-D509-480D-9DC6-7362B2DF69B0"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Matt Miller <mamille2@cisco.com>
In-Reply-To: <CAL02cgTmv_A+cs4eJ6oK4v3AqgxZA2q=wdV69ey4xydcaupGuw@mail.gmail.com>
Date: Thu, 25 Apr 2013 16:02:19 -0600
Message-Id: <95BF000E-50B4-4D42-8F21-A6D5BE9D7A59@cisco.com>
References: <20130424002901.19246.69134.idtracker@ietfa.amsl.com> <014201ce416a$82761a80$87624f80$@augustcellars.com> <B9EADFAC-382A-40C3-937C-C07E77777273@vigilsec.com> <4E1F6AAD24975D4BA5B1680429673943676C00E2@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgTmv_A+cs4eJ6oK4v3AqgxZA2q=wdV69ey4xydcaupGuw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1503)
Cc: Mike Jones <Michael.Jones@microsoft.com>, Russ Housley <housley@vigilsec.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] I-D Action: draft-ietf-jose-json-web-encryption-09.txt
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 22:02:22 -0000

On Apr 25, 2013, at 3:56 PM, Richard Barnes <rlb@ipv.sx>
 wrote:

> On Thu, Apr 25, 2013 at 3:09 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:
> 
>> Hi Russ,
>> 
>> I agree that enabling GCM to be safely used in the multiple recipients
>> case would be highly desirable.  It is currently prohibited because if the
>> recipients share a common key and initialization vector (IV) but use
>> different AAD values, this results in the identified vulnerability.  One
>> possible solution that continues integrity protecting the headers but
>> enables the safe use of GCM was identified off-list by John Bradley.
>> 
>> That solution is to have each recipient always use the same key, IV, and
>> AAD values.  This could be accomplished by including all the header values
>> in a single combined AAD value, rather than having the integrity protection
>> for each recipient's headers be independent.
>> 
>> This change could be done in a manner that doesn't affect the computation
>> for the single recipients case.  Given the upcoming interim JOSE meeting
>> next week, and given the (understandable) strong negative reaction to the
>> unusability of GCM with the current multiple recipients processing rules,
>> I'll plan on quickly producing a draft -10 that changes the processing
>> rules in the manner described above, so that idea can be concretely
>> considered by the working group next week.
>> 
>> Just so people are clear on the properties on the new processing rules -
>> this would mean that the integrity computations for each recipients would
>> no longer be independent.  The only downside of this (which could be an
>> upside in some ways) is that it would no longer be possible to add
>> recipients over time without performing a new encryption computation with a
>> new CEK and IV.
>> 
> 
> As I said to John, that is not an acceptable solution because it breaks the
> XMPP use case.  The minimum sensible change is to remove the per-recipient
> info from the integrity check.
> 

It is not clear to me how John's suggestion utterly breaks the XMPP use case, unless you have this alternate-reality version of XMPP-E2E you've not yet told me about (-:

The current XMPP document already separates per-recipient info from the actual protected content.


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

v2.23.0 | Report a Bug | By Email