Re: [jose] WebCrypto feedback on key wrapping
Mike Jones <Michael.Jones@microsoft.com> Tue, 19 March 2013 00:14 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED8BF21F85E0 for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 17:14:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.269
X-Spam-Level:
X-Spam-Status: No, score=-2.269 tagged_above=-999 required=5 tests=[AWL=0.329, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LkfpZv1amKsT for <jose@ietfa.amsl.com>; Mon, 18 Mar 2013 17:14:26 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0241.outbound.protection.outlook.com [207.46.163.241]) by ietfa.amsl.com (Postfix) with ESMTP id 9916021F85DC for <jose@ietf.org>; Mon, 18 Mar 2013 17:14:25 -0700 (PDT)
Received: from BL2FFO11FD027.protection.gbl (10.173.161.204) by BL2FFO11HUB013.protection.gbl (10.173.160.105) with Microsoft SMTP Server (TLS) id 15.0.641.9; Tue, 19 Mar 2013 00:02:31 +0000
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD027.mail.protection.outlook.com (10.173.161.106) with Microsoft SMTP Server (TLS) id 15.0.641.9 via Frontend Transport; Tue, 19 Mar 2013 00:02:30 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.224]) by TK5EX14HUBC106.redmond.corp.microsoft.com ([157.54.80.61]) with mapi id 14.02.0318.003; Tue, 19 Mar 2013 00:02:18 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] WebCrypto feedback on key wrapping
Thread-Index: AQHOJC/fb0UrhnxpB0CL7KQe/F+ugpisIMPA
Date: Tue, 19 Mar 2013 00:02:18 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436755A50C@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <CAL02cgQQ4YejJOS_BHJWDYwy4SChQ4XfinTG+6px4=JN1=UCBQ@mail.gmail.com>
In-Reply-To: <CAL02cgQQ4YejJOS_BHJWDYwy4SChQ4XfinTG+6px4=JN1=UCBQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.72]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436755A50CTK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(189002)(199002)(377454001)(56776001)(65816001)(77982001)(512954001)(44976002)(16236675001)(76482001)(80022001)(56816002)(69226001)(63696002)(47976001)(33656001)(15202345001)(16406001)(79102001)(53806001)(74662001)(54356001)(59766001)(5343655001)(51856001)(74502001)(50986001)(20776003)(49866001)(55846006)(5343635001)(47446002)(4396001)(66066001)(46102001)(47736001)(31966008)(54316002); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB013; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0790FB1F33
Subject: Re: [jose] WebCrypto feedback on key wrapping
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 00:14:28 -0000
Given that we require RSA keys to be a minimum of 2048 bits in length, there's no problem wrapping 768 bit keys with OAEP in practice.
-- Mike
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Monday, March 18, 2013 4:25 PM
To: jose@ietf.org
Subject: [jose] WebCrypto feedback on key wrapping
On today's call with the W3C WebCrypto working group, I reported on the discussion of JOSE key wrapping at the last IETF. I was asked to relay a few bits of feedback:
1. Vijay Bharadwaj (Microsoft) observed that AES key wrap has fallen out of favor with some parts of the cryptographic community. People prefer to be able to use AEAD algorithms for key wrapping, since they are perceived to be faster and offer a higher level of security than AES-KW. He gave the example that IEEE 802.1 uses AES CCM.
2. Mark Watson (Netflix) noted that if we use RSA directly to encrypt wrapped key objects, then we would need something other than OAEP in order to carry arbitrary-length payloads. I agreed, and suggested that something like RSA-KEM would be necessary. Ryan Sleevi (Google) and Vijay observed that KEM is troublesome due to the lack of support by native crypto libraries.
It seems to me that these comments have impacts on JWE and JWS (pending ISSUE-2), as well as the wrapping discussion. The former has more impact than the latter.
Point number 1 implies that we should offer AEAD for key wrapping in JWE as well as for wrapped keys. It seems to me that the simplest approach to this would be to make the "alg" field contain an object that is semantically equivalent to an AlgorithmIdentifier in CMS/PKCS8. For example, { name: "A128GCM", iv: "PCIGJe0DjunuM7s0" }. This syntax, incidentally, is roughly the same form that algorithm identifiers have in the WebCrypto API. Note that this type of key wrapping is supported in CMS by the use of an AEAD AlgorithmIdentifier in the KEKRecipientInfo structure.
Point number 2 likely applies for some scenarios of JWE, especially if we adopt the McGrew approach. For example, if using HMAC-SHA1 and AES with a 256-bit key, the total key length is 788 bits, which is too long to be encrypted with OAEP under a 1,024-bit RSA key. I'm not sure how to resolve it. The best idea I've got is to allow wrapped keys to nest, so that you can wrap a key inside of another wrapped key.
I will try to take these points into account in my forthcoming key wrapping draft, and I've filed two issues against JWE to track them.
--Richard
- [jose] WebCrypto feedback on key wrapping Richard Barnes
- Re: [jose] WebCrypto feedback on key wrapping Mike Jones
- Re: [jose] WebCrypto feedback on key wrapping Jim Schaad
- Re: [jose] WebCrypto feedback on key wrapping Richard Barnes
- Re: [jose] WebCrypto feedback on key wrapping Mike Jones
- Re: [jose] WebCrypto feedback on key wrapping Richard Barnes
- Re: [jose] WebCrypto feedback on key wrapping Mark Watson
- Re: [jose] WebCrypto feedback on key wrapping Mike Jones
- Re: [jose] WebCrypto feedback on key wrapping Vijay Bharadwaj
- Re: [jose] WebCrypto feedback on key wrapping Mark Watson