Re: [jose] PBES2-HS256+A128KW: where do salt and iteration count go?

Richard Barnes <rlb@ipv.sx> Tue, 16 July 2013 23:37 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5266421F9DA0 for <jose@ietfa.amsl.com>; Tue, 16 Jul 2013 16:37:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.9
X-Spam-Level:
X-Spam-Status: No, score=-2.9 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fGgTWkWoIMOG for <jose@ietfa.amsl.com>; Tue, 16 Jul 2013 16:37:22 -0700 (PDT)
Received: from mail-ob0-f173.google.com (mail-ob0-f173.google.com [209.85.214.173]) by ietfa.amsl.com (Postfix) with ESMTP id 3E49521F9D90 for <jose@ietf.org>; Tue, 16 Jul 2013 16:37:21 -0700 (PDT)
Received: by mail-ob0-f173.google.com with SMTP id wc20so1473108obb.4 for <jose@ietf.org>; Tue, 16 Jul 2013 16:37:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=HSI6UHb+To5b5pWkd7r0VBx+ppMiOeQRfT/nK9zcs3A=; b=QC5TFpD35Rl1qht8y8EaLnM6RIteayaXR6a3Cipk4L56IjAYF1TmgujAjWyfWenJX3 kAWkHAdNfrwwqzrPj82tJSDLXqRd8n/d9IdfRPH8apRQ0hdwdizCRogptjwYZ+8L609B JL/cWhHSuWb2g8DE1mnAVN25SeCvSlZ0fEi2BSYPhI5zF7U80kFuidgd0mb3pd8pmWyy 3zhZyg60qblWNbkI2piRrHoiCxbbOJ8G0FPw7ex2bFGzYMw+nHEGyO6sD/36h8btRt7M xZRYODeHhFjk8oskEDy1Lca+8U/vml7A8Zts5Z3BOMxFMvUOm4OFTiD1Elk1/MiKlURN FbHw==
MIME-Version: 1.0
X-Received: by 10.60.115.199 with SMTP id jq7mr4913526oeb.19.1374017841147; Tue, 16 Jul 2013 16:37:21 -0700 (PDT)
Received: by 10.60.26.135 with HTTP; Tue, 16 Jul 2013 16:37:21 -0700 (PDT)
X-Originating-IP: [72.66.6.13]
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436B6C8153@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <255B9BB34FB7D647A506DC292726F6E1151C7C31BF@WSMSG3153V.srv.dir.telstra.com> <BF7E36B9C495A6468E8EC573603ED941152C0944@xmb-aln-x11.cisco.com> <CAL02cgQF1O67LMivM+tzuAb-6BawPDL1m0mPC7+s=FzN7zrjwg@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436B6C8153@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Tue, 16 Jul 2013 19:37:21 -0400
Message-ID: <CAL02cgS8iVs5Qz0T6CeA-6uCoVGYwfjvDf4KvZ7svxwkVvmcGg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="089e0115e8e85634ba04e1a9752b"
X-Gm-Message-State: ALoCoQn7Iot03VsG3t+RapS0R+jlei6zgLeJGWDTcOCe9zvKewYO9SjFZSEQaZaVeazkPh1bUboA
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>, "Matt Miller (mamille2)" <mamille2@cisco.com>
Subject: Re: [jose] PBES2-HS256+A128KW: where do salt and iteration count go?
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2013 23:37:27 -0000

I was thinking that the "jwk" would be unnecessary.  We could have "hint"
at the top level, or just use "kid" for that purpose.

--Richard


On Tue, Jul 16, 2013 at 7:30 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:

>  If we move “s” and “c” to being header parameters from the JWK, would we
> still need the JWK with “kty”:”PBKDF2”?  All that would be left would be
> the “hint” JWK parameter.****
>
> ** **
>
>                                                                 -- Mike***
> *
>
> ** **
>
> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf
> Of *Richard Barnes
> *Sent:* Tuesday, July 16, 2013 4:17 PM
> *To:* Matt Miller (mamille2)
> *Cc:* Manger, James H; jose@ietf.org
> *Subject:* Re: [jose] PBES2-HS256+A128KW: where do salt and iteration
> count go?****
>
> ** **
>
> Like James, I don't think -13 (or draft-miller-jose-jwe-protected-jwk) is
> quite right in how the parameters are laid out.  PBES should be exactly
> like ECDH -- the parameters for the KEK derivation and key encryption all
> go in the header.  The JWE header for an ECDH-protected JWE might look like
> this:****
>
> ** **
>
> {****
>
>   "alg":"ECDH-ES+A128KW",****
>
>   "kid":"27a4c46f-6d36-4a8c-814c-c954165f6dc9",****
>
>   "epk":{...},****
>
>   "apu":"...",****
>
>   "apv":"...",****
>
>   "enc":"A128CBC+HS256",****
>
>   "cty":"application/jwk+json"****
>
> }****
>
> ** **
>
> So the example JWE header in draft-miller-jose-jwe-protected-jwk would be:
> ****
>
> ** **
>
> {****
>
>   "alg":"PBES2-HS256+A128KW",****
>
>   "kid":"27a4c46f-6d36-4a8c-814c-c954165f6dc9",****
>
>   "s":"2WCTcJZ1Rvd_CJuJripQ1w",****
>
>   "c":4096,****
>
>   "enc":"A128CBC+HS256",****
>
>   "cty":"application/jwk+json"****
>
> }****
>
> ** **
>
> Similarly, if we were to, say, define an algorithm identifier
> "PBES2-HS256+A128GCM", the "iv" and "tag" fields would go in the header as
> well.****
>
> ** **
>
> {****
>
>   "alg":"PBES2-HS256+A128KW",****
>
>   "kid":"27a4c46f-6d36-4a8c-814c-c954165f6dc9",****
>
>   "s":"2WCTcJZ1Rvd_CJuJripQ1w",****
>
>   "c":4096,****
>
>   "iv":"lyjGhnbbzu6nEx2MkgTl2Q",****
>
>   "tag":"S7mmAbr3AeXVbsTP0M3e4w",****
>
>   "enc":"A128CBC+HS256",****
>
>   "cty":"application/jwk+json"****
>
> }****
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> On Tue, Jul 16, 2013 at 5:52 PM, Matt Miller (mamille2) <
> mamille2@cisco.com> wrote:****
>
> I would like to first note that the vast majority of the password-based
> text came from draft-miller-jose-jwe-protected-jwk (discussed a few times
> on this list), and was included between the end of the JOSE virtual interim
> (2013-07-15T17:00Z) and the submission deadline.****
>
>
> On Jul 15, 2013, at 7:13 PM, "Manger, James H" <
> James.H.Manger@team.telstra.com> wrote:
>
> > draft-ietf-jose-json-web-algorithms-13 adds password-based encryption
> algorithms that involve a salt (s) and iteration count (c). I cannot quite
> tell how s & c are conveyed. Section 4.9.1 "PBES2-HS256+A128KW" says s & c
> come from the "applicable PBKDF2 JWK object".
> >
> > Is the "applicable PBKDF2 JWK object" the value of the "jwk" header
> parameter in a JWE message?
> > Or is the "applicable PBKDF2 JWK object" part of each parties
> locally-configured key set (which is not part of a message, but can be
> referenced by a "kid" header parameter)?****
>
> The "applicable PBKDF2 JWK object" is whichever of the key-identifying
> fields ("jwk", "jku", or "kid") works for your application.  The intent of
> these algorithms is to protect private- or symmetric-key JWK objects, and
> to be as self-contained as possible, so the original examples used "jwk".
>  When this was put together, using JWK objects seemed to make the most
> sense and fit the syntax and semantics.****
>
>
> >
> > The latter makes little sense as salt and iteration count are parameters
> of a particular message, not fixed for a given password.
> >****
>
> Those are good points, and favor moving "c" and "s" from a JWK into the
> JWE header (as implicitly proposed elsewhere in this thread).  See above
> for the original rationale.****
>
>
> > The former is at best underspecified. "jwk" is defined as "the public
> key to which the JWE was encrypted" [
> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-13#section-4.1.5].
> s & c obviously are not a public key so that definition would need to
> change.
> >
> > A PBKDF2 JWK object is also defined to have a 'hint' parameter ("a
> descriptive clue to the password"). It would be awful if 'hint's were sent
> in JOSE messages. JWK needs to do a much better job of separating sensitive
> fields (secret key, private key, password hint) from public fields. If we
> need text to display when prompting for a password I think we need a
> different field to 'hint'.
> >****
>
> Do you have suggested changes/replacements.****
>
>
> > An example of PBES2-HS256+A128KW would help.
> >****
>
> I'll let Mike Jones speak to this revision specifically.  An example does
> exist in the original draft-miller-jose-jwe-protected-jwk.
>
>
> - m&m
>
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose****
>
> ** **
>