Re: [jose] Concat KDF
"Manger, James H" <James.H.Manger@team.telstra.com> Fri, 21 June 2013 01:50 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62F2321E80F8 for <jose@ietfa.amsl.com>; Thu, 20 Jun 2013 18:50:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.672
X-Spam-Level:
X-Spam-Status: No, score=-1.672 tagged_above=-999 required=5 tests=[AWL=1.229, BAYES_00=-2.599, GB_I_LETTER=-2, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aguQMZ2ALwKX for <jose@ietfa.amsl.com>; Thu, 20 Jun 2013 18:50:02 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id A7FB611E8144 for <jose@ietf.org>; Thu, 20 Jun 2013 18:50:00 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.87,909,1363093200"; d="scan'208";a="142740154"
Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipocvi.tcif.telstra.com.au with ESMTP; 21 Jun 2013 11:49:59 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,7112"; a="140249358"
Received: from wsmsg3702.srv.dir.telstra.com ([172.49.40.170]) by ipcbvi.tcif.telstra.com.au with ESMTP; 21 Jun 2013 11:49:59 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3702.srv.dir.telstra.com ([172.49.40.170]) with mapi; Fri, 21 Jun 2013 11:49:49 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Richard Barnes <rlb@ipv.sx>, Jim Schaad <ietf@augustcellars.com>
Date: Fri, 21 Jun 2013 11:49:43 +1000
Thread-Topic: [jose] Concat KDF
Thread-Index: Ac5uAG20UjuawbqlQIaVY1C52sOChQAE6v5Q
Message-ID: <255B9BB34FB7D647A506DC292726F6E1151BB8F972@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E1151B930A31@WSMSG3153V.srv.dir.telstra.com> <033601ce6c6c$492fa4d0$db8eee70$@augustcellars.com> <CAL02cgQCquK9KVdnXWoeK5HJLBrU_TFaw9wNPydFRA9t1wS5jw@mail.gmail.com>
In-Reply-To: <CAL02cgQCquK9KVdnXWoeK5HJLBrU_TFaw9wNPydFRA9t1wS5jw@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Concat KDF
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jun 2013 01:50:28 -0000
> PartyUInfo seems compliant with the letter of the SP800-56A. SP800-56A
> doesn't place any constraints on the form or duration of the identifier
> ID_U, so the 512-bit value provided seems sufficient if you regard that
> as ID_U.
One aspect that has been confusing me is whether the recipient is expected to recognize ID_U as a known identifier for the originator, and ID_V as its own name?
Alternatively, do requirements on these items only apply to the originator? Is it completely safe for a recipient to treat ID_U and ID_V as opaque bytes to be hashed as part of the KDF, but with no other processing? Is it, in fact, safe for a recipient to treat OtherInfo (AlgorithmID + PartyUInfo +...) as an opaque blob, or even OtherInput (keydatalen + OtherInfo) as an opaque blob? In which case, we could simply include B64(OtherInput) in a JOSE message, perhaps with a suggested way an originator could construct OtherInput (eg from alg, enc, kid/jku, nonce).
> The better option would be to use the same KDF that CMS uses
> [RFC3278][SEC1]. It's simpler, and also complies with USG mandates
> (Suite B [RFC5008]). If we use the RFC 5008 variant, it also takes as
> input exactly what the current JWS spec provides:
>
> KM = Hash ( Z || Counter || ECC-CMS-SharedInfo )
>
> ECC-CMS-SharedInfo = {
> keyInfo, // The algorithm with which the key will be used,
> currently in AlgorithmID
> entityUInfo, // The entropy source we're currently putting in
> PartyUInfo
> suppPubInfo // The derived key length, currently in SuppPubInfo
> }
>
> In other words, CMS does exactly what JWS wants to do now. Let's just
> do it for real. Proposed text for Section 4.7.1 of JWA:
Your proposal is "logically" the same as CMS (so same security properties), but the precise calculation is incompatible as you don't use a DER-encoding of ECC-CMS-SharedInfo. Just wanted to clarify this intention.
> """
> The key derivation process derives the agreed upon key from the shared
> secret Z established through the ECDH algorithm using the single-pass
> KDF defined in [SEC1]. The inputs to the key derivation process are as
> follows:
>
> Z This is set to the representation of the shared secret Z as an octet
> sequence.
>
> SharedInfo This is set to the concatenation of the following octet
> strings, in order:
> 1. The algorithm with which the derived key is to be used. If the
> "alg" value is "ECDH", then this field contains the value of the "alg"
> parameter. Otherwise, it contains the value of the "enc" parameter.
Wrong way around. If "alg" is "ECDH" use "enc" value, otherwise use "alg" value.
You also need to separate this field from the next: with a length prefix, or separator char/byte.
With 2 variable-sized fields (algorithm and apu) you only theoretically need 1 length field to be unambiguous, but it needs to be at the start or end, not in between the 2 fields.
> 2. The length of the value of the "apu" parameter, as a 32-bit big
> endian integer. If the "apu" parameter is not present, then this field
> is set to all zeros (0x00000000).
> 3. The value of the "apu" parameter, if present. If provided, this
> value MUST contain at least 512 bits and a unique value SHOULD be used
> for each recipient. The "apu" parameter MAY be omitted only if a
> different ephemeral key is used for each key agreement transaction.
> 4. The length of the derived key, as a 32-bit big endian integer.
> For "ECDH-ES", this is length of the key used by the "enc" algorithm.
> For "ECDH-ES+A128KW" or "ECDH-ES+A256KW", it is 128 (0x00000080) or
> 256 (0x00000100), respectively.
Symmetric key lengths are hardwired into "alg" and "enc" values in JOSE (eg "A256KW", "A128CGM") so we don't actually need a separate field.
> """
>
> Two side notes:
> 1. We need hash agility here (as in RFC 5008) to be able to meet higher
> levels of security for which SHA-256 is unacceptable. Suggest adding
> hash algorithms to the ECDH algorithm identifiers, e.g., "ECDH256",
> "ECDH284+KW".
"ECDH256", "ECDH256+A128KW", "ECDH384", "ECH384+A192KW"?
> 2. The "-ES" is unnecessary, since the entropy added in entityUInfo is
> sufficient to address both ES and SS cases.
--
James Manger
- [jose] Concat KDF Manger, James H
- Re: [jose] Concat KDF Russ Housley
- Re: [jose] Concat KDF Mike Jones
- Re: [jose] Concat KDF Jim Schaad
- Re: [jose] Concat KDF Richard Barnes
- Re: [jose] Concat KDF Manger, James H
- Re: [jose] Concat KDF Mike Jones
- Re: [jose] Concat KDF Mike Jones
- Re: [jose] Concat KDF Richard Barnes
- Re: [jose] Concat KDF Jim Schaad
- Re: [jose] Concat KDF Mike Jones
- Re: [jose] Concat KDF Russ Housley
- Re: [jose] Concat KDF Mike Jones
- Re: [jose] Concat KDF Jim Schaad
- Re: [jose] Concat KDF Mike Jones
- Re: [jose] Concat KDF Mike Jones
- Re: [jose] Concat KDF Jim Schaad
- Re: [jose] Concat KDF Jim Schaad
- Re: [jose] Concat KDF Manger, James H
- Re: [jose] Concat KDF Mike Jones
- Re: [jose] Concat KDF Mike Jones
- Re: [jose] Concat KDF Manger, James H