Re: [jose] WebCrypto feedback on key wrapping
Richard Barnes <rlb@ipv.sx> Tue, 19 March 2013 13:44 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27FAA21F8B75 for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 06:44:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.214
X-Spam-Level:
X-Spam-Status: No, score=-2.214 tagged_above=-999 required=5 tests=[AWL=0.762, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hXjvoLkXAZWa for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 06:44:46 -0700 (PDT)
Received: from mail-oa0-f41.google.com (mail-oa0-f41.google.com [209.85.219.41]) by ietfa.amsl.com (Postfix) with ESMTP id AC12021F860A for <jose@ietf.org>; Tue, 19 Mar 2013 06:44:45 -0700 (PDT)
Received: by mail-oa0-f41.google.com with SMTP id i10so456333oag.28 for <jose@ietf.org>; Tue, 19 Mar 2013 06:44:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=DDBggJoaCUMOzzVDXfKSUC/xp0Im+Upd7FeizNlf2o0=; b=h7MYw8NZ3jdd6e3wj6AIU7l3NmNq/c3A1OdI3wLnQ1otmLtAvKITh5yasbUCYeCeu2 GbrJoAzypS8Bg2ClhI+Sm7Oyi9X5wIDcDwnBbm5iVthyWNJH14stjHrSE+5/dQOB3ca8 Wb0+cknsyc9WeTz+xBdkl63uUUdeEj4WfQG0vhSqltw7YJKBnKybRlX4nUq/eraYL/57 rWFfR0X9BsePQgNZRQ1et5koQUrKgZMgRm4nmBHpLS0qR191nA1lfEahcRPclo6tYsjL 5emo4whX638uchKLq1AQLyiZKIkZw7sa8WzdgU3i2rB6MuvBpXqrpCs6R5QrFXE0pk35 b1OQ==
MIME-Version: 1.0
X-Received: by 10.60.171.102 with SMTP id at6mr1348547oec.60.1363700685232; Tue, 19 Mar 2013 06:44:45 -0700 (PDT)
Received: by 10.60.40.233 with HTTP; Tue, 19 Mar 2013 06:44:45 -0700 (PDT)
X-Originating-IP: [192.1.255.184]
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436755CE48@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436755CE48@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Tue, 19 Mar 2013 09:44:45 -0400
Message-ID: <CAL02cgQ6n5b=dd9aNqjJFZReRYokFLJ8rSKN5WpXVvGPioSv8g@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="bcaec54ee094eccad104d8474e31"
X-Gm-Message-State: ALoCoQm1PajFPTqRDy1Owj/v/L2i3MU1T5L4qU9mfJ3F6cDrq/aaW8fWjMPSiC4odeItBn74RB5b
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] WebCrypto feedback on key wrapping
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 13:44:47 -0000
I don't disagree that the minimum size is a good thing for implementors to do. I just don't think that that restriction is necessary in a formatting document like JW*, since it has no impact on interoperability. At most, it should be RECOMMENDED in the security considerations. It should not be a MUST. --Richard On Mon, Mar 18, 2013 at 11:28 PM, Mike Jones <Michael.Jones@microsoft.com>wrote: > I believe that the 2048 restriction was motivated by a NIST evaluation > on acceptable key lengths in which the use of 1024 bit RSA keys has already > been deprecated. Eric Rescorla’s presentation to the working group several > IETFs ago specifically recommended this, as well as the other key size > restrictions in JWA. > > At the time, the working group felt that requiring that people use keys of > acceptable lengths for the current cryptographic client for new > applications was a good thing - especially since JWS and JWE have no legacy > applications to support. > > -- Mike > > *From:* Richard Barnes > *Sent:* March 18, 2013 7:31 PM > *To:* Mike Jones > *CC:* jose@ietf.org > *Subject:* Re: [jose] WebCrypto feedback on key wrapping > > ISSUE-(n+1): Remove silly restriction on key sizes. We're a formatting > working group, not a crypto parameters working group. > > --Richard > > > On Mon, Mar 18, 2013 at 8:02 PM, Mike Jones <Michael.Jones@microsoft.com>wrote: > >> Given that we require RSA keys to be a minimum of 2048 bits in length, >> there’s no problem wrapping 768 bit keys with OAEP in practice.**** >> >> ** ** >> >> -- Mike** >> ** >> >> ** ** >> >> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf >> Of *Richard Barnes >> *Sent:* Monday, March 18, 2013 4:25 PM >> *To:* jose@ietf.org >> *Subject:* [jose] WebCrypto feedback on key wrapping**** >> >> ** ** >> >> On today's call with the W3C WebCrypto working group, I reported on the >> discussion of JOSE key wrapping at the last IETF. I was asked to relay a >> few bits of feedback:**** >> >> ** ** >> >> 1. Vijay Bharadwaj (Microsoft) observed that AES key wrap has fallen out >> of favor with some parts of the cryptographic community. People prefer to >> be able to use AEAD algorithms for key wrapping, since they are perceived >> to be faster and offer a higher level of security than AES-KW. He gave the >> example that IEEE 802.1 uses AES CCM.**** >> >> ** ** >> >> 2. Mark Watson (Netflix) noted that if we use RSA directly to encrypt >> wrapped key objects, then we would need something other than OAEP in order >> to carry arbitrary-length payloads. I agreed, and suggested that something >> like RSA-KEM would be necessary. Ryan Sleevi (Google) and Vijay observed >> that KEM is troublesome due to the lack of support by native crypto >> libraries.**** >> >> ** ** >> >> It seems to me that these comments have impacts on JWE and JWS (pending >> ISSUE-2), as well as the wrapping discussion. The former has more impact >> than the latter. **** >> >> ** ** >> >> Point number 1 implies that we should offer AEAD for key wrapping in JWE >> as well as for wrapped keys. It seems to me that the simplest approach to >> this would be to make the "alg" field contain an object that is >> semantically equivalent to an AlgorithmIdentifier in CMS/PKCS8. For >> example, { name: "A128GCM", iv: "PCIGJe0DjunuM7s0" }. This syntax, >> incidentally, is roughly the same form that algorithm identifiers have in >> the WebCrypto API. Note that this type of key wrapping is supported in CMS >> by the use of an AEAD AlgorithmIdentifier in the KEKRecipientInfo >> structure. **** >> >> ** ** >> >> Point number 2 likely applies for some scenarios of JWE, especially if we >> adopt the McGrew approach. For example, if using HMAC-SHA1 and AES with a >> 256-bit key, the total key length is 788 bits, which is too long to be >> encrypted with OAEP under a 1,024-bit RSA key. I'm not sure how to resolve >> it. The best idea I've got is to allow wrapped keys to nest, so that you >> can wrap a key inside of another wrapped key.**** >> >> ** ** >> >> I will try to take these points into account in my forthcoming key >> wrapping draft, and I've filed two issues against JWE to track them.**** >> >> ** ** >> >> --Richard**** >> > >
- [jose] WebCrypto feedback on key wrapping Richard Barnes
- Re: [jose] WebCrypto feedback on key wrapping Mike Jones
- Re: [jose] WebCrypto feedback on key wrapping Jim Schaad
- Re: [jose] WebCrypto feedback on key wrapping Richard Barnes
- Re: [jose] WebCrypto feedback on key wrapping Mike Jones
- Re: [jose] WebCrypto feedback on key wrapping Richard Barnes
- Re: [jose] WebCrypto feedback on key wrapping Mark Watson
- Re: [jose] WebCrypto feedback on key wrapping Mike Jones
- Re: [jose] WebCrypto feedback on key wrapping Vijay Bharadwaj
- Re: [jose] WebCrypto feedback on key wrapping Mark Watson