IETF Logo Mail Archive

Re: [jose] WebCrypto feedback on key wrapping

Richard Barnes <rlb@ipv.sx> Tue, 19 March 2013 13:44 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27FAA21F8B75 for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 06:44:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.214
X-Spam-Level:
X-Spam-Status: No, score=-2.214 tagged_above=-999 required=5 tests=[AWL=0.762, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hXjvoLkXAZWa for <jose@ietfa.amsl.com>; Tue, 19 Mar 2013 06:44:46 -0700 (PDT)
Received: from mail-oa0-f41.google.com (mail-oa0-f41.google.com [209.85.219.41]) by ietfa.amsl.com (Postfix) with ESMTP id AC12021F860A for <jose@ietf.org>; Tue, 19 Mar 2013 06:44:45 -0700 (PDT)
Received: by mail-oa0-f41.google.com with SMTP id i10so456333oag.28 for <jose@ietf.org>; Tue, 19 Mar 2013 06:44:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=DDBggJoaCUMOzzVDXfKSUC/xp0Im+Upd7FeizNlf2o0=; b=h7MYw8NZ3jdd6e3wj6AIU7l3NmNq/c3A1OdI3wLnQ1otmLtAvKITh5yasbUCYeCeu2 GbrJoAzypS8Bg2ClhI+Sm7Oyi9X5wIDcDwnBbm5iVthyWNJH14stjHrSE+5/dQOB3ca8 Wb0+cknsyc9WeTz+xBdkl63uUUdeEj4WfQG0vhSqltw7YJKBnKybRlX4nUq/eraYL/57 rWFfR0X9BsePQgNZRQ1et5koQUrKgZMgRm4nmBHpLS0qR191nA1lfEahcRPclo6tYsjL 5emo4whX638uchKLq1AQLyiZKIkZw7sa8WzdgU3i2rB6MuvBpXqrpCs6R5QrFXE0pk35 b1OQ==
MIME-Version: 1.0
X-Received: by 10.60.171.102 with SMTP id at6mr1348547oec.60.1363700685232; Tue, 19 Mar 2013 06:44:45 -0700 (PDT)
Received: by 10.60.40.233 with HTTP; Tue, 19 Mar 2013 06:44:45 -0700 (PDT)
X-Originating-IP: [192.1.255.184]
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436755CE48@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436755CE48@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Tue, 19 Mar 2013 09:44:45 -0400
Message-ID: <CAL02cgQ6n5b=dd9aNqjJFZReRYokFLJ8rSKN5WpXVvGPioSv8g@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="bcaec54ee094eccad104d8474e31"
X-Gm-Message-State: ALoCoQm1PajFPTqRDy1Owj/v/L2i3MU1T5L4qU9mfJ3F6cDrq/aaW8fWjMPSiC4odeItBn74RB5b
Cc: "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] WebCrypto feedback on key wrapping
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 13:44:47 -0000

I don't disagree that the minimum size is a good thing for implementors to
do.  I just don't think that that restriction is necessary in a formatting
document like JW*, since it has no impact on interoperability.  At most, it
should be RECOMMENDED in the security considerations.  It should not be a
MUST.

--Richard


On Mon, Mar 18, 2013 at 11:28 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:

>  I believe that the 2048 restriction was motivated by a NIST evaluation
> on acceptable key lengths in which the use of 1024 bit RSA keys has already
> been deprecated.  Eric Rescorla’s presentation to the working group several
> IETFs ago specifically recommended this, as well as the other key size
> restrictions in JWA.
>
> At the time, the working group felt that requiring that people use keys of
> acceptable lengths for the current cryptographic client for new
> applications was a good thing - especially since JWS and JWE have no legacy
> applications to support.
>
> -- Mike
>
>  *From:* Richard Barnes
> *Sent:* March 18, 2013 7:31 PM
> *To:* Mike Jones
> *CC:* jose@ietf.org
> *Subject:* Re: [jose] WebCrypto feedback on key wrapping
>
> ISSUE-(n+1): Remove silly restriction on key sizes.  We're a formatting
> working group, not a crypto parameters working group.
>
>  --Richard
>
>
> On Mon, Mar 18, 2013 at 8:02 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:
>
>>  Given that we require RSA keys to be a minimum of 2048 bits in length,
>> there’s no problem wrapping 768 bit keys with OAEP in practice.****
>>
>> ** **
>>
>>                                                                 -- Mike**
>> **
>>
>> ** **
>>
>> *From:* jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf
>> Of *Richard Barnes
>> *Sent:* Monday, March 18, 2013 4:25 PM
>> *To:* jose@ietf.org
>> *Subject:* [jose] WebCrypto feedback on key wrapping****
>>
>> ** **
>>
>> On today's call with the W3C WebCrypto working  group, I reported on the
>> discussion of JOSE key wrapping at the last IETF.  I was asked to relay a
>> few bits of feedback:****
>>
>> ** **
>>
>> 1. Vijay Bharadwaj (Microsoft) observed that AES key wrap has fallen out
>> of favor with some parts of the cryptographic community.  People prefer to
>> be able to use AEAD algorithms for key wrapping, since they are perceived
>> to be faster and offer a higher level of security than AES-KW. He gave the
>> example that IEEE 802.1 uses AES CCM.****
>>
>> ** **
>>
>> 2. Mark Watson (Netflix) noted that if we use RSA directly to encrypt
>> wrapped key objects, then we would need something other than OAEP in order
>> to carry arbitrary-length payloads.  I agreed, and suggested that something
>> like RSA-KEM would be necessary.  Ryan Sleevi (Google) and Vijay observed
>> that KEM is troublesome due to the lack of support by native crypto
>> libraries.****
>>
>> ** **
>>
>> It seems to me that these comments have impacts on JWE and JWS (pending
>> ISSUE-2), as well as the wrapping discussion.  The former has more impact
>> than the latter. ****
>>
>> ** **
>>
>> Point number 1 implies that we should offer AEAD for key wrapping in JWE
>> as well as for wrapped keys.  It seems to me that the simplest approach to
>> this would be to make the "alg" field contain an object that is
>> semantically equivalent to an AlgorithmIdentifier in CMS/PKCS8.  For
>> example, { name: "A128GCM", iv: "PCIGJe0DjunuM7s0" }.  This syntax,
>> incidentally, is roughly the same form that algorithm identifiers have in
>> the WebCrypto API.  Note that this type of key wrapping is supported in CMS
>> by the use of an AEAD AlgorithmIdentifier in the KEKRecipientInfo
>> structure.  ****
>>
>> ** **
>>
>> Point number 2 likely applies for some scenarios of JWE, especially if we
>> adopt the McGrew approach.  For example, if using HMAC-SHA1 and AES with a
>> 256-bit key, the total key length is 788 bits, which is too long to be
>> encrypted with OAEP under a 1,024-bit RSA key.  I'm not sure how to resolve
>> it.  The best idea I've got is to allow wrapped keys to nest, so that you
>> can wrap a key inside of another wrapped key.****
>>
>> ** **
>>
>> I will try to take these points into account in my forthcoming key
>> wrapping draft, and I've filed two issues against JWE to track them.****
>>
>> ** **
>>
>> --Richard****
>>
>
>

v2.23.0 | Report a Bug | By Email