IETF Logo Mail Archive

Re: [jose] Draft describing encrypting JWK key representations, with JWE

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 16 March 2013 12:25 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB07721F8B4A for <jose@ietfa.amsl.com>; Sat, 16 Mar 2013 05:25:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.229
X-Spam-Level:
X-Spam-Status: No, score=-100.229 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, J_CHICKENPOX_14=0.6, RCVD_IN_PBL=0.905, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9Xj7IqRbnta for <jose@ietfa.amsl.com>; Sat, 16 Mar 2013 05:25:12 -0700 (PDT)
Received: from mail-ea0-x22f.google.com (mail-ea0-x22f.google.com [IPv6:2a00:1450:4013:c01::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 8726321F8B35 for <jose@ietf.org>; Sat, 16 Mar 2013 05:25:11 -0700 (PDT)
Received: by mail-ea0-f175.google.com with SMTP id o10so1867245eaj.6 for <jose@ietf.org>; Sat, 16 Mar 2013 05:25:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:message-id:date:from:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=5qngBkUYommavs4HYAFjDOre0oN3Gs4uuoEmygRYB5w=; b=hMDdoy7PSdhD7nVp7cze3VrKQbezfnHT7qKDEN2tK/EhYBt/+GoeO9dDvPUDMJw+Cv sJNeyGaO4hGfYfEBgLh+lyZ5EqKHXsEaTFtJLrGkY3dL3O05tB1+DD8DQme0InFW3PJ8 Pu7rM1wXrbsO+jGvCT5G07bU70drwNecaN2c9U6razWQTLSOn+scwfdmEnQ/Cd8/sIRg KcYtq4D+njmbNJUu/po+ZyttPISsj0SU+v89TWZ6atlVsAFMg53wV+thPqrnYGvx8fJF tggs0OvYcwCXFMVSA0fID+S4SrecPJ1U1oqPxJyf7jUNHAea+LbJpvta6oIDBKZyOjOH XtEA==
X-Received: by 10.14.183.198 with SMTP id q46mr28693752eem.1.1363436704555; Sat, 16 Mar 2013 05:25:04 -0700 (PDT)
Received: from [10.0.0.2] (bzq-109-66-120-100.red.bezeqint.net. [109.66.120.100]) by mx.google.com with ESMTPS id a1sm15742380eep.2.2013.03.16.05.24.56 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 16 Mar 2013 05:25:03 -0700 (PDT)
Message-ID: <51446495.8020708@gmail.com>
Date: Sat, 16 Mar 2013 14:24:53 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130221 Thunderbird/17.0.3
MIME-Version: 1.0
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
References: <mailman.4019.1363356696.3432.cfrg@irtf.org> <51433B12.1020703@gmail.com> <4E1F6AAD24975D4BA5B168042967394367526568@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgQ8=yKwArwvR228Z=xi0N3U6yvoOHt6M-3EuCD_HYkyww@mail.gmail.com> <4E1F6AAD24975D4BA5B168042967394367526789@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgRbh7EYLwp01t0yMMPHbhtVsQjY8379YF9_gRgGeO08eQ@mail.gmail.com> <8B4C063947CD794BB6FF90C78BAE9B321EFD5DFC@IMCMBX04.MITRE.ORG> <51435D7A.7050800@gmail.com> <8B4C063947CD794BB6FF90C78BAE9B321EFD5FBC@IMCMBX04.MITRE.ORG> <BF7E36B9C495A6468E8EC573603ED94115171F9A@xmb-aln-x11.cisco.com>
In-Reply-To: <BF7E36B9C495A6468E8EC573603ED94115171F9A@xmb-aln-x11.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Sat, 16 Mar 2013 19:11:10 -0700
Cc: Richard Barnes <rlb@ipv.sx>, "cfrg@irtf.org" <cfrg@irtf.org>, Mike Jones <Michael.Jones@microsoft.com>, "Peck, Michael A" <mpeck@mitre.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Draft describing encrypting JWK key representations, with JWE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2013 12:25:13 -0000

Well I guess that's for me. So here goes:

Despite the protections afforded by PBKDF2 and PBES2, password-protected 
data is still subject to off-line dictionary attacks, when using 
human-generated passwords. The same applies to machine generated 
passwords, if they need to be memorable to humans.

Such dictionary attacks reveal both the data and the password to an 
eavesdropper. Therefore:

- Password-based encryption should not be used for high value data.
- Password-based encryption should not be used with high-value 
passwords, e.g. with a user's long-term password.

Thanks,
	Yaron

On 03/15/2013 09:47 PM, Matt Miller (mamille2) wrote:
> My intent for introducing PBES2 key wrapping algorithms was for those times when the key exchange is at the human-level.  I think there are probably better mechanisms when the input in appropriately random to start with, although I personally don't see a tremendous amount of harm using a PBES2-based algorithm with stronger "passwords".
>
> I tried to address some concerns around the use of passwords, but did rely on what RFC2898 already says about specific values for iteration counts and salts.  I'd be happy to incorporate more direction there, if someone could help provide some text.  I'd also be happy to help incorporate this into whatever other document we'd rather have it in.
>
>
> - m&m
>
> Matt Miller < mamille2@cisco.com >
> Cisco Systems, Inc.
>
> On Mar 15, 2013, at 1:55 PM, "Peck, Michael A" <mpeck@mitre.org>
>   wrote:
>
>> I'll try to clarify (and hopefully not dig a deeper hole).
>>
>> JWE currently provides a "dir" mechanism allowing a symmetric key previously agreed to out of band to be used for content encryption.
>> All of the other JWE mechanisms use a fresh symmetric key for each encryption.
>>
>> My suggestion was that instead of directly using the pre-shared symmetric key to encrypt content, if JWE makes the PBKDF2 mechanism available the symmetric key could be used as the PBKDF2 "password", resulting in a fresh key generated for each content encryption.  In this particular case the password input to PBKDF2 would hopefully be very random - I would think there would be no more risk than using the pre-shared key directly, rather less risk.
>>
>> General password considerations are a different matter.  Passwords have lots of issues but if we're stuck with them we should at least advise how to do the best we can.
>>
>> Mike
>>
>>> -----Original Message-----
>>> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
>>> Sent: Friday, March 15, 2013 1:42 PM
>>> To: Peck, Michael A
>>> Cc: Richard Barnes; Mike Jones; cfrg@irtf.org; jose@ietf.org
>>> Subject: Re: [jose] Draft describing encrypting JWK key representations, with
>>> JWE
>>>
>>> Hi Mike and Mike,
>>>
>>> The NIST SP is about using PBKDF2 for storage encryption (which I'm not
>>> thrilled with, either). Not for sending the encrypted blob over the
>>> wire, for an attacker to intercept and decrypt off-line. And if we read
>>> the NIST document, let's adopt the whole thing - quoting from sec. A.1:
>>> "Passwords shorter than 10 characters are usually considered to be
>>> weak." Are we going to make this recommendation too? Well I guess not.
>>>
>>> *Please* do not mix passwords with cryptographic keys. If the WG goes
>>> through the risk vs. benefit analysis and decides to have a
>>> password-based mechanism, fine. But please leave the shared-key
>>> mechanism as-is. It's important that readers of JOSE specs are very
>>> clear about the difference between randomly generated keys and
>>> user-memorable (or even -generated) passwords.
>>>
>>> Let's be clear: even a single use of a user-generated password for
>>> on-the-wire encryption is risky. So-called key rotation of actual
>>> cryptographic keys is a whole different matter.
>>>
>>> Thanks,
>>> 	Yaron
>>>
>>>
>>> On 03/15/2013 06:58 PM, Peck, Michael A wrote:
>>>> +1
>>>>
>>>> NIST Special Publication 800-132 provides recommendations for the
>>>> parameters that the group may find useful.
>>>>
>>>> http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
>>>>
>>>> It may also be worth thinking about using PBKDF2 instead of the "dir"
>>>> (Direct Encryption with a Shared Symmetric Key) mechanism described in
>>>> draft-ietf-jose-json-web-algorithms-08 section 4.6.  The shared
>>>> symmetric key would be used as the PBKDF2 "password", and this would
>>>> force a new key to be used for each encryption, rather than the current
>>>> "dir" approach of using the same encryption key repeatedly.
>>>>
>>>> Mike
>>>>
>>>> *From:*jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf
>>>> Of *Richard Barnes
>>>> *Sent:* Friday, March 15, 2013 12:53 PM
>>>> *To:* Mike Jones
>>>> *Cc:* Yaron Sheffer; cfrg@irtf.org; jose@ietf.org
>>>> *Subject:* Re: [jose] Draft describing encrypting JWK key
>>>> representations, with JWE
>>>>
>>>> Do I count as an expert?  :)
>>>>
>>>> As I understand it, PBDKF2 is completely fine for key protection.
>>>>   PBKDF2 has mechanisms to mitigate the dictionary attack risks, e.g.,
>>>> having a high number of iterations. We might want to make some
>>>> recommendations as to how you set those parameters. And the actual key
>>>> wrapping is done with something like AES-KW, so that step is fine.
>>>>
>>>> So I would be completely fine with adding this to JWE / JWA.  We should
>>>> do this.
>>>>
>>>> --Richard
>>>>
>>>> On Fri, Mar 15, 2013 at 12:48 PM, Mike Jones
>>>> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>
>>> wrote:
>>>>
>>>> That's up to the working group.  I'm actually hoping that experts on the
>>>> lists will respond to Yaron's comments before we make a decision on
>>>> whether PBKDF2 as specified is an appropriate key wrapping algorithm or
>>> not.
>>>>
>>>> Assuming that the content in Matt's draft eventually becomes an RFC or
>>>> part of one, the PBKDF2 definition would end up in the algorithms
>>>> registry either way, even if it's not part of the JWA spec itself.
>>>>
>>>>                                                              Cheers,
>>>>
>>>>                                                              -- Mike
>>>>
>>>> *From:*jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>
>>>> [mailto:jose-bounces@ietf.org <mailto:jose-bounces@ietf.org>] *On
>>> Behalf
>>>> Of *Richard Barnes
>>>> *Sent:* Friday, March 15, 2013 9:43 AM
>>>> *To:* Mike Jones
>>>> *Cc:* Yaron Sheffer; cfrg@irtf.org <mailto:cfrg@irtf.org>; jose@ietf.org
>>>> <mailto:jose@ietf.org>
>>>> *Subject:* Re: [jose] Draft describing encrypting JWK key
>>>> representations, with JWE
>>>>
>>>> So, Mike, would you be OK with adding PBE to JWE / JWA, as a new key
>>>> wrapping algorithm?
>>>>
>>>> --Richard
>>>>
>>>> On Fri, Mar 15, 2013 at 12:14 PM, Mike Jones
>>>> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>
>>> wrote:
>>>>
>>>> [Adding JOSE mailing list to the thread]
>>>>
>>>> For clarification, PBKDF2 is not the only algorithm that could be used
>>>> to wrap keys in this scheme.  This draft *adds* PBKDF2 to the set of
>>>> algorithms already specified for use with encryption in the JSON Web
>>>> Algorithms (JWA) specification
>>>> (http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08).  In
>>>> particular, other algorithms such as AES Key Wrap and AES GCM are also
>>>> present there.
>>>>
>>>> I'll let others who are experts in PBKDF2 and password-based encryption
>>>> respond to Yaron's specific comment.
>>>>
>>>>                                  -- Mike
>>>>
>>>> -----Original Message-----
>>>> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com
>>>> <mailto:yaronf.ietf@gmail.com>]
>>>> Sent: Friday, March 15, 2013 8:16 AM
>>>> To: cfrg@irtf.org <mailto:cfrg@irtf.org>; Mike Jones
>>>> Subject: Re: Draft describing encrypting JWK key representations, with JWE
>>>>
>>>> Hi Mike,
>>>>
>>>> I'm probably missing something, but I'm worried about the security of
>>>> this scheme (though I do appreciate the usability/convenience of
>>> passwords).
>>>>
>>>> PBKDF2 is meant to make dictionary attacks on stored passwords harder,
>>>> as a second line defense, once the server has been breached. Using it to
>>>> encrypt data and then sending the data on the wire, makes the data
>>>> vulnerable to this same dictionary attack (in this case the effort comes
>>>> to the space of all possible passwords - say 1 million - times 1000).
>>>> Moreover, this also puts the password itself in danger.
>>>>
>>>> Thanks,
>>>>          Yaron
>>>>
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> Message: 5
>>>>> Date: Fri, 15 Mar 2013 14:10:32 +0000
>>>>> From: Mike Jones <Michael.Jones@microsoft.com
>>>> <mailto:Michael.Jones@microsoft.com>>
>>>>> To: "cfrg@irtf.org <mailto:cfrg@irtf.org>" <cfrg@irtf.org
>>>> <mailto:cfrg@irtf.org>>
>>>>> Subject: [Cfrg] Draft describing encrypting JWK key representations
>>>>>       with JWE
>>>>> Message-ID:
>>>>>
>>>>>
>>> <4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.redmon
>>> d.corp.
>>>>
>>> <mailto:4E1F6AAD24975D4BA5B168042967394367522C60@TK5EX14MBXC284.r
>>> edmond.corp.%0b>>
>>>> microsoft.com <http://microsoft.com>>
>>>>>
>>>>> Content-Type: text/plain; charset="us-ascii"
>>>>>
>>>>> http://tools.ietf.org/html/draft-miller-jose-jwe-protected-jwk-01
>>>>>
>>>>> This also adds password-based encryption to the algorithm registry.
>>>>>
>>>>>                                                              -- Mike
>>>>>
>>>>> -------------- next part -------------- An HTML attachment was
>>>>> scrubbed...
>>>>> URL:
>>>>> <http://www.irtf.org/mail-
>>> archive/web/cfrg/attachments/20130315/02e36b
>>>>> 24/attachment.htm>
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Cfrg mailing list
>>>>> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>>>>> http://www.irtf.org/mailman/listinfo/cfrg
>>>>>
>>>>>
>>>>> End of Cfrg Digest, Vol 95, Issue 3
>>>>> ***********************************
>>>>>
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org <mailto:jose@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/jose
>>>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>

v2.23.0 | Report a Bug | By Email