Re: [jose] Clean interop with "oth"
John Bradley <ve7jtb@ve7jtb.com> Mon, 17 November 2014 17:25 UTC
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Mon, 17 Nov 2014 12:25:08 -0500
To: Matt Miller <mamille2@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/rucRPA_b6A83s3exOVelC8zahsM
Cc: Richard Barnes <rlb@ipv.sx>, Michael Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] Clean interop with "oth"

I think using multi prime is about 7 to 9 times faster in decryption than regular RSA decryption (depending on implementation).

What I don't know is how much slower a key with r > 2 is when only using d vs the standard case of using d where r = 2.

I think looking at key generation that they are the same, but someone smarter than me needs to confirm that.

As I recall the idea behind multi-prime was to speed up decryption to make RSA practical on mobile platforms of the day (the alternative being EC). That is less of an issue now given speed improvements, though might now be an issue for IoT platforms (I suspect they are all using EC anyway).

If using d is a significant enough slowdown that it can be a denial of service attack then perhaps the decrypter shouldn't be using RSA keys in the first place.

If decryption using a multi prime private key only using d where r > 2 is the same as or similar to decryption using d where r = 2 then I would go with Mike's wording, but add a security consideration around the performance issues with RSA decryption if people think that is required.

John B.
(PS this math stuff makes my head hurt so I may be completely wrong)

> On Nov 17, 2014, at 11:11 AM, ⌘ Matt Miller <mamille2@cisco.com> wrote:
>
> Technically, only the private exponent and the modulus are necessary
> for the private operations. However, the performance can be so bad
> that it be a Denial of Service attack. Better to reject, in my opinion.
>
> --
> - m&m
>
> Matt Miller <mamille2@cisco.com>
> Cisco Systems, Inc.
>
> On 11/10/14, 10:08 PM, Mike Jones wrote:
>> Clarification question: Would the private key operate correctly,
>> if possibly inefficiently, in the multi-prime case if all the
>> private key parameters other than “d” were ignored? I ask, because
>> if this is the case, your wording could be modified to the less
>> severe text:
>>
>> If the consumer of a JWK does not support multi-prime RSA moduli
>> and it encounters a private key that includes the "oth" parameter,
>> then it MUST either reject the key or ignore all the private key
>> parameters other than “d”.
>>
>> -- Mike
>>
>> *From:* jose [mailto:jose-bounces@ietf.org] *On Behalf Of* Richard Barnes
>> *Sent:* Monday, November 10, 2014 7:02 PM
>> *To:* jose@ietf.org
>> *Subject:* [jose] Clean interop with "oth"
>>
>> It seems clear that there are no implementations today that support
>> the "oth" element, i.e., that support RSA with a modulus with
>> multiple factors. At least some of them simply ignore the "oth"
>> element, which unfortunately leads to incorrect operation. I would
>> propose something of the following form in JWA:
>>
>> """
>> If the consumer of a JWK does not support multi-prime RSA moduli
>> and it encounters a private key that includes the "oth" parameter,
>> then it MUST reject the key.
>> """
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
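
The three behaviours discussed in this thread, as an added example that is not part of the original messages or of any JOSE implementation: a consumer that applies CRT with only p and q and ignores "oth", one that uses only d and n, and one that rejects the key. The toy 3-prime key, the helper names and the use of plain integers instead of base64url values are assumptions made for illustration; the CRT recombination follows the multi-prime scheme of RFC 8017.

```python
# Added example: constructed toy 3-prime RSA key using the JWK member names
# (n, e, d, p, q, dp, dq, qi, oth). Values are tiny ints, not base64url.
from math import prod

def make_key(primes, e=65537):
    p, q, *rest = primes
    n = prod(primes)
    d = pow(e, -1, prod(r - 1 for r in primes))
    key = {"n": n, "e": e, "d": d, "p": p, "q": q,
           "dp": d % (p - 1), "dq": d % (q - 1), "qi": pow(q, -1, p)}
    oth, R = [], p * q
    for r in rest:                      # one "oth" entry per extra prime
        oth.append({"r": r, "d": d % (r - 1), "t": pow(R, -1, r)})
        R *= r
    if oth:
        key["oth"] = oth
    return key

def decrypt_d_only(key, c):
    # The "ignore everything except d" option: one full-size exponentiation.
    return pow(c, key["d"], key["n"])

def decrypt_crt(key, c, use_oth=True):
    # use_oth=False models a consumer that silently ignores "oth".
    p, q = key["p"], key["q"]
    m1, m2 = pow(c, key["dp"], p), pow(c, key["dq"], q)
    m = m2 + q * (((m1 - m2) * key["qi"]) % p)
    R = p * q
    for o in (key.get("oth", []) if use_oth else []):
        mi = pow(c, o["d"], o["r"])
        m += R * (((mi - m) * o["t"]) % o["r"])
        R *= o["r"]
    return m

def load_private_jwk(key, multiprime_supported=False):
    # The "MUST reject" option for consumers without multi-prime support.
    if "oth" in key and not multiprime_supported:
        raise ValueError('private JWK carries "oth"; multi-prime RSA not supported')
    return key

KEY = make_key([1009, 1013, 1019])      # constructed sample key
MSG = 123456789                         # constructed sample message, MSG < n
CT = pow(MSG, KEY["e"], KEY["n"])
```

With `use_oth=False` the result is only correct modulo p·q, which is the silent incorrect operation the proposed text is meant to prevent; the example does not measure the cost of the d-only path.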