Re: [jose] Concat KDF

Mike Jones <Michael.Jones@microsoft.com> Fri, 12 July 2013 15:31 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "'Manger, James H'" <James.H.Manger@team.telstra.com>, 'Russ Housley' <housley@vigilsec.com>, Jim Schaad <ietf@augustcellars.com>, "'jose@ietf.org'" <jose@ietf.org>
Thread-Topic: Concat KDF
Date: Fri, 12 Jul 2013 15:30:17 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B6B952E@TK5EX14MBXC283.redmond.corp.microsoft.com>

These changes have been applied in the -12 specs.

                                             -- Mike

From: Mike Jones
Sent: Tuesday, June 18, 2013 11:10 AM
To: Manger, James H; Russ Housley; Jim Schaad; jose@ietf.org
Subject: RE: Concat KDF

Thanks for the careful read, James.  Replies inline marked "Mike>"...

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Manger, James H
Sent: Sunday, June 16, 2013 6:20 PM
To: jose@ietf.org
Subject: [jose] Concat KDF

The use of the Concat KDF still does not look right.

JWA [draft-ietf-jose-json-web-algorithms-11] section 4.7 says "ECDH-ES" uses Concat KDF from NIST 800-56A section 5.8.1. NIST defines 5 fields that go into the key derivation: AlgorithmID, PartyUInfo, PartyVInfo, SuppPubInfo, and SuppPrivInfo.

NIST says AlgorithmID indicates the algorithm that will use the derived key. JWA says to use the "alg" value (eg "ECDH-ES") as the AlgorithmID. AlgorithmID should actually be the "enc" value when the derived key is used directly as a CEK.

Mike> I can change the draft to use the "enc" value in the direct agreement case, unless people object.

When the derived key unwraps the CEK, AlgorithmID should be the name of the key wrap algorithm (eg "A128KW"). Perhaps the "alg" value can be used in this case as it identifies the key wrap algorithm along with the key establishment algorithm (eg "ECDH-ES+A128KW").

Mike> Agreed - so there is no change needed to the AlgorithmID for the agreement with key wrapping case.

NIST says PartyUInfo includes an identifier for party U. The first problem is that JWA does not indicate if the sender or receiver is party U (nor does JWE). The second problem is that JWA says PartyUInfo is random -- which seems to totally defeat the purpose of being an identifier for a party. JWA says PartyUInfo should vary for each recipient, which suggests PartyUInfo cannot be an id of the sender. Does that suggest the receiver is party U?

Mike> The sender is Party U.  I'll say so in the draft.  (This is parallel to RFC 2631's partyAInfo, which is also supplied by the sender.)

NIST says PartyVInfo is required and includes an identifier for party V. JWA says PartyVInfo is empty, which obviously cannot meet the NIST definition.

Mike> This was discussed at the in-person working group meeting in Denver and Jim Schaad stated that I should modify the Key Agreement parameters to mirror their use in RFC 2631, which I therefore did.  Jim, Russ, and James, can the three of you (and other interested working group members) please make a decision among the three of you about text to include about PartyUInfo and PartyVInfo?  If you don't reach an agreement, one option is for me to add a note to the spec that PartyUInfo is used in the same manner as PartyAInfo of RFC 2631 and that since RFC 2631 doesn't have an equivalent of PartyVInfo, none is used here either.  The other option is to go back to the "apu" and "apv" language of http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-10 - adding that the sender is Party U and the receiver is Party V.  Comments?

The JWA values for SuppPubInfo (length of derived key in bits) and SuppPrivInfo (empty) are in line with the NIST definitions.

It appears the Concat KDF text in JWA has been rewritten based on RFC2631 "Diffie-Hellman Key Agreement Method". RFC2631 is not referenced by JWA, but it is mentioned in the "document history" section (which will eventually be deleted). RFC2631 has items such as partyAInfo and suppPubInfo whose names are similar to NIST items. However, RFC2631 was published 7 years before NIST 800-56A (and 13 years before the current version of NIST 800-56A) so RFC2631 cannot be used as an example of how to use Concat KDF.

As I stated above, if we keep the current PartyUInfo/PartyVInfo usage, I will explicitly add text saying that the usage of these fields is taken from RFC 2631.

--

James Manger


                                                                -- Mike
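As an added illustration (not code from the thread or from the JWA draft), here is a Python rendering of the Concat KDF inputs as the thread settles them: SuppPubInfo is the derived-key length in bits, SuppPrivInfo is empty, the sender is Party U, and AlgorithmID is the "enc" value for direct agreement and the "alg" value when the derived key wraps the CEK. It assumes SHA-256 and the 32-bit length-prefixed field encoding of NIST SP 800-56A (the encoding the final RFC 7518 adopted); KEY_BITS, Z and the helper names are constructed for the example.

```python
import hashlib
import struct

# Key sizes in bits for the JWE algorithms used here (constructed subset;
# the full tables are in the JWA draft).
KEY_BITS = {"A128GCM": 128, "A256GCM": 256, "A128CBC-HS256": 256,
            "A128KW": 128, "A256KW": 256}

def _ld(data: bytes) -> bytes:
    """Datalen || Data: 32-bit big-endian length prefix (NIST SP 800-56A encoding)."""
    return struct.pack(">I", len(data)) + data

def other_info(algorithm_id: str, party_u: bytes, party_v: bytes, keydatalen: int) -> bytes:
    """OtherInfo = AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo || SuppPrivInfo.
    SuppPubInfo is keydatalen in bits; SuppPrivInfo is empty."""
    return (_ld(algorithm_id.encode("ascii")) + _ld(party_u) + _ld(party_v)
            + struct.pack(">I", keydatalen))

def concat_kdf(z: bytes, keydatalen: int, other: bytes) -> bytes:
    """NIST SP 800-56A section 5.8.1 single-step KDF with SHA-256:
    K = H(1 || Z || OtherInfo) || H(2 || Z || OtherInfo) || ... truncated to keydatalen bits."""
    hash_bits = 256
    reps = -(-keydatalen // hash_bits)  # ceiling division
    out = b"".join(hashlib.sha256(struct.pack(">I", i) + z + other).digest()
                   for i in range(1, reps + 1))
    return out[: keydatalen // 8]

def jwe_algorithm_id(alg: str, enc: str) -> str:
    """Direct agreement (alg == 'ECDH-ES'): the derived key is the CEK, so the 'enc'
    value names the algorithm that uses it.  Agreement with key wrapping: the derived
    key wraps the CEK, and the 'alg' value (e.g. 'ECDH-ES+A128KW') names that use."""
    return enc if alg == "ECDH-ES" else alg

def derive_jwe_key(z: bytes, alg: str, enc: str, apu: bytes, apv: bytes) -> bytes:
    """Derive the CEK (direct) or the key-wrapping key (wrapped) from shared secret Z.
    apu identifies the sender (Party U), apv the recipient (Party V)."""
    keydatalen = KEY_BITS[enc] if alg == "ECDH-ES" else KEY_BITS[alg.split("+", 1)[1]]
    return concat_kdf(z, keydatalen, other_info(jwe_algorithm_id(alg, enc), apu, apv, keydatalen))

# Constructed shared secret standing in for an ECDH output (not a real test vector).
Z = bytes(range(32))

if __name__ == "__main__":
    cek = derive_jwe_key(Z, "ECDH-ES", "A256GCM", b"Alice", b"Bob")
    kek = derive_jwe_key(Z, "ECDH-ES+A128KW", "A256GCM", b"Alice", b"Bob")
    print(cek.hex(), kek.hex())
```

Because AlgorithmID, PartyUInfo and PartyVInfo are hashed into the key, a sender and recipient that disagree on any of them (for instance "alg" versus "enc" in the direct case) derive different keys and the decryption simply fails, which is why the thread pushes for the fields to be pinned down in the spec.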