Re: [jose] Platform Support for JWA Crypto Algorithms

"Matt Miller (mamille2)" <mamille2@cisco.com> Mon, 29 October 2012 22:16 UTC

Return-Path: <mamille2@cisco.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24D2C21F86EB for <jose@ietfa.amsl.com>; Mon, 29 Oct 2012 15:16:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eKASZrGTpCI1 for <jose@ietfa.amsl.com>; Mon, 29 Oct 2012 15:16:12 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id B338021F84FB for <jose@ietf.org>; Mon, 29 Oct 2012 15:16:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10147; q=dns/txt; s=iport; t=1351548971; x=1352758571; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=dKATCy+nt9tPghxqRaErfw6vEPqVuzd6nAtYLwFoWFc=; b=UNyQiv5ILQUFcLc3KVoErHApMVGj2i6/1LIOc355O8bQ/o5Zy3DcrmFw YEq1nyddbbPNXfNN8z1CjAEsrigDD24C4wTUYrZb5pp5FLw+8WPE/XHDu IywW+jfkWfBPt0UKTZDQHx/Swik98wKO+cqMiRCelSwV3DnzbOgcQcrte w=;
X-Files: smime.p7s : 2214
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAOv+jlCtJV2Z/2dsb2JhbABEwwmBCIIeAQEBAwEBAQEPAVsLBQsCAQgRBAEBCx0HAiULFAkIAQEEDgUIBhSHXgYLnAiff4t1hAOBeWEDjnSBIYZ5jT2Ba4JiDYIZ
X-IronPort-AV: E=Sophos; i="4.80,675,1344211200"; d="p7s'?scan'208"; a="136640493"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-7.cisco.com with ESMTP; 29 Oct 2012 22:16:11 +0000
Received: from xhc-rcd-x13.cisco.com (xhc-rcd-x13.cisco.com [173.37.183.87]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id q9TMGBP7021964 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 29 Oct 2012 22:16:11 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.240]) by xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.02.0318.001; Mon, 29 Oct 2012 17:16:10 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: "<Axel.Nennker@telekom.de> " <Axel.Nennker@telekom.de>
Thread-Topic: [jose] Platform Support for JWA Crypto Algorithms
Thread-Index: Ac21npPqwtcuERVxRaibRdRS35KObwANGVoQAAd5tsAACDLiIAAO0JKA
Date: Mon, 29 Oct 2012 22:16:10 +0000
Message-ID: <BF7E36B9C495A6468E8EC573603ED94115076832@xmb-aln-x11.cisco.com>
References: <4E1F6AAD24975D4BA5B168042967394366880D09@TK5EX14MBXC285.redmond.corp.microsoft.com> <CE8995AB5D178F44A2154F5C9A97CAF40252198DCF55@HE111541.emea1.cds.t-internal.com> <4E1F6AAD24975D4BA5B16804296739436688123A@TK5EX14MBXC285.redmond.corp.microsoft.com> <CE8995AB5D178F44A2154F5C9A97CAF40252199B9114@HE111541.emea1.cds.t-internal.com>
In-Reply-To: <CE8995AB5D178F44A2154F5C9A97CAF40252199B9114@HE111541.emea1.cds.t-internal.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [64.101.72.62]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19318.004
x-tm-as-result: No--37.865600-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/signed; boundary="Apple-Mail=_EC4A02AA-8B30-4776-9E1B-7BB60503AAAF"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Cc: "<Michael.Jones@microsoft.com>" <Michael.Jones@microsoft.com>, "<public-webcrypto@w3.org>" <public-webcrypto@w3.org>, "<jose@ietf.org>" <jose@ietf.org>
Subject: Re: [jose] Platform Support for JWA Crypto Algorithms
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Oct 2012 22:16:13 -0000

On Oct 29, 2012, at 2:46 PM, <Axel.Nennker@telekom.de>
 wrote:

> Ease of implementation is relative. Maybe tomorrow I will discover that the needed concat-KDF is supported "natively" by Mozilla's NSS library. Then it is very easy.
> Currently it looks difficult on that platform because the documentation says that the digest function "finish" resets the digest, which would probably lead to different results than in the examples in the appendices A4 and A5.
> " http://doxygen.db48x.net/mozilla/html/interfacensICryptoHMAC.html#afa7330d1ac9e69aafc30f71ba35da74e
> NOTE: This method may be called any time after |init| is called. This call resets the object to its pre-init state.
> "
> I still think that some thirty bytes is not much and that generating the CIK randomly is much easier. I implemented the concat-kdf in java
> https://code.google.com/p/jsoncrypto/source/browse/trunk/src/org/jsoncrypto/crypto/KDFConcatGenerator.java and I know that implementing my proposal below is easier.
> Anyway: One could ask why the concat-KDF is not implemented in Bouncycastle while three other KDFs are implemented there.
> Mozilla implements KDFs too:
> https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/pk11wrap/pk11skey.c#1437
> Although there is no indication in the code which KDF this implements. Maybe a Mozillian on these lists can clarify.
> If it is a KDF that is implemented in Bouncycastle too then I suggest to change the default KDF in JWE to that one.
> 
> The implementation of KDF can lead to buffer overflows is no secret:
> https://bugzilla.mozilla.org/show_bug.cgi?id=617565
> Which means that KeyDerivationFunction implementation is not as easy as it could be.
> 
> Why do you think that the list of NIST's crypto implementations lists all algs except KDF?
> http://csrc.nist.gov/groups/STM/cavp/documents/components/componentval.html
> 
> NIST defines other KDFs too. Why is JWE using one that is implemented nowhere? Any other choice that is implemented on two platforms is a better choice than concat-kdf I think.
> 

To add more fuel to the fire: I've seen PBKDF2 is implemented in a few places, and I think it's only slightly harder to implement as concatKDF.

However, I still think just requiring a larger key is the easiest, least error-prone approach.


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

> Axel
> 
> http://doxygen.db48x.net/mozilla/html/interfacensICryptoHMAC.html#afa7330d1ac9e69aafc30f71ba35da74e
> NOTE: This method may be called any time after |init| is called. This call resets the object to its pre-init state.
> 
> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> Sent: Monday, October 29, 2012 5:25 PM
> To: Nennker, Axel; jose@ietf.org
> Cc: public-webcrypto@w3.org
> Subject: RE: Platform Support for JWA Crypto Algorithms
> 
> No, Concat often isn't natively supported, but it's very easy to implement given implementations of SHA-256 and SHA-512, as shown in http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06#appendix-A.4 and http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06#appendix-A.5.
> 
> When the table was discussed at the WebCrypto F2F, it was pointed out that a shortcoming of the current table is that it doesn't indicate which of the "NO" values are effectively show-stoppers and which are easy to build implementations of, and so not a problem in practice.  As shown in the appendices, I believe that Concat is in the latter category.  Given the ease of implementation, it's certainly not worth adding space to the JWEs to work around.
> 
>                                                            -- Mike
> 
> From: Axel.Nennker@telekom.de [mailto:Axel.Nennker@telekom.de]
> Sent: Monday, October 29, 2012 6:03 AM
> To: Mike Jones; jose@ietf.org
> Cc: public-webcrypto@w3.org
> Subject: RE: Platform Support for JWA Crypto Algorithms
> 
> As one can see from this table the KDF is unsupported on all platforms (except one).
> http://self-issued.info/presentations/Platform_Support_for_JWA-04_Crypto_Algorithms.xlsx
> 
> JWE
> 
> kdf
> 
> CS256
> 
> Concat Key Derivation Function (KDF)
> 
> NO
> 
> Win7
> 
> 
> 
> 
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> 
> 
> NO
> 
> NO
> 
> NO
> 
> JWE
> 
> kdf
> 
> CS384
> 
> Concat Key Derivation Function (KDF)
> 
> NO
> 
> Win7
> 
> 
> 
> 
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> 
> 
> NO
> 
> NO
> 
> NO
> 
> JWE
> 
> kdf
> 
> CS512
> 
> Concat Key Derivation Function (KDF)
> 
> NO
> 
> Win7
> 
> 
> 
> 
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> NO
> 
> 
> 
> NO
> 
> NO
> 
> NO
> 
> 
> Isn't this an indication that we should look at alternatives?
> 
> e.g.: we could generate the integrity protection key randomly instead of deriving it from the content encryption key.
> This would add some more bytes (e.g. about 32) to the jwt but is very easy to implement on all platforms.
> 
> 
> One way to do it would be to generate enough bytes "Bytes" in "JWE Encrypted Key" for encryption and integrity.
> The CEK is then "Bytes[0 .. cekLength-1]" and the CIK "Bytes[cekLength .. cekLength+cikLength-1]"
> 
> 
> Axel
> 
> [On some platforms (Firefox/NSS) it might even be nearly impossible to implement (without extending the platform's functions) because the build-in digest function is always reset when finalize (doFinal) is called. The spec of the Concat-KDF says that bytes are generated in a loop but the digest is NOT reset in the loop.]
> 
> 
> From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Monday, October 29, 2012 7:28 AM
> To: jose@ietf.org<mailto:jose@ietf.org>
> Subject: [jose] Platform Support for JWA Crypto Algorithms
> 
> FYI, I posted the table describing support for the JWA algorithms in common Web development platforms that we discussed at IETF 84.  See http://self-issued.info/?p=884.
> 
>                                                            -- Mike
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose