Return-Path: <mamille2@cisco.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
 with ESMTP id 24D2C21F86EB for <jose@ietfa.amsl.com>;
 Mon, 29 Oct 2012 15:16:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5
 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com
 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eKASZrGTpCI1 for
 <jose@ietfa.amsl.com>; Mon, 29 Oct 2012 15:16:12 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78])
 by ietfa.amsl.com (Postfix) with ESMTP id B338021F84FB for <jose@ietf.org>;
 Mon, 29 Oct 2012 15:16:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com;
 l=10147; q=dns/txt; s=iport; t=1351548971; x=1352758571;
 h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version;
 bh=dKATCy+nt9tPghxqRaErfw6vEPqVuzd6nAtYLwFoWFc=;
 b=UNyQiv5ILQUFcLc3KVoErHApMVGj2i6/1LIOc355O8bQ/o5Zy3DcrmFw
 YEq1nyddbbPNXfNN8z1CjAEsrigDD24C4wTUYrZb5pp5FLw+8WPE/XHDu
 IywW+jfkWfBPt0UKTZDQHx/Swik98wKO+cqMiRCelSwV3DnzbOgcQcrte w=; 
X-Files: smime.p7s : 2214
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAOv+jlCtJV2Z/2dsb2JhbABEwwmBCIIeAQEBAwEBAQEPAVsLBQsCAQgRBAEBCx0HAiULFAkIAQEEDgUIBhSHXgYLnAiff4t1hAOBeWEDjnSBIYZ5jT2Ba4JiDYIZ
X-IronPort-AV: E=Sophos; i="4.80,675,1344211200"; d="p7s'?scan'208";
 a="136640493"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by
 rcdn-iport-7.cisco.com with ESMTP; 29 Oct 2012 22:16:11 +0000
Received: from xhc-rcd-x13.cisco.com (xhc-rcd-x13.cisco.com [173.37.183.87])
 by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id q9TMGBP7021964
 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL);
 Mon, 29 Oct 2012 22:16:11 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.240]) by
 xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.02.0318.001;
 Mon, 29 Oct 2012 17:16:10 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: "<Axel.Nennker@telekom.de> " <Axel.Nennker@telekom.de>
Thread-Topic: [jose] Platform Support for JWA Crypto Algorithms
Thread-Index: Ac21npPqwtcuERVxRaibRdRS35KObwANGVoQAAd5tsAACDLiIAAO0JKA
Date: Mon, 29 Oct 2012 22:16:10 +0000
Message-ID: <BF7E36B9C495A6468E8EC573603ED94115076832@xmb-aln-x11.cisco.com>
References: <4E1F6AAD24975D4BA5B168042967394366880D09@TK5EX14MBXC285.redmond.corp.microsoft.com>
 <CE8995AB5D178F44A2154F5C9A97CAF40252198DCF55@HE111541.emea1.cds.t-internal.com>
 <4E1F6AAD24975D4BA5B16804296739436688123A@TK5EX14MBXC285.redmond.corp.microsoft.com>
 <CE8995AB5D178F44A2154F5C9A97CAF40252199B9114@HE111541.emea1.cds.t-internal.com>
In-Reply-To: <CE8995AB5D178F44A2154F5C9A97CAF40252199B9114@HE111541.emea1.cds.t-internal.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [64.101.72.62]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19318.004
x-tm-as-result: No--37.865600-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/signed;
 boundary="Apple-Mail=_EC4A02AA-8B30-4776-9E1B-7BB60503AAAF";
 protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
Cc: "<Michael.Jones@microsoft.com>" <Michael.Jones@microsoft.com>,
 "<public-webcrypto@w3.org>" <public-webcrypto@w3.org>,
 "<jose@ietf.org>" <jose@ietf.org>
Subject: Re: [jose] Platform Support for JWA Crypto Algorithms
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>,
 <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>,
 <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Oct 2012 22:16:13 -0000

--Apple-Mail=_EC4A02AA-8B30-4776-9E1B-7BB60503AAAF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii


On Oct 29, 2012, at 2:46 PM, <Axel.Nennker@telekom.de>
 wrote:

> Ease of implementation is relative. Maybe tomorrow I will discover =
that the needed concat-KDF is supported "natively" by Mozilla's NSS =
library. Then it is very easy.
> Currently it looks difficult on that platform because the =
documentation says that the digest function "finish" resets the digest, =
which would probably lead to different results than in the examples in =
the appendices A4 and A5.
> " =
http://doxygen.db48x.net/mozilla/html/interfacensICryptoHMAC.html#afa7330d=
1ac9e69aafc30f71ba35da74e
> NOTE: This method may be called any time after |init| is called. This =
call resets the object to its pre-init state.
> "
> I still think that some thirty bytes is not much and that generating =
the CIK randomly is much easier. I implemented the concat-kdf in java
> =
https://code.google.com/p/jsoncrypto/source/browse/trunk/src/org/jsoncrypt=
o/crypto/KDFConcatGenerator.java and I know that implementing my =
proposal below is easier.
> Anyway: One could ask why the concat-KDF is not implemented in =
Bouncycastle while three other KDFs are implemented there.
> Mozilla implements KDFs too:
> =
https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/pk11wrap/p=
k11skey.c#1437
> Although there is no indication in the code which KDF this implements. =
Maybe a Mozillian on these lists can clarify.
> If it is a KDF that is implemented in Bouncycastle too then I suggest =
to change the default KDF in JWE to that one.
>=20
> The implementation of KDF can lead to buffer overflows is no secret:
> https://bugzilla.mozilla.org/show_bug.cgi?id=3D617565
> Which means that KeyDerivationFunction implementation is not as easy =
as it could be.
>=20
> Why do you think that the list of NIST's crypto implementations lists =
all algs except KDF?
> =
http://csrc.nist.gov/groups/STM/cavp/documents/components/componentval.htm=
l
>=20
> NIST defines other KDFs too. Why is JWE using one that is implemented =
nowhere? Any other choice that is implemented on two platforms is a =
better choice than concat-kdf I think.
>=20

To add more fuel to the fire: I've seen PBKDF2 is implemented in a few =
places, and I think it's only slightly harder to implement as concatKDF.

However, I still think just requiring a larger key is the easiest, least =
error-prone approach.


- m&m

Matt Miller < mamille2@cisco.com >
Cisco Systems, Inc.

> Axel
>=20
> =
http://doxygen.db48x.net/mozilla/html/interfacensICryptoHMAC.html#afa7330d=
1ac9e69aafc30f71ba35da74e
> NOTE: This method may be called any time after |init| is called. This =
call resets the object to its pre-init state.
>=20
> From: Mike Jones [mailto:Michael.Jones@microsoft.com]
> Sent: Monday, October 29, 2012 5:25 PM
> To: Nennker, Axel; jose@ietf.org
> Cc: public-webcrypto@w3.org
> Subject: RE: Platform Support for JWA Crypto Algorithms
>=20
> No, Concat often isn't natively supported, but it's very easy to =
implement given implementations of SHA-256 and SHA-512, as shown in =
http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06#appendix=
-A.4 and =
http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06#appendix=
-A.5.
>=20
> When the table was discussed at the WebCrypto F2F, it was pointed out =
that a shortcoming of the current table is that it doesn't indicate =
which of the "NO" values are effectively show-stoppers and which are =
easy to build implementations of, and so not a problem in practice.  As =
shown in the appendices, I believe that Concat is in the latter =
category.  Given the ease of implementation, it's certainly not worth =
adding space to the JWEs to work around.
>=20
>                                                            -- Mike
>=20
> From: Axel.Nennker@telekom.de [mailto:Axel.Nennker@telekom.de]
> Sent: Monday, October 29, 2012 6:03 AM
> To: Mike Jones; jose@ietf.org
> Cc: public-webcrypto@w3.org
> Subject: RE: Platform Support for JWA Crypto Algorithms
>=20
> As one can see from this table the KDF is unsupported on all platforms =
(except one).
> =
http://self-issued.info/presentations/Platform_Support_for_JWA-04_Crypto_A=
lgorithms.xlsx
>=20
> JWE
>=20
> kdf
>=20
> CS256
>=20
> Concat Key Derivation Function (KDF)
>=20
> NO
>=20
> Win7
>=20
>=20
>=20
>=20
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
>=20
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> JWE
>=20
> kdf
>=20
> CS384
>=20
> Concat Key Derivation Function (KDF)
>=20
> NO
>=20
> Win7
>=20
>=20
>=20
>=20
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
>=20
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> JWE
>=20
> kdf
>=20
> CS512
>=20
> Concat Key Derivation Function (KDF)
>=20
> NO
>=20
> Win7
>=20
>=20
>=20
>=20
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
> NO
>=20
>=20
>=20
> NO
>=20
> NO
>=20
> NO
>=20
>=20
> Isn't this an indication that we should look at alternatives?
>=20
> e.g.: we could generate the integrity protection key randomly instead =
of deriving it from the content encryption key.
> This would add some more bytes (e.g. about 32) to the jwt but is very =
easy to implement on all platforms.
>=20
>=20
> One way to do it would be to generate enough bytes "Bytes" in "JWE =
Encrypted Key" for encryption and integrity.
> The CEK is then "Bytes[0 .. cekLength-1]" and the CIK "Bytes[cekLength =
.. cekLength+cikLength-1]"
>=20
>=20
> Axel
>=20
> [On some platforms (Firefox/NSS) it might even be nearly impossible to =
implement (without extending the platform's functions) because the =
build-in digest function is always reset when finalize (doFinal) is =
called. The spec of the Concat-KDF says that bytes are generated in a =
loop but the digest is NOT reset in the loop.]
>=20
>=20
> From: jose-bounces@ietf.org<mailto:jose-bounces@ietf.org> =
[mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Monday, October 29, 2012 7:28 AM
> To: jose@ietf.org<mailto:jose@ietf.org>
> Subject: [jose] Platform Support for JWA Crypto Algorithms
>=20
> FYI, I posted the table describing support for the JWA algorithms in =
common Web development platforms that we discussed at IETF 84.  See =
http://self-issued.info/?p=3D884.
>=20
>                                                            -- Mike
>=20
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose


--Apple-Mail=_EC4A02AA-8B30-4776-9E1B-7BB60503AAAF
Content-Disposition: attachment; filename="smime.p7s"
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIFNTCCBTEw
ggMZoAMCAQICAwmYMjANBgkqhkiG9w0BAQUFADB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQL
ExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3Jp
dHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0xMDEyMTQxNzQ3MTlaFw0x
MjEyMTMxNzQ3MTlaMDwxFzAVBgNVBAMTDk1hdHRoZXcgTWlsbGVyMSEwHwYJKoZIhvcNAQkBFhJt
YW1pbGxlMkBjaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7Sh5cQYtd
/kfoG3KjXd8i2esxt+BtHCmuiSku2VECC6msLKzA08cGJ31GfyX7+996TV3D5omh51j5fznfFikk
cVGsuKe+omo70Aidw48ISGygQk8ZJrU8JVVfTjKVJRX39wgj8w8CI/BCz4kXLirIBWKTv1ARuqsO
7I1aqT7pWHAwlAKIbYYEwfz46OjyzmqknglOecy/1PR09nXwAAIepSo0Jk9edqsU8Pdqsbx8cPUV
jlFtVkk+58ORjefl+4BoGrzW24rGG2B04sNPrycNqZEaJLmdk5J9ie/FMV10H8wFW8syomuacPxv
NhoUgNnkYsJiO7zJEKUUmbmW1GPFAgMBAAGjgf4wgfswDAYDVR0TAQH/BAIwADBWBglghkgBhvhC
AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQgb3ZlciB0byBo
dHRwOi8vd3d3LkNBY2VydC5vcmcwQAYDVR0lBDkwNwYIKwYBBQUHAwQGCCsGAQUFBwMCBgorBgEE
AYI3CgMEBgorBgEEAYI3CgMDBglghkgBhvhCBAEwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB
hhZodHRwOi8vb2NzcC5jYWNlcnQub3JnMB0GA1UdEQQWMBSBEm1hbWlsbGUyQGNpc2NvLmNvbTAN
BgkqhkiG9w0BAQUFAAOCAgEAoa/WVlTWG/rbVIFlG1tCdJrbVvIWNfUNSgojunKsoaVGCoIh7T1+
SgWe8sV+r7s5bVlq66iGxTm/qoKMHM9i4aNGlwWDkXqLHoCKbY4qKPGKnn7PaoA6DWQ5u7ZKBkn9
N2fY8iLxiAy/hLnjtRLlbSr2yBX0DbO1K0ORLDwfO2MUf1j2Cou+qVvEmyEe7cUq37iOOsNbtghT
xjn+RE7WJiHcR9deAkfI1xXi7UZcFME+k6nhdnX/qWFFLox0fJJCzX1H8DTzRIjA+ciNLWSG+TRx
s7fAn+YZisJdkGxMcWlHZxSu+ybPjc9T7zCyf4+yFHigdOMNxiQ2k/E9WTJ84xIis2TG3E9Nba9B
PMb6cgjiqGxiFpKKHj9/5A3wDIHZ8dof+M7YFGnHzwF9i72ZEoaO3hMEhAg9LhqGtQtEZohbTZL2
FOeT+8VjUHSOKhEYurQjWrHDj+ZyDjzhOE/KMwqSWokZhoy0s+VQ05BrVlbXd5DJaB/Hem0MdDUc
/6IjqtI6f8O/HLQFAVUQgtW50bfCjDOAB/SaEKzygblcAHxSKDbduRQaRst6cIHEy4eQxvxrHIhg
b2KWZ00jS+7NUnAMOyzIJTcZfV5mkCb8UjMHq9NSChwpBFuDzpXxjU20xJGDvbVWNDwfbITCczph
p4uuhLITzvhHKaUNwxoqx0oxggMzMIIDLwIBATCBgDB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYD
VQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRo
b3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZwIDCZgyMAkGBSsOAwIaBQCg
ggGHMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEyMTAyOTIyMTYy
MFowIwYJKoZIhvcNAQkEMRYEFGX+drBEtUsRp21kgKJxrDF71PJlMIGRBgkrBgEEAYI3EAQxgYMw
gYAweTEQMA4GA1UEChMHUm9vdCBDQTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIw
IAYDVQQDExlDQSBDZXJ0IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0
QGNhY2VydC5vcmcCAwmYMjCBkwYLKoZIhvcNAQkQAgsxgYOggYAweTEQMA4GA1UEChMHUm9vdCBD
QTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0IFNpZ25p
bmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2VydC5vcmcCAwmYMjANBgkq
hkiG9w0BAQEFAASCAQAjILm2DHVh2sda6JcBkMzmCaG5dbSbz4K+b6Pk+V9o3tEEBBCYLqgtjMIN
w6TCazBv1bDcVJ5MDvUZLDONW5kSK8Tnt9zg0JvrwGKAokMdLnH/KhM6UYeQ+YwwiHe7MmZISUw1
zL2JHW8UZkE43IO6IUnJv0qfdpaPL/lzlM9IIAS40ghvsqIwV4v16oAybLprJltWfBvBj6Y5lvYi
4R+gDwXawFwOvyHDm5y1BuxELKPgzBe/J7Yk1g8shNAEZQRL4j0CzmSAJeH8JokHsnfrmufzdos9
ur5TeSma84Df65LgfNMLHD9uvGpsaoA55NedJVVdB6s2lvwfJen0D2b7AAAAAAAA

--Apple-Mail=_EC4A02AA-8B30-4776-9E1B-7BB60503AAAF--