IETF Logo Mail Archive

Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption

John Bradley <ve7jtb@ve7jtb.com> Mon, 13 February 2012 00:26 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BC9F21F871E for <jose@ietfa.amsl.com>; Sun, 12 Feb 2012 16:26:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.392
X-Spam-Level:
X-Spam-Status: No, score=-3.392 tagged_above=-999 required=5 tests=[AWL=0.207, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cXhe5a56qHl5 for <jose@ietfa.amsl.com>; Sun, 12 Feb 2012 16:26:24 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2E5E021F8721 for <jose@ietf.org>; Sun, 12 Feb 2012 16:26:24 -0800 (PST)
Received: by yenm3 with SMTP id m3so2468848yen.31 for <jose@ietf.org>; Sun, 12 Feb 2012 16:26:23 -0800 (PST)
Received: by 10.236.136.99 with SMTP id v63mr17228393yhi.46.1329092783711; Sun, 12 Feb 2012 16:26:23 -0800 (PST)
Received: from [192.168.1.213] (186-107-148-253.baf.movistar.cl. [186.107.148.253]) by mx.google.com with ESMTPS id a14sm32237107ana.20.2012.02.12.16.26.21 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 12 Feb 2012 16:26:22 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_E7810CD4-77F1-457C-A105-F4FCE765E90B"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <01cd01cce9e4$9961f1d0$cc25d570$@augustcellars.com>
Date: Sun, 12 Feb 2012 21:26:18 -0300
Message-Id: <E37C290E-40DE-4258-A4EB-8254968CC7AD@ve7jtb.com>
References: <9509AB72-10CC-4BA6-A61C-AD9C4AC7944A@cisco.com> <B26C1EF377CB694EAB6BDDC8E624B6E73A8BEDC2@SN2PRD0304MB235.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739435F7113A8@TK5EX14MBXC285.redmond.corp.microsoft.com> <109CDA9B-7427-4FB5-ADFD-4A72E82E4CAA@cisco.com> <045101cca4c3$87a77b60$96f67220$@augustcellars.com> <32DB7054-1E9F-4BFB-80EC-D5F863C1BB03@ve7jtb.com> <01c401cce9df$1d6db690$584923b0$@augustcellars.com> <2C03AE7C-C9E0-4373-AC95-B265C2F16646@ve7jtb.com> <01cd01cce9e4$9961f1d0$cc25d570$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQkuxowuXe+P6A5ytlv0Zu+OJGukGJTWjeTjIbWd9LkHu5WH/NikUAmchJfza7wFgkDLpFyM
Cc: 'Mike Jones' <Michael.Jones@microsoft.com>, jose@ietf.org
Subject: Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2012 00:26:25 -0000

I can see adding ECDH-SS for both signing and encryption.   It gets you both at the same time sort of.

Is there a problem with reusing the KDF from ECDH-ES?

I think I see what you are after now.

John B.
On 2012-02-12, at 9:15 PM, Jim Schaad wrote:

> 
> 
>> -----Original Message-----
>> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>> Sent: Sunday, February 12, 2012 4:05 PM
>> To: Jim Schaad
>> Cc: 'Mike Jones'; jose@ietf.org
>> Subject: Re: [jose] comments on draft-jones-json-web-signature and draft-
>> jones-json-web-encryption
>> 
>> 
>> On 2012-02-12, at 8:36 PM, Jim Schaad wrote:
>> 
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: John Bradley [mailto:ve7jtb@ve7jtb.com]
>>>> Sent: Sunday, February 12, 2012 1:41 PM
>>>> To: Jim Schaad
>>>> Cc: 'David McGrew'; 'Mike Jones'; jose@ietf.org
>>>> Subject: Re: [jose] comments on draft-jones-json-web-signature and
>> draft-
>>>> jones-json-web-encryption
>>>> 
>>>> Jim,
>>>> 
>>>> I may be missing something.
>>>> 
>>>> The scenario below is using RFC6278 and pre shared EC keys to crate a
>>> master
>>>> symmetric key to wrap a per message symmetric key used for generating
>> a
>>>> HMAC, or to use the master symmetric key to wrap a MAC of the
>> message?
>>> 
>>> It is using static-ephemeral ECDH (or ECDH-ES) to generate a symmetric
> key
>>> which uses A128KW to wrap a symmetric key which is used to MAC the
>> message.
>> 
>> Ah OK you had static static that confused me.  We do have ECDSA-ES for
>> encryption, but hadn't thought about it for signing, because it is more
>> integrity, without knowing the identity of the originator.
> 
> Yeah - I forgot - it depends on if you want to know who sent it.  If you
> want to know who sent it then you need to use static-static.  But that is
> completely orthogonal to the rest of the argument.
> 
>> 
>>> 
>>>> 
>>>> For EC we only included ECDSA.
>>>> 
>>>> The main difference is that with EC-DH-SS only the intended recipient
> can
>>>> verify the message.  Slightly different from the ECDSA case.
>>> 
>>> But not any different from the case of using a pre-shared secret key and
> a
>>> MAC algorithm.  This is the current MUST implement.  ECDSA is only a
>> SHOULD
>>> implement.
>> 
>> I don't know that we are going to get more agreement on ECDH-ES being a
>> MUST than ECDSA.
> 
> I am not saying that it needs to be a MUST - but the current structure does
> not support it in any fashion.
> 
>> 
>>> 
>>>> 
>>>> Is the reason for this performance in a embedded environment?
>>> 
>>> In the case I outlined below, yes this is an embedded system.  The goal
>> was,
>>> in part, to use the fewest possible cryptographic primitives necessary.
>>> Since encryption was a requirement, there was already AES and EC
>>> shared-secret computation.  Using an AES based KDF meant that there are
>> no
>>> hash functions.  Adding integrity protection as well without adding new
>>> primitives was desired.  It could use EC + the AES KDF to get a key and
>>> AES-CBC (or AES-GMAC) to compute a MAC by adding only modes.
>> 
>> In your original post I missed that the body was encrypted, I thought you
>> were only encrypting the key.
> 
> In this case I am not encrypting the body.  I am only doing an
> authentication operation.  What I am looking at is the number of primitives
> that are required for the sender to be able to do both operations.
> 
>> 
>> Generating a unauthenticated integrity check.
>> 
>> If we are talking about Encryption then ECDH-ES with AES-GWC in the
>> existing spec works.
>> We do need to add the MAC integrity check to support CBC.
>> 
>> Again in ECDH-ES only the recipient is authenticated.
>> 
>>> 
>>>> 
>>>> I think there is a general question about key wrapping vs using the
> pre-
>>>> shared or key agreement value directly.
>>>> The current specs lean towards using the values directly rather than
> for
>>> key
>>>> wrapping.
>>>> 
>>>> I tend to prefer key wrapping for security,  but that depends on people
>>>> actually rotating keys, and it makes the minimum message size larger.
>>> 
>>> Actually it is the other way around.  Not using key wrapping is more
>>> dependent on people actually rotating keys.  If one uses a key agreement
>> or
>>> key transport to carry the key, then a fresh key is being used for the
> MAC
>>> every time and there is no problems with either forward security or
>>> gathering a large number of messages with the same MAC value and being
>> able
>>> to do things based on that.  So you most likely trading off message size
> for
>>> security depending on the source of the key you are using for the MAC
>>> operation.   For example if it came from the TLS session then the answer
>>> would be different.
>> 
>> My confidence in people using a fresh key for the MAC each time in
>> wrapping is less than yours.
>> I admit encouraging them to do the right thing is probably the best,
> rather
>> than optimizing for there potential mistakes.
>> 
> 
> There are a lot of things people can do that is bad.  That does not mean we
> should discourage those that want to do it correctly.
> 
>> 
>>> 
>>>> 
>>>> Is key agreement for integrity (signing) common?
>>> 
>>> How common is it to use MACs?  In those cases how many people are
>>> complaining because the shared keys never get rolled over?  No it is not
>>> common, what is common is to have no security at all.  The next is to
> have
>>> very long term shared keys for doing MACs.
>>> 
>>> One could possibly argue that the entire project is a waste of time
> since
>>> all of these items are sent over a TLS session (or should be) and
> therefore
>>> the integrity of the transfer is already protected.  This would mean
> that
>>> you are making for bigger messages by adding a second level of integrity
>>> protection.  The question is what is the second level of integrity
>>> protection trying to protect?  Is it trying to be long term or short
> term?
>>> Without knowing what the goals are, it is not possible to say that the
>>> answer is actually working correctly.
>>> 
>> In general with HMAC type integrity checks people infer the identity of
> the
>> originator through the possession of the long term secret.
>> 
>> The scenario you present seems to not care about the identity of the
>> originator.
> 
> See above note - It actually does use a static-static.  But as I can easily
> add to that to the list of "private" algorithms this is not a stumbling
> block.  Note that if you look at the above I needed to add a new ECDH
> algorithm in any event since I am not using the standard KDF function.
> 
> Jim
> 
>> 
>> Sorry if the questions are simple.
>> I am just trying to understand the use case.
>> 
>> John B.
>> 
>>>> 
>>>> John B.
>>>> On 2011-11-16, at 9:54 PM, Jim Schaad wrote:
>>>> 
>>>>> Mike,
>>>>> 
>>>>> I think that while the structures for JWS might need to undergo some
>>>> changes that will mean that while the MAC and Digital Signature
>>> structures.
>>>> As I mentioned at the F2F meeting, I know of someone is doing some
>> small
>>>> device work where they are sending messages from the devices to more
>>>> central locations.  In this case there is not a pre-existing shared
> secret
>>>> generally between the two entities and they are not using TLS so they
>>> could
>>>> not derive one from the session key.  Mapping what they do into the
>>> current
>>>> JWS work would require some changes. Specifically
>>>>> 
>>>>> Header Object
>>>>> - contains a MAC algorithm to be used - generally AES-GMAC
>>>>> - contains a key wrapping algorithm - generally AES key wrap
>>>>> - contains a key agreement algorithm - generally EC-DH
>>>>> Key Exchange Value - the CEK wrapped by the KEK where the KEK came
>>>> from the static-static EC-DH algorithm
>>>>> Body
>>>>> MAC value
>>>>> 
>>>>> In this case we have four not three items that need to be placed in
> the
>>>> sequence of items to be sent between the originator and the verifier.
> I
>>>> would still compute the MAC value in much the same way, only I would
>>>> compute the MAC over the first three elements instead of the two
>>>> elements.
>>>>> 
>>>>> This is the sort of thing that is used in a more store and forward
>>>> environment or one where the answer is going to be pre-computed or
>>>> where it needs to last longer than just the current session (i.e. later
>>>> validation).
>>>>> 
>>>>> The same type of thing can be used for a long term shared KEK value on
>>>> both the sender and recipient, where a unique CEK is generated for each
>>>> message and wrapped.  David would be a better person than I am to
>> address
>>>> the question of security.  -"Do you have more security by doing an
>>> indirection
>>>> and have a fresh key for doing the MAC on each operation rather than
>> using
>>>> the long term key for doing the MAC."
>>>>> 
>>>>> If we did the above change, then I would say that the "Key Exchange
>>>> Value" would become and empty string if you have a key derivied from
>> the
>>>> TLS session that you are using - but this would still lead to having
> four
>>> not
>>>> three elements in the MAC case.
>>>>> 
>>>>> Jim
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> jose mailing list
>>>>> jose@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/jose
>>> 
>>> 
> 
>

v2.23.0 | Report a Bug | By Email