Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption
"Jim Schaad" <ietf@augustcellars.com> Sun, 12 February 2012 23:37 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A5C221F86D0 for <jose@ietfa.amsl.com>; Sun, 12 Feb 2012 15:37:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.834
X-Spam-Level:
X-Spam-Status: No, score=-2.834 tagged_above=-999 required=5 tests=[AWL=-0.475, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RqiQW9YYauNS for <jose@ietfa.amsl.com>; Sun, 12 Feb 2012 15:37:04 -0800 (PST)
Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.177]) by ietfa.amsl.com (Postfix) with ESMTP id C77A521F8671 for <jose@ietf.org>; Sun, 12 Feb 2012 15:37:01 -0800 (PST)
Received: from Tobias (exodus.augustcellars.com [207.202.179.27]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp3.pacifier.net (Postfix) with ESMTPSA id 3DD4B38F06; Sun, 12 Feb 2012 15:36:58 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: 'John Bradley' <ve7jtb@ve7jtb.com>
References: <9509AB72-10CC-4BA6-A61C-AD9C4AC7944A@cisco.com> <B26C1EF377CB694EAB6BDDC8E624B6E73A8BEDC2@SN2PRD0304MB235.namprd03.prod.outlook.com> <4E1F6AAD24975D4BA5B16804296739435F7113A8@TK5EX14MBXC285.redmond.corp.microsoft.com> <109CDA9B-7427-4FB5-ADFD-4A72E82E4CAA@cisco.com> <045101cca4c3$87a77b60$96f67220$@augustcellars.com> <32DB7054-1E9F-4BFB-80EC-D5F863C1BB03@ve7jtb.com>
In-Reply-To: <32DB7054-1E9F-4BFB-80EC-D5F863C1BB03@ve7jtb.com>
Date: Sun, 12 Feb 2012 15:36:10 -0800
Message-ID: <01c401cce9df$1d6db690$584923b0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Content-Language: en-us
Thread-index: AQIfXWiGz+BYDGrCkc9B4MZ2d8XmRgGqxNXOAcOgPqsBrEMyFgIUxGhfAb7pkuaVTYq8QA==
Cc: 'Mike Jones' <Michael.Jones@microsoft.com>, jose@ietf.org
Subject: Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Feb 2012 23:37:05 -0000
> -----Original Message----- > From: John Bradley [mailto:ve7jtb@ve7jtb.com] > Sent: Sunday, February 12, 2012 1:41 PM > To: Jim Schaad > Cc: 'David McGrew'; 'Mike Jones'; jose@ietf.org > Subject: Re: [jose] comments on draft-jones-json-web-signature and draft- > jones-json-web-encryption > > Jim, > > I may be missing something. > > The scenario below is using RFC6278 and pre shared EC keys to crate a master > symmetric key to wrap a per message symmetric key used for generating a > HMAC, or to use the master symmetric key to wrap a MAC of the message? It is using static-ephemeral ECDH (or ECDH-ES) to generate a symmetric key which uses A128KW to wrap a symmetric key which is used to MAC the message. > > For EC we only included ECDSA. > > The main difference is that with EC-DH-SS only the intended recipient can > verify the message. Slightly different from the ECDSA case. But not any different from the case of using a pre-shared secret key and a MAC algorithm. This is the current MUST implement. ECDSA is only a SHOULD implement. > > Is the reason for this performance in a embedded environment? In the case I outlined below, yes this is an embedded system. The goal was, in part, to use the fewest possible cryptographic primitives necessary. Since encryption was a requirement, there was already AES and EC shared-secret computation. Using an AES based KDF meant that there are no hash functions. Adding integrity protection as well without adding new primitives was desired. It could use EC + the AES KDF to get a key and AES-CBC (or AES-GMAC) to compute a MAC by adding only modes. > > I think there is a general question about key wrapping vs using the pre- > shared or key agreement value directly. > The current specs lean towards using the values directly rather than for key > wrapping. > > I tend to prefer key wrapping for security, but that depends on people > actually rotating keys, and it makes the minimum message size larger. Actually it is the other way around. Not using key wrapping is more dependent on people actually rotating keys. If one uses a key agreement or key transport to carry the key, then a fresh key is being used for the MAC every time and there is no problems with either forward security or gathering a large number of messages with the same MAC value and being able to do things based on that. So you most likely trading off message size for security depending on the source of the key you are using for the MAC operation. For example if it came from the TLS session then the answer would be different. > > Is key agreement for integrity (signing) common? How common is it to use MACs? In those cases how many people are complaining because the shared keys never get rolled over? No it is not common, what is common is to have no security at all. The next is to have very long term shared keys for doing MACs. One could possibly argue that the entire project is a waste of time since all of these items are sent over a TLS session (or should be) and therefore the integrity of the transfer is already protected. This would mean that you are making for bigger messages by adding a second level of integrity protection. The question is what is the second level of integrity protection trying to protect? Is it trying to be long term or short term? Without knowing what the goals are, it is not possible to say that the answer is actually working correctly. > > John B. > On 2011-11-16, at 9:54 PM, Jim Schaad wrote: > > > Mike, > > > > I think that while the structures for JWS might need to undergo some > changes that will mean that while the MAC and Digital Signature structures. > As I mentioned at the F2F meeting, I know of someone is doing some small > device work where they are sending messages from the devices to more > central locations. In this case there is not a pre-existing shared secret > generally between the two entities and they are not using TLS so they could > not derive one from the session key. Mapping what they do into the current > JWS work would require some changes. Specifically > > > > Header Object > > - contains a MAC algorithm to be used - generally AES-GMAC > > - contains a key wrapping algorithm - generally AES key wrap > > - contains a key agreement algorithm - generally EC-DH > > Key Exchange Value - the CEK wrapped by the KEK where the KEK came > from the static-static EC-DH algorithm > > Body > > MAC value > > > > In this case we have four not three items that need to be placed in the > sequence of items to be sent between the originator and the verifier. I > would still compute the MAC value in much the same way, only I would > compute the MAC over the first three elements instead of the two > elements. > > > > This is the sort of thing that is used in a more store and forward > environment or one where the answer is going to be pre-computed or > where it needs to last longer than just the current session (i.e. later > validation). > > > > The same type of thing can be used for a long term shared KEK value on > both the sender and recipient, where a unique CEK is generated for each > message and wrapped. David would be a better person than I am to address > the question of security. -"Do you have more security by doing an indirection > and have a fresh key for doing the MAC on each operation rather than using > the long term key for doing the MAC." > > > > If we did the above change, then I would say that the "Key Exchange > Value" would become and empty string if you have a key derivied from the > TLS session that you are using - but this would still lead to having four not > three elements in the MAC case. > > > > Jim > > > > > > _______________________________________________ > > jose mailing list > > jose@ietf.org > > https://www.ietf.org/mailman/listinfo/jose
- [jose] comments on draft-jones-json-web-signature… David McGrew
- Re: [jose] comments on draft-jones-json-web-signa… Anthony Nadalin
- Re: [jose] comments on draft-jones-json-web-signa… Mike Jones
- Re: [jose] comments on draft-jones-json-web-signa… Nat Sakimura
- Re: [jose] comments on draft-jones-json-web-signa… David McGrew
- Re: [jose] comments on draft-jones-json-web-signa… Nat Sakimura
- Re: [jose] comments on draft-jones-json-web-signa… John Bradley
- Re: [jose] comments on draft-jones-json-web-signa… Jeremy Laurenson (jlaurens)
- Re: [jose] comments on draft-jones-json-web-signa… Phillip Hallam-Baker
- Re: [jose] comments on draft-jones-json-web-signa… Jim Schaad
- Re: [jose] comments on draft-jones-json-web-signa… Mike Jones
- Re: [jose] comments on draft-jones-json-web-signa… Leif Johansson
- Re: [jose] comments on draft-jones-json-web-signa… Matthew Green
- Re: [jose] comments on draft-jones-json-web-signa… John Bradley
- Re: [jose] comments on draft-jones-json-web-signa… John Bradley
- Re: [jose] comments on draft-jones-json-web-signa… Jim Schaad
- Re: [jose] comments on draft-jones-json-web-signa… John Bradley
- Re: [jose] comments on draft-jones-json-web-signa… Jim Schaad
- Re: [jose] comments on draft-jones-json-web-signa… John Bradley
- Re: [jose] comments on draft-jones-json-web-signa… Jim Schaad
- Re: [jose] comments on draft-jones-json-web-signa… Matthew Green