Re: [OAUTH-WG] ECDH-1PU encryption algorithm

Neil Madden <> Tue, 11 August 2020 10:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 988F13A0F7A for <>; Tue, 11 Aug 2020 03:33:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id g005P7WW8x1G for <>; Tue, 11 Aug 2020 03:33:55 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 413E73A0D08 for <>; Tue, 11 Aug 2020 03:33:54 -0700 (PDT)
Received: by with SMTP id a15so10944254wrh.10 for <>; Tue, 11 Aug 2020 03:33:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=DuRkFJYYREwiGTFt/c4p12pxugDeDE0obAjcXppHDVw=; b=fcWmgs12Hz1uifvdgT+1ilrMgy2atwnQXQJJI4rn+hRWR3kvfXZBiqKG49N8RkT9HL OtC5WlTA3yncOVLDyetDnWFzlFpxGoTYmwe9Sqc9Q4Fj9kmeK2SMiMHBfThSAEF5h778 aqYug0clWRhcpU75VVx1ZYxSrxAAfUlpuaCQo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=DuRkFJYYREwiGTFt/c4p12pxugDeDE0obAjcXppHDVw=; b=Bj1MWM4kDRTx1ATr+iPVUQNwybliFFimlt8vDKnZzCrDbyLB4kMRs4mgWu9mKa7e8X cDLvdWLlmLW94+/OyCdQmPmq8Vf3CLku0a6HumA/0CSRwWwobPWRcfwjl4i0ue14S+8K 0htgFOF+/B3aJJm8OzveOgznoe9hgLltOxHDE95VTMkxH7uKMEruQE3qsRUFKNB3EGOm P1jw9Ci92jmwwqoL/jA7LDFUDD+gVwD9l0M6zQD70tNzRl2HeR2UBzoZ1ab1QMGvtlmt jA0JfOg+C7SuGXNm4KpKXXwM3tydZAZOdTgR1v/wFAXpkjIaaybmJ50KHZwM7xewkdS5 N+3g==
X-Gm-Message-State: AOAM530+IOiwtoilBEKv5nIINN6tISjX3zTJzYBqGFiI+Hdx82gEh1EP PYQEN2gCDSTr4gBwHfgFk+3iHFqk2UA=
X-Google-Smtp-Source: ABdhPJyeo9+27uhY2YORYZRjhDpnYAdldY6BFzBlollxamlXH1q8Wteh9/Fmaz2vVLMko1kymhYW0w==
X-Received: by 2002:a5d:46ce:: with SMTP id g14mr30382304wrs.188.1597142032599; Tue, 11 Aug 2020 03:33:52 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id h189sm4118015wme.17.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Aug 2020 03:33:52 -0700 (PDT)
From: Neil Madden <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F2AC836E-18C4-4512-92C3-A64BEE03FF3B"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Tue, 11 Aug 2020 11:33:51 +0100
In-Reply-To: <>
Cc: Vladimir Dzhuvinov <>,
To: "Matthew A. Miller" <>
References: <> <> <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [OAUTH-WG] ECDH-1PU encryption algorithm
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Aug 2020 10:33:59 -0000

I think the SIV draft is well suited to COSE - it shares many similar properties to CCM, which is widely used in embedded/IoT applications (and COSE). The misuse resistance is also particularly appealing in those environments (indeed, I created the draft to support some IoT activity at ForgeRock). For example, Teserakt ( <>) use SIV mode in their IoT platform [1].

The ECDH-1PU draft is also potentially interesting for constrained environments, given that it eliminates the need for a separate signature so would provide a reduction in code size. COSE already has an ECDH-SS mode which is also authenticated, so this would compliment that with some stronger security properties.

I think therefore that the COSE WG could be a natural home, so I will send a message there to see if there is interest and otherwise take them to secdispatch. The drafts can then register identifiers for COSE and JOSE at the same time.

[1]: <> 

— Neil

> On 10 Aug 2020, at 20:39, Matthew A. Miller <> wrote:
> Hi all,
> I have not read these drafts yet, so please forgive me if speaking out
> of turn.
> Speaking as co-chair of COSE WG, we're intermittently discussing a
> recharter, and accepting new algorithms without recharter has consensus
> so far.  Note, though, that the COSE WG is focused on COSE and not JOSE.
> Not to say the work couldn't be done there, but if there's little-to-no
> interest in COSE then it is not likely to make progress.
> Also, if there's not a clear place to progress work, I would strongly
> suggest bringing it up on <>, whose purpose is to find
> homes for new work.
> - m&m
> Matthew A. Miller
> On 20/08/10 11:38, Vladimir Dzhuvinov wrote:
>> On 10/08/2020 11:28, Neil Madden wrote:
>>> Thanks Vladimir,
>>> Responses below
>>>> On 8 Aug 2020, at 10:40, Vladimir Dzhuvinov <> wrote:
>>>> Hi Neil,
>>>> I definitely like the elegance of the proposed alg for JOSE, it provides
>>>> something that isn't currently available in the various classes of algs
>>>> made standard in JOSE.
>>>> I also wanted to ask what's happening with AES SIV for JOSE, if there's
>>>> traction / feedback / support there as well?
>>> Thanks for bringing this up. I’ve not received much feedback about this one, and I haven’t been very good at pushing it. If there is interest then I’d certainly be interested in bringing this forward too. 
>>> That draft might be a better fit for eg the COSE WG though, which could then also register identifiers for JOSE. What do you think?
>> If the COSE is the "proper" WG to get the spec completed and the algs
>> registered, then let it be COSE. We can continue the conversation there.
>> I support both drafts.
>>>> Vladimir
>>>>>> On 05/08/2020 13:01, Neil Madden wrote:
>>>>> Hi all,
>>>>> You may remember me from such I-Ds
>>>>> as, which
>>>>> proposes adding a new encryption algorithm to JOSE. I’d like to
>>>>> reserve a bit of time to discuss it at one of the upcoming interim
>>>>> meetings.
>>>>> The basic idea is that in many cases in OAuth and OIDC you want to
>>>>> ensure both confidentiality and authenticity of some token - for
>>>>> example when transferring an ID token containing PII to the client
>>>>> through the front channel, or for access tokens intended to be handled
>>>>> by a specific RS without online token introspection (such as the JWT
>>>>> access token draft). If you have a shared secret key between the AS
>>>>> and the client/RS then you can use symmetric authenticated encryption
>>>>> (alg=dir or alg=A128KW etc). But if you need to use public key
>>>>> cryptography then currently you are limited to a nested
>>>>> signed-then-encrypted JOSE structure, which produces much larger token
>>>>> sizes.
>>>>> The draft adds a new “public key authenticated encryption” mode based
>>>>> on ECDH in the NIST standard “one-pass unified” model. The primary
>>>>> advantage for OAuth usage is that the tokens produced are more compact
>>>>> compared to signing+encryption (~30% smaller for typical access/ID
>>>>> token sizes in compact serialization). Performance-wise, it’s roughly
>>>>> equivalent. I know that size concerns are often a limiting factor in
>>>>> choosing whether to encrypt tokens, so this should help.
>>>>> In terms of implementation, it’s essentially just a few extra lines of
>>>>> code compared to an ECDH-ES implementation. (Some JOSE library APIs
>>>>> might need an adjustment to accommodate the extra private key needed
>>>>> for encryption/public key for decryption).
>>>>> I’ve received a few emails off-list from people interested in using it
>>>>> for non-OAuth use-cases such as secure messaging applications. I think
>>>>> these use-cases can be accommodated without significant changes, so I
>>>>> think the OAuth WG would be a good venue for advancing this.
>>>>> I’d be interested to hear thoughts and discussion on the list prior to
>>>>> any discussion at an interim meeting.
>>>>> — Neil
>> _______________________________________________
>> OAuth mailing list
>> <>
>> <>
> _______________________________________________
> OAuth mailing list
> <>
> <>