Re: [OAUTH-WG] ECDH-1PU encryption algorithm
Neil Madden <neil.madden@forgerock.com> Tue, 11 August 2020 10:33 UTC
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 988F13A0F7A for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2020 03:33:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g005P7WW8x1G for <oauth@ietfa.amsl.com>; Tue, 11 Aug 2020 03:33:55 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 413E73A0D08 for <oauth@ietf.org>; Tue, 11 Aug 2020 03:33:54 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id a15so10944254wrh.10 for <oauth@ietf.org>; Tue, 11 Aug 2020 03:33:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=DuRkFJYYREwiGTFt/c4p12pxugDeDE0obAjcXppHDVw=; b=fcWmgs12Hz1uifvdgT+1ilrMgy2atwnQXQJJI4rn+hRWR3kvfXZBiqKG49N8RkT9HL OtC5WlTA3yncOVLDyetDnWFzlFpxGoTYmwe9Sqc9Q4Fj9kmeK2SMiMHBfThSAEF5h778 aqYug0clWRhcpU75VVx1ZYxSrxAAfUlpuaCQo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=DuRkFJYYREwiGTFt/c4p12pxugDeDE0obAjcXppHDVw=; b=Bj1MWM4kDRTx1ATr+iPVUQNwybliFFimlt8vDKnZzCrDbyLB4kMRs4mgWu9mKa7e8X cDLvdWLlmLW94+/OyCdQmPmq8Vf3CLku0a6HumA/0CSRwWwobPWRcfwjl4i0ue14S+8K 0htgFOF+/B3aJJm8OzveOgznoe9hgLltOxHDE95VTMkxH7uKMEruQE3qsRUFKNB3EGOm P1jw9Ci92jmwwqoL/jA7LDFUDD+gVwD9l0M6zQD70tNzRl2HeR2UBzoZ1ab1QMGvtlmt jA0JfOg+C7SuGXNm4KpKXXwM3tydZAZOdTgR1v/wFAXpkjIaaybmJ50KHZwM7xewkdS5 N+3g==
X-Gm-Message-State: AOAM530+IOiwtoilBEKv5nIINN6tISjX3zTJzYBqGFiI+Hdx82gEh1EP PYQEN2gCDSTr4gBwHfgFk+3iHFqk2UA=
X-Google-Smtp-Source: ABdhPJyeo9+27uhY2YORYZRjhDpnYAdldY6BFzBlollxamlXH1q8Wteh9/Fmaz2vVLMko1kymhYW0w==
X-Received: by 2002:a5d:46ce:: with SMTP id g14mr30382304wrs.188.1597142032599; Tue, 11 Aug 2020 03:33:52 -0700 (PDT)
Received: from [10.0.0.6] (38.227.143.150.dyn.plus.net. [150.143.227.38]) by smtp.gmail.com with ESMTPSA id h189sm4118015wme.17.2020.08.11.03.33.51 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Aug 2020 03:33:52 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <61F896E3-896B-4741-844C-E9205A114948@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F2AC836E-18C4-4512-92C3-A64BEE03FF3B"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 11 Aug 2020 11:33:51 +0100
In-Reply-To: <5ecf3c86-7bdb-2c64-0000-76f354a6beea@outer-planes.net>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth@ietf.org
To: "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
References: <51424c05-3199-0caf-65ea-6d7a4433c9b9@connect2id.com> <A3AC8EAF-97B3-4778-8F3D-206350E7DAD3@forgerock.com> <e8d68d47-54cc-fcb8-9bcf-c1904608b584@connect2id.com> <5ecf3c86-7bdb-2c64-0000-76f354a6beea@outer-planes.net>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/N7FlANW7BTCoXZ5FkE4IOYh6YPc>
Subject: Re: [OAUTH-WG] ECDH-1PU encryption algorithm
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2020 10:33:59 -0000
I think the SIV draft is well suited to COSE - it shares many similar properties to CCM, which is widely used in embedded/IoT applications (and COSE). The misuse resistance is also particularly appealing in those environments (indeed, I created the draft to support some IoT activity at ForgeRock). For example, Teserakt (https://teserakt.io <https://teserakt.io/>) use SIV mode in their IoT platform [1]. The ECDH-1PU draft is also potentially interesting for constrained environments, given that it eliminates the need for a separate signature so would provide a reduction in code size. COSE already has an ECDH-SS mode which is also authenticated, so this would compliment that with some stronger security properties. I think therefore that the COSE WG could be a natural home, so I will send a message there to see if there is interest and otherwise take them to secdispatch. The drafts can then register identifiers for COSE and JOSE at the same time. [1]: https://teserakt-io.github.io/e4-doc/specifications/cryptography-primitives/#authenticated-encryption <https://teserakt-io.github.io/e4-doc/specifications/cryptography-primitives/#authenticated-encryption> — Neil > On 10 Aug 2020, at 20:39, Matthew A. Miller <linuxwolf+ietf@outer-planes.net> wrote: > > Hi all, > > I have not read these drafts yet, so please forgive me if speaking out > of turn. > > Speaking as co-chair of COSE WG, we're intermittently discussing a > recharter, and accepting new algorithms without recharter has consensus > so far. Note, though, that the COSE WG is focused on COSE and not JOSE. > Not to say the work couldn't be done there, but if there's little-to-no > interest in COSE then it is not likely to make progress. > > Also, if there's not a clear place to progress work, I would strongly > suggest bringing it up on secdispatch@ietf.org <mailto:secdispatch@ietf.org>, whose purpose is to find > homes for new work. > > > - m&m > > Matthew A. Miller > On 20/08/10 11:38, Vladimir Dzhuvinov wrote: >> On 10/08/2020 11:28, Neil Madden wrote: >>> Thanks Vladimir, >>> >>> Responses below >>> >>>> On 8 Aug 2020, at 10:40, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote: >>>> >>>> Hi Neil, >>>> >>>> I definitely like the elegance of the proposed alg for JOSE, it provides >>>> something that isn't currently available in the various classes of algs >>>> made standard in JOSE. >>>> >>>> I also wanted to ask what's happening with AES SIV for JOSE, if there's >>>> traction / feedback / support there as well? >>>> >>>> https://tools.ietf.org/html/draft-madden-jose-siv-mode-02 >>> Thanks for bringing this up. I’ve not received much feedback about this one, and I haven’t been very good at pushing it. If there is interest then I’d certainly be interested in bringing this forward too. >>> >>> That draft might be a better fit for eg the COSE WG though, which could then also register identifiers for JOSE. What do you think? >> >> If the COSE is the "proper" WG to get the spec completed and the algs >> registered, then let it be COSE. We can continue the conversation there. >> I support both drafts. >> >>> >>>> Vladimir >>>> >>>> >>>>>> On 05/08/2020 13:01, Neil Madden wrote: >>>>> Hi all, >>>>> You may remember me from such I-Ds >>>>> as https://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-03, which >>>>> proposes adding a new encryption algorithm to JOSE. I’d like to >>>>> reserve a bit of time to discuss it at one of the upcoming interim >>>>> meetings. >>>>> The basic idea is that in many cases in OAuth and OIDC you want to >>>>> ensure both confidentiality and authenticity of some token - for >>>>> example when transferring an ID token containing PII to the client >>>>> through the front channel, or for access tokens intended to be handled >>>>> by a specific RS without online token introspection (such as the JWT >>>>> access token draft). If you have a shared secret key between the AS >>>>> and the client/RS then you can use symmetric authenticated encryption >>>>> (alg=dir or alg=A128KW etc). But if you need to use public key >>>>> cryptography then currently you are limited to a nested >>>>> signed-then-encrypted JOSE structure, which produces much larger token >>>>> sizes. >>>>> The draft adds a new “public key authenticated encryption” mode based >>>>> on ECDH in the NIST standard “one-pass unified” model. The primary >>>>> advantage for OAuth usage is that the tokens produced are more compact >>>>> compared to signing+encryption (~30% smaller for typical access/ID >>>>> token sizes in compact serialization). Performance-wise, it’s roughly >>>>> equivalent. I know that size concerns are often a limiting factor in >>>>> choosing whether to encrypt tokens, so this should help. >>>>> In terms of implementation, it’s essentially just a few extra lines of >>>>> code compared to an ECDH-ES implementation. (Some JOSE library APIs >>>>> might need an adjustment to accommodate the extra private key needed >>>>> for encryption/public key for decryption). >>>>> I’ve received a few emails off-list from people interested in using it >>>>> for non-OAuth use-cases such as secure messaging applications. I think >>>>> these use-cases can be accommodated without significant changes, so I >>>>> think the OAuth WG would be a good venue for advancing this. >>>>> I’d be interested to hear thoughts and discussion on the list prior to >>>>> any discussion at an interim meeting. >>>>> — Neil >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
- [OAUTH-WG] ECDH-1PU encryption algorithm Neil Madden
- Re: [OAUTH-WG] ECDH-1PU encryption algorithm Vladimir Dzhuvinov
- Re: [OAUTH-WG] ECDH-1PU encryption algorithm Dave Tonge
- Re: [OAUTH-WG] ECDH-1PU encryption algorithm Neil Madden
- Re: [OAUTH-WG] ECDH-1PU encryption algorithm Filip Skokan
- Re: [OAUTH-WG] ECDH-1PU encryption algorithm Dick Hardt
- Re: [OAUTH-WG] ECDH-1PU encryption algorithm Mike Jones
- Re: [OAUTH-WG] ECDH-1PU encryption algorithm Vladimir Dzhuvinov
- Re: [OAUTH-WG] ECDH-1PU encryption algorithm Matthew A. Miller
- Re: [OAUTH-WG] ECDH-1PU encryption algorithm Neil Madden
- Re: [OAUTH-WG] ECDH-1PU encryption algorithm Thibault Normand