[OAUTH-WG] ECDH-1PU encryption algorithm

Neil Madden <neil.madden@forgerock.com> Wed, 05 August 2020 10:02 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id A82B63A1410 for <oauth@ietfa.amsl.com>; Wed, 5 Aug 2020 03:02:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Vb7IwptK972A for <oauth@ietfa.amsl.com>; Wed, 5 Aug 2020 03:01:59 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B39F3A13EC for <oauth@ietf.org>; Wed, 5 Aug 2020 03:01:58 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id f7so40131801wrw.1 for <oauth@ietf.org>; Wed, 05 Aug 2020 03:01:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:mime-version:subject:message-id:date:to; bh=2SLqYBWWpu/U8p2lq/osB4IV9AP7Y4VPpki9+fFrUkk=; b=ipbTAGCo9Ffrz/mETXY0hjLNSZAeJqQSDn3Ec7O2WBBlxXEPrWM/tpv66jwkECbx1+ DB+XIeaNGDjYKWBkB1x40xf+vROd3M2UIfhwYs8tVP6rNWRAJmJVebYq8VP4d8FyRhSX hjDkTTxYJJo4kU0CSocpXQv7EzdVbMIdhzqUc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=2SLqYBWWpu/U8p2lq/osB4IV9AP7Y4VPpki9+fFrUkk=; b=tA27yQxsonF9uYbM5NnH7SBq+Rt38s8t7K3FBZSF88s57Fv1p0V6/IRKAAaDVkjQNp ZOvuC8f5rtBvRlO/ENsUqlZBkPQfxNNubnaCwe44ORPhvJfw6A0OpUjVFIOahFL1B+u/ CGgYrqJydenhdDFvWHmeg61jPDEvk90nipCh1pOOv1DxvbFd7QoJoHlUUlkUb1OEcQdA zH4sfRF3wm674SBLIE7OoVC5UWJrEz8t1wZfMLhzms8DrhAklsQrLPZXvgCIDoQjo9Ce W+Dd+YhmHzbeOf3WlQHjKBLPKyDJ8wR2AGNB+rXUJ6MhWSXFTZDKbvjnn+/4gLNbfrs+ sIpg==
X-Gm-Message-State: AOAM533qYDmq7BbQgEfo5r4eV5Sg9bTL1lsbqgVKaB7AI4HaqztXCE1x 1Vk3ACE3j8XlKJNX2MOD/9EU1AxIAEZkB4g7yn4GIl5NrnF7iV/X4JF/sZQOrw1Nx2OamYhXMh3 16StHSxwJEISgX1USx32OCgNGTaoYI8tp2x+CpHrY7Z0OklVF7KvyZ/kG+N/Tpuc=
X-Google-Smtp-Source: ABdhPJxqJSzia+xi0zd5NyzCGFX6C2LT7IGQYULEbxCdFzrGV8s1m1kFnGxcrEZ0VTx/CpAZJtzItg==
X-Received: by 2002:a5d:6910:: with SMTP id t16mr2229580wru.178.1596621716644; Wed, 05 Aug 2020 03:01:56 -0700 (PDT)
Received: from [] ( []) by smtp.gmail.com with ESMTPSA id y142sm2229301wmd.3.2020. for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 05 Aug 2020 03:01:56 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_655AD172-4341-42B1-8EE1-8D816722FF95"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Message-Id: <0DEE1AC7-2EA7-420F-B0B5-6F96A3D04D1C@forgerock.com>
Date: Wed, 05 Aug 2020 11:01:55 +0100
To: oauth <oauth@ietf.org>
X-Mailer: Apple Mail (2.3608.
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ddNkQjBo9EZ0mbyRuq6p66AGVlI>
Subject: [OAUTH-WG] ECDH-1PU encryption algorithm
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2020 10:02:02 -0000

Hi all,

You may remember me from such I-Ds as https://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-03 <https://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-03>, which proposes adding a new encryption algorithm to JOSE. I’d like to reserve a bit of time to discuss it at one of the upcoming interim meetings.

The basic idea is that in many cases in OAuth and OIDC you want to ensure both confidentiality and authenticity of some token - for example when transferring an ID token containing PII to the client through the front channel, or for access tokens intended to be handled by a specific RS without online token introspection (such as the JWT access token draft). If you have a shared secret key between the AS and the client/RS then you can use symmetric authenticated encryption (alg=dir or alg=A128KW etc). But if you need to use public key cryptography then currently you are limited to a nested signed-then-encrypted JOSE structure, which produces much larger token sizes.

The draft adds a new “public key authenticated encryption” mode based on ECDH in the NIST standard “one-pass unified” model. The primary advantage for OAuth usage is that the tokens produced are more compact compared to signing+encryption (~30% smaller for typical access/ID token sizes in compact serialization). Performance-wise, it’s roughly equivalent. I know that size concerns are often a limiting factor in choosing whether to encrypt tokens, so this should help.

In terms of implementation, it’s essentially just a few extra lines of code compared to an ECDH-ES implementation. (Some JOSE library APIs might need an adjustment to accommodate the extra private key needed for encryption/public key for decryption).

I’ve received a few emails off-list from people interested in using it for non-OAuth use-cases such as secure messaging applications. I think these use-cases can be accommodated without significant changes, so I think the OAuth WG would be a good venue for advancing this.

I’d be interested to hear thoughts and discussion on the list prior to any discussion at an interim meeting.

— Neil