[secdir] Secdir review of draft-ietf-jose-json-web-algorithms-31

Charlie Kaufman <charliekaufman@outlook.com> Sat, 30 August 2014 07:12 UTC

Return-Path: <charliekaufman@outlook.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 3F1BE1A8830; Sat, 30 Aug 2014 00:12:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.801
X-Spam-Level: *
X-Spam-Status: No, score=1.801 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FREEMAIL_FROM=0.001, GB_SUMOF=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id z5yJ_eKV4bZs; Sat, 30 Aug 2014 00:12:27 -0700 (PDT)
Received: from COL004-OMC3S12.hotmail.com (col004-omc3s12.hotmail.com []) (using TLSv1.2 with cipher AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D39E1A8846; Sat, 30 Aug 2014 00:12:27 -0700 (PDT)
Received: from COL401-EAS183 ([]) by COL004-OMC3S12.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22701); Sat, 30 Aug 2014 00:12:27 -0700
X-TMN: [4kdEvMFsMb+N4Nz6icRmaM0m4+rVph0t]
X-Originating-Email: [charliekaufman@outlook.com]
Message-ID: <COL401-EAS1838D8ED8A7323D3422439EDFD80@phx.gbl>
From: Charlie Kaufman <charliekaufman@outlook.com>
To: <secdir@ietf.org>
Date: Sat, 30 Aug 2014 00:12:25 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0042_01CFC3E7.13FAA9D0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: Ac/EILVlvaO6koWmSBq1KV+ptV1KBQ==
Content-Language: en-us
X-OriginalArrivalTime: 30 Aug 2014 07:12:27.0291 (UTC) FILETIME=[C14AE6B0:01CFC421]
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Z6SxK5P2zR1JfEcjQlhgMONCJn0
Cc: draft-ietf-jose-json-web-algorithms.all@tools.ietf.org, iesg@ietf.org
Subject: [secdir] Secdir review of draft-ietf-jose-json-web-algorithms-31
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Aug 2014 07:12:30 -0000

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.


This document sets the initial IANA registry values for the labels to be
used to specify choices of cryptographic algorithms in the context of the
JSON Web Encryption, JSON Web Signature, and JSON Web Key documents
(parallel I-Ds). Some aspects of how the algorithms are used are specified
here; others aspects reference other documents.


The issues I found with this document (all of which are minor):


Section 3.4 line 4 says Elliptic Curves are generally faster to execute (for
equivalent security) than RSA. While that is true for private key operations
(and even more dramatically so for key generation), it is generally not true
for public key operations. This is a nit in the text since these trade-offs
are well understood.


Section 4.5 Direct Encryption: It might be too late to change existing
implementations, but it generally a good idea when using pre-negotiated keys
to include some key identifier in the header to remove ambiguity in the case
where there are multiple pre-negotiated keys (perhaps because they are in
the process of being updated and they are not atomically updated on both
ends of the connection).


Section 5.1: I don't believe the pairings of AES128/HMAC-SHA256,
AES192/HMAC-SHA384, and AES256/HMAC-SHA512 are "natural" in the sense of
providing equivalent cryptographic strength. Without the HMAC, they would,
but I believe HMAC-SHA256 is generally believed to have 256 bits of
cryptographic strength, making it suitable for pairing with any of the three
AES key sizes. The choices of the longer SHA2 variants are conservative,
however, and so do no harm if these pairings are already in widespread use.


Section 5.2: Similarly, it is not appropriate to have the length of the
Message Authentication Code (MAC) reflect the key length, since it does not
affect cryptographic strength but rather the strength against on-line MAC
guessing attacks. For this purpose, 128 bits is generally considered
adequate for all key sizes and many implementations truncate this to 96 bits
or even 64. Again, the current specification is conservative (if slightly
wasteful of bandwidth), and so does not harm if this is already in
widespread use.


Section says "The number of octets in the input key K is the sum of
MAC_KEY_LEN and ENC_KEY_LEN." I believe it would be better to say something
like "MUST BE the sum". The text goes on to say that the two keys must not
overlap, but it is also important that an implementation not tolerate a gap
between the two keys is a too large key is provided.


Section says the authenticated decryption operation has four
inputs... . I believe it has a fifth: the IV. Alternately, the IV is
pre-pended to the ciphertext (and hence implicitly included in 'E').


Section 5.3 specifies AES/GCM in much less detail than the description of
AES/HMAC in Section 5.2. Is this because the referenced document
[NIST.800-38D] includes all the needed details (like use of PKCS7 padding)?


Section Because of the controversy over NSA allegedly planting
backdoors in the "NIST curves" listed, there is a growing demand that
additional curves be supported. You might want to specify how additional
curves can be specified in-line and/or how to get additional curves added to
the IANA registry.


Section 8.7: I believe the advice in this section is too strong. It is
generally considered secure to encrypt multiple data sets with the same key
so long as the IV is correctly chosen and it is also generally considered
secure to encrypt the same data set with multiple different keys. There are
many scenarios in which this is nearly impossible to avoid. It is important
that when encryption multiple data sets with the same key that the IV be
chosen appropriately - which is very challenging when using GCM as noted in
section 8.4.


Section 8.8: I believe the advice in this section is too weak. It is
generally bad practice to derive cryptographic keys from passwords as
passwords almost never have adequate entropy. Where possible, it would be
better to have a strong (i.e. randomly chosen) cryptographic key associated
with an entity and then use the password to acquire that cryptographic key.
There are a number of means for doing that, including having the strong key
encrypted with the password (or XORed with it) stored someplace the entity
can access it, by having a server that will return the key based on a
provided password, or with a strong password authentication protocol.
Deriving the key from a password using PBES should be a last resort and
demanding a longer password to derive a 256 bit key is only fooling
yourself... you are never likely to get more than 64 bits of entropy.