Re: [Webpush] Major change to encryption
Costin Manolache <costin@gmail.com> Wed, 02 November 2016 01:01 UTC
Return-Path: <costin@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C68AE129438 for <webpush@ietfa.amsl.com>; Tue, 1 Nov 2016 18:01:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wt2Es8cyeGRB for <webpush@ietfa.amsl.com>; Tue, 1 Nov 2016 18:01:06 -0700 (PDT)
Received: from mail-it0-x230.google.com (mail-it0-x230.google.com [IPv6:2607:f8b0:4001:c0b::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 371EE127078 for <webpush@ietf.org>; Tue, 1 Nov 2016 18:01:06 -0700 (PDT)
Received: by mail-it0-x230.google.com with SMTP id e187so13206645itc.0 for <webpush@ietf.org>; Tue, 01 Nov 2016 18:01:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Xe6O3nC+NqfW5qE/fDxGMJktGYSYxx6T5UFQbOucoKM=; b=ZugKe91eFN6EszjX5nQWeA6OOLGaly6fw6xuAhVTT6qA0gml76HuIA52cHlIgAA8C+ 2Mk9gn7B5nch/x1QZ4sEVrs1jMFoWTMzsZiZUPo3vm/0t+PwGfxfSdwM9ChfudWvojFt LDuaC1DtQRUeMIPg9hWCjGXmJnLRBenX6dB9n2ekzc7GQtvyiRSNfIfSlZaSy377nzQW 990M5rknqM7xPfOfrD0v3LI0fBzWWi3xWUm/tex4PG3i2pDOJ/EWnHEoipJAWCADBPr6 xz8V7uipMfB3h/Kc4WPbeNIop0ihz+7PGegP1pljWhnAF9rwjsCc2/vazvEJma0Wiz5I SIMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Xe6O3nC+NqfW5qE/fDxGMJktGYSYxx6T5UFQbOucoKM=; b=h3aH0BN6iYleteLEN1r6jZ+UvSbBOvPan8CwYKywMKkAtmFW4y3nOCDeWYP32ttpd2 q4FJ8wZmIgTmryblov+FSdLlsjcN+AejtRkcMrYAfGXWlN39K2tFjoMsA543h5Wkqzz5 pP4jhJaJxlgs6EGDqlLjkZ44AxWrFQQn9PsbpWILBWA2FUUcl3KZ43+lS5zKkZxleJHX RAAHwQue3S5ZQuf9foFea61wWSwlOZmRbBJYyxNcE4uHGZozi2ko7qXCwG7oxhSotxeu dZToMEKSNDZ8iUrNULCkLSO327TqybsPVV1i+Nqg3L4PyTx0kGosybm9EZxarmc6tqDb iz3g==
X-Gm-Message-State: ABUngvfULlccnvAdaXVY5j2xjGaLIQkF7aoxYelW9RfvKng5qtAOQczxajC3SPKsImnnDU7ldZ7aBRQgkpl7+Q==
X-Received: by 10.36.28.135 with SMTP id c129mr599189itc.66.1478048465551; Tue, 01 Nov 2016 18:01:05 -0700 (PDT)
MIME-Version: 1.0
References: <CABkgnnUiLBOGQ6fSTiLcxn_RKbEHFYHzCAv3OMg_btETfKjRGA@mail.gmail.com> <da15e3e3-9d20-7e2c-eceb-d369a3529226@mozilla.com> <CABkgnnVeGAtADwvf_FWKvNDpAtKNVvWpiFAr-LPf47hgHSqiag@mail.gmail.com> <f6bb7ff3-1d6c-3b8c-b956-aaa0c046fd3a@mozilla.com> <CABkgnnUzR747r3VC1DLTqnZJwPvkAoH-SbB+y7-UY0i1Z+fX3A@mail.gmail.com> <CALt3x6nS2+LG6aZPEZL5wPA_c00pCjZ5WswcFqty35weut2rOw@mail.gmail.com> <CABkgnnUSou5xroNP5dppHJOCydErzKm4c6_Z2tw1w2hLhqb6Bg@mail.gmail.com> <CAP8-Fqn7siP7JuguZHipHHsc6Hj7dfai3u3hS8MpjLJOCWqerA@mail.gmail.com> <84f3da33-a9a4-1bbc-f290-e283cec07c22@mozilla.com>
In-Reply-To: <84f3da33-a9a4-1bbc-f290-e283cec07c22@mozilla.com>
From: Costin Manolache <costin@gmail.com>
Date: Wed, 02 Nov 2016 01:00:54 +0000
Message-ID: <CAP8-Fqk+suz9YpFKbdTa42nUfknWfPH-M017UjRjV2oLxUZKjQ@mail.gmail.com>
To: jr conlin <jconlin@mozilla.com>, Martin Thomson <martin.thomson@gmail.com>, Peter Beverloo <beverloo@google.com>
Content-Type: multipart/alternative; boundary="001a11452876c006f4054046f9ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/0dM_PIPgUi5T1q_zarf2t1naNH0>
Cc: "webpush@ietf.org" <webpush@ietf.org>
Subject: Re: [Webpush] Major change to encryption
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Nov 2016 01:01:09 -0000
Yes, when sending over GCM it's better to have the 65bytes of the key in the binary prefix of the "raw_data" byte[] instead of having to add another key/value pair, with the b64 encoding and proto overhead. But it's an optimization - not the main reason :-). A nice extra benefit is that browsers on android could dispatch the message based on the raw_data only, since the EC public key can identify the app/SW. Costin On Tue, Nov 1, 2016 at 12:46 PM jr conlin <jconlin@mozilla.com> wrote: > I'll agree that putting as much crypto in the message would be great. One > thing to note is that when messages are delivered over bridged connections > (like GCM/FCM or APNs) all that added content eats into the preciously > small available delivery content. Particularly when you have to encode to > base64 for JSON envelopes. > > We should strive to have as little required "prefix" content as possible, > else folks wind up only able to send a few hundred bytes across. > > > On 11/1/2016 10:58 AM, Costin Manolache wrote: > > Using the Crypto-Key for vapid is fine with me - I have no problem with > keeping it for this purpose, in vapid spec. Or to use Crypto-Key in > other specs that deal with key distribution or other things. > > However I still think that for consistency, the dh-public key used for > decrypting > the message should be in the binary header, next to salt - maybe even > using the 'key id' field ( renamed to 'symmetric key id or public key' ). > The binary blob should be sufficient to decode the message, if the > content-encoding is known, using secrets known to the receiver ( symmetric > key in http case, or EC private key for webpush ). > > I think it's important to recognize that client-to-pushservice > communication > may use different transports, in addition to http/2 push promises. In > particular > it may be layered over Webcoket, newly proposed WiSH, etc - and in many > cases the implementation will be greatly simplified if the binary blob can > be sent as-is (after any protocol-specific authentication ). > > Costin > > > > > On Mon, Oct 31, 2016 at 4:57 PM Martin Thomson <martin.thomson@gmail.com> > wrote: > > Hi Peter and JR, > > Thanks both for picking up on my stupid errors. Hasty is not always > careful enough, but I was working to a time limit. With 5 minutes > left, I think that I managed to get all your input integrated. > > And your reminder about vapid was timely. I think that we can > dispense with any attempt to remove Crypto-Key, since we have to have > it for vapid anyway. > > Now I need to think about getting the python implementation updated. > > --Martin > > On 1 November 2016 at 10:31, Peter Beverloo <beverloo@google.com> wrote: > > Hi Martin, > > > > Thanks for the update and the proposal! > > > > I've reviewed these today, and have minor some points of feedback. I'll > > deliberately avoid the topics of interoperability and upgrade cost here. > > > > First of all, this indeed vastly improves layering between the drafts. I > > very much like how webpush-encryption is now built on top of encryption- > > encoding as opposed to being some sort of fork. > > > >>> A push message MUST include a zero length keyid parameter in the > >>> content coding header. This allows implementations to ignore the first > >>> 21 octets of a push message. > > > > I don't think this is right. The `salt` and the `rs` must still be known, > > and those are included in the header. > > > >>> A push service is not required to support more than 4096 octets of > >>> payload body (see Section 7.2 of [I-D.ietf-webpush-protocol]), which > >>> equates to at most 4059 octets of cleartext. > > > > I think this forgot about the padding -- > > > > 4096 - 16 (auth) - 2 (padding length) - 21 (header w/o keyid) = 4,057 > > > > May also want to s/cleartext/plaintext/ for consistency with encryption- > > encoding. > > > >>> An Application Server MUST include exactly one aes128gcm content > >>> coding, and at most one entry in the Crypto-Key field. This allows the > >>> keyid parameter to be omitted. > > > > This means the draft is incompatible with VAPID again. It must have at > > most one Crypto-Key entry that has a `dh` value. > > > > I haven't yet been able to validate the examples in the draft, but it > > sounds like you're changing these anyway per jr's feedback (+1 to that). > > > > Thanks, > > Peter > > > > > > On Mon, Oct 31, 2016 at 11:19 PM, Martin Thomson < > martin.thomson@gmail.com> > > wrote: > >> > >> On 1 November 2016 at 10:07, jr conlin <jconlin@mozilla.com> wrote: > >> > One small comment, then? Can we change the transmitted > Content-Encoding > >> > type to match the new Content-type of "aes128gcm" instead of the long > >> > abandoned "aesgcm128"? (See point #4) > >> > >> Ouch, that's going to hurt. I'll have to redo the examples :*( 40 > >> minutes until the deadline, go! > >> > >> _______________________________________________ > >> Webpush mailing list > >> Webpush@ietf.org > >> https://www.ietf.org/mailman/listinfo/webpush > > > > > > _______________________________________________ > Webpush mailing list > Webpush@ietf.org > https://www.ietf.org/mailman/listinfo/webpush > > >
- [Webpush] Major change to encryption Martin Thomson
- Re: [Webpush] Major change to encryption Costin Manolache
- Re: [Webpush] Major change to encryption jr conlin
- Re: [Webpush] Major change to encryption Martin Thomson
- Re: [Webpush] Major change to encryption jr conlin
- Re: [Webpush] Major change to encryption Martin Thomson
- Re: [Webpush] Major change to encryption Peter Beverloo
- Re: [Webpush] Major change to encryption Peter Beverloo
- Re: [Webpush] Major change to encryption Martin Thomson
- Re: [Webpush] Major change to encryption Costin Manolache
- Re: [Webpush] Major change to encryption Costin Manolache
- Re: [Webpush] Major change to encryption jr conlin
- Re: [Webpush] Major change to encryption Costin Manolache
- Re: [Webpush] Major change to encryption Martin Thomson
- Re: [Webpush] Major change to encryption JR Conlin
- Re: [Webpush] Major change to encryption Martin Thomson
- Re: [Webpush] Major change to encryption Costin Manolache
- Re: [Webpush] Major change to encryption Costin Manolache
- Re: [Webpush] Major change to encryption Martin Thomson