IETF Logo Mail Archive

Re: [Webpush] Major change to encryption

jr conlin <jconlin@mozilla.com> Tue, 01 November 2016 19:46 UTC

Return-Path: <jconlin@mozilla.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AB3B129585 for <webpush@ietfa.amsl.com>; Tue, 1 Nov 2016 12:46:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mozilla.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kn3rXH5cB7ZT for <webpush@ietfa.amsl.com>; Tue, 1 Nov 2016 12:46:23 -0700 (PDT)
Received: from mail-pf0-x22a.google.com (mail-pf0-x22a.google.com [IPv6:2607:f8b0:400e:c00::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EE9D1299AC for <webpush@ietf.org>; Tue, 1 Nov 2016 12:46:23 -0700 (PDT)
Received: by mail-pf0-x22a.google.com with SMTP id i88so6607865pfk.2 for <webpush@ietf.org>; Tue, 01 Nov 2016 12:46:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla.com; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=OEnJY4IxmBwrgpL4VX23OZNkGSdm8khPS8UdnSghrJI=; b=AqcGQWrVREYCASSrPof0Uw/03XeBOVmW4mpa6eKjsCZHocRlhyMJ221RqvT3ovbQpt BsedmUp0lRpJ3e0ZzD3zYYVYWdUFMjWgIHNnJ89zn9GS/SuES3kKuk9OBR5NH/Q1T6C/ TUu6eDN6zjnpnHZ2S0Y/GsRTmdLrIULrUYfYQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=OEnJY4IxmBwrgpL4VX23OZNkGSdm8khPS8UdnSghrJI=; b=NWjUAZLXZotqDyw8Gv2e9gnoL95rFxWg1j56JgFyC7jYyUXH/z/E51qcnEWi3qyhDs AnH6Y8jD8VTPVV5DbqBo4iJStG4tiX0Vi0s78sbklJhVxBaH3aP9a2fDZJT/GlEO4S0+ S6xnzDW2wf6nhImFr5JefD+77MDOuULcHVT1nBER9b+f2NhZ6cPv6wejDABv2sWx7Frc J535k4a8YeQEmo4ZWuynbHyUGLHICNxzL25dMWJw8YWBCZbLI79XhZgsleKVzGT53m5Q LYR5nrI6wI2cmE27m04A5b/RF/Gc2zd4GiUgnZ/tJNYToiOUqhzKOjGQQPTqzl3mtkN8 ZY6g==
X-Gm-Message-State: ABUngvcOGz0zdGkWJQ3xJbPxHQKTNvne3kcvkb4rEJ0JHDlBWDYTGIpe6K6yOwrkiSPJwxkI
X-Received: by 10.99.178.6 with SMTP id x6mr6821783pge.63.1478029582594; Tue, 01 Nov 2016 12:46:22 -0700 (PDT)
Received: from ?IPv6:2620:101:80fc:224:c1ce:f3d9:2ed1:18a1? ([2620:101:80fc:224:c1ce:f3d9:2ed1:18a1]) by smtp.gmail.com with ESMTPSA id k89sm44045777pfg.6.2016.11.01.12.46.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 01 Nov 2016 12:46:21 -0700 (PDT)
To: Costin Manolache <costin@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, Peter Beverloo <beverloo@google.com>
References: <CABkgnnUiLBOGQ6fSTiLcxn_RKbEHFYHzCAv3OMg_btETfKjRGA@mail.gmail.com> <da15e3e3-9d20-7e2c-eceb-d369a3529226@mozilla.com> <CABkgnnVeGAtADwvf_FWKvNDpAtKNVvWpiFAr-LPf47hgHSqiag@mail.gmail.com> <f6bb7ff3-1d6c-3b8c-b956-aaa0c046fd3a@mozilla.com> <CABkgnnUzR747r3VC1DLTqnZJwPvkAoH-SbB+y7-UY0i1Z+fX3A@mail.gmail.com> <CALt3x6nS2+LG6aZPEZL5wPA_c00pCjZ5WswcFqty35weut2rOw@mail.gmail.com> <CABkgnnUSou5xroNP5dppHJOCydErzKm4c6_Z2tw1w2hLhqb6Bg@mail.gmail.com> <CAP8-Fqn7siP7JuguZHipHHsc6Hj7dfai3u3hS8MpjLJOCWqerA@mail.gmail.com>
From: jr conlin <jconlin@mozilla.com>
Message-ID: <84f3da33-a9a4-1bbc-f290-e283cec07c22@mozilla.com>
Date: Tue, 1 Nov 2016 12:46:21 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Thunderbird/51.0a2
MIME-Version: 1.0
In-Reply-To: <CAP8-Fqn7siP7JuguZHipHHsc6Hj7dfai3u3hS8MpjLJOCWqerA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------D9FE41FECCA9B1A9F943684F"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/BlPvhJFty3PVnIUbV7kLRCCsN4c>
Cc: "webpush@ietf.org" <webpush@ietf.org>
Subject: Re: [Webpush] Major change to encryption
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2016 19:46:25 -0000

I'll agree that putting as much crypto in the message would be great.
One thing to note is that when messages are delivered over bridged
connections (like GCM/FCM or APNs) all that added content eats into the
preciously small available delivery content. Particularly when you have
to encode to base64 for JSON envelopes.

We should strive to have as little required "prefix" content as
possible, else folks wind up only able to send a few hundred bytes across.

On 11/1/2016 10:58 AM, Costin Manolache wrote:
> Using the Crypto-Key for vapid is fine with me - I have no problem with 
> keeping it for this purpose, in vapid spec. Or to use Crypto-Key in 
> other specs that deal with key distribution or other things. 
>
> However I still think that for consistency, the dh-public key used for
> decrypting
> the message should be in the binary header, next to salt - maybe even
>  using the 'key id' field ( renamed to 'symmetric key id or public
> key' ). 
> The binary blob should be sufficient to decode the message, if the 
> content-encoding is known, using secrets known to the receiver (
> symmetric 
> key in http case, or EC private key for webpush ).
>
> I think it's important to recognize that client-to-pushservice
> communication
> may use different transports, in addition to http/2 push promises. In
> particular
> it may be layered over Webcoket, newly proposed WiSH, etc - and in many
> cases the implementation will be greatly simplified if the binary blob can
> be sent as-is (after any protocol-specific authentication ).
>
> Costin
>
>
>  
>
> On Mon, Oct 31, 2016 at 4:57 PM Martin Thomson
> <martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>> wrote:
>
>     Hi Peter and JR,
>
>     Thanks both for picking up on my stupid errors.  Hasty is not always
>     careful enough, but I was working to a time limit.  With 5 minutes
>     left, I think that I managed to get all your input integrated.
>
>     And your reminder about vapid was timely.  I think that we can
>     dispense with any attempt to remove Crypto-Key, since we have to have
>     it for vapid anyway.
>
>     Now I need to think about getting the python implementation updated.
>
>     --Martin
>
>     On 1 November 2016 at 10:31, Peter Beverloo <beverloo@google.com
>     <mailto:beverloo@google.com>> wrote:
>     > Hi Martin,
>     >
>     > Thanks for the update and the proposal!
>     >
>     > I've reviewed these today, and have minor some points of
>     feedback. I'll
>     > deliberately avoid the topics of interoperability and upgrade
>     cost here.
>     >
>     > First of all, this indeed vastly improves layering between the
>     drafts. I
>     > very much like how webpush-encryption is now built on top of
>     encryption-
>     > encoding as opposed to being some sort of fork.
>     >
>     >>> A push message MUST include a zero length keyid parameter in the
>     >>> content coding header. This allows implementations to ignore
>     the first
>     >>> 21 octets of a push message.
>     >
>     > I don't think this is right. The `salt` and the `rs` must still
>     be known,
>     > and those are included in the header.
>     >
>     >>> A push service is not required to support more than 4096 octets of
>     >>> payload body (see Section 7.2 of [I-D.ietf-webpush-protocol]),
>     which
>     >>> equates to at most 4059 octets of cleartext.
>     >
>     > I think this forgot about the padding --
>     >
>     >   4096 - 16 (auth) - 2 (padding length) - 21 (header w/o keyid)
>     = 4,057
>     >
>     > May also want to s/cleartext/plaintext/ for consistency with
>     encryption-
>     > encoding.
>     >
>     >>> An Application Server MUST include exactly one aes128gcm content
>     >>> coding, and at most one entry in the Crypto-Key field. This
>     allows the
>     >>> keyid parameter to be omitted.
>     >
>     > This means the draft is incompatible with VAPID again. It must
>     have at
>     > most one Crypto-Key entry that has a `dh` value.
>     >
>     > I haven't yet been able to validate the examples in the draft,
>     but it
>     > sounds like you're changing these anyway per jr's feedback (+1
>     to that).
>     >
>     > Thanks,
>     > Peter
>     >
>     >
>     > On Mon, Oct 31, 2016 at 11:19 PM, Martin Thomson
>     <martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>>
>     > wrote:
>     >>
>     >> On 1 November 2016 at 10:07, jr conlin <jconlin@mozilla.com
>     <mailto:jconlin@mozilla.com>> wrote:
>     >> > One small comment, then? Can we change the transmitted
>     Content-Encoding
>     >> > type to match the new Content-type of "aes128gcm" instead of
>     the long
>     >> > abandoned "aesgcm128"? (See point #4)
>     >>
>     >> Ouch, that's going to hurt.  I'll have to redo the examples :*(  40
>     >> minutes until the deadline, go!
>     >>
>     >> _______________________________________________
>     >> Webpush mailing list
>     >> Webpush@ietf.org <mailto:Webpush@ietf.org>
>     >> https://www.ietf.org/mailman/listinfo/webpush
>     >
>     >
>
>     _______________________________________________
>     Webpush mailing list
>     Webpush@ietf.org <mailto:Webpush@ietf.org>
>     https://www.ietf.org/mailman/listinfo/webpush
>

v2.8.7 | Report a Bug | By Email