Re: [Webpush] Major change to encryption

jr conlin <jconlin@mozilla.com> Mon, 31 October 2016 22:47 UTC

To: webpush@ietf.org
References: <CABkgnnUiLBOGQ6fSTiLcxn_RKbEHFYHzCAv3OMg_btETfKjRGA@mail.gmail.com>
From: jr conlin <jconlin@mozilla.com>
Message-ID: <da15e3e3-9d20-7e2c-eceb-d369a3529226@mozilla.com>
Date: Mon, 31 Oct 2016 15:47:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/DQIiB841DthSbKYaIiZ9gwoh4vg>

Perhaps I'm just confused by the various PRs and comments, but if I may,
I'd like to make sure I'm very clear on what the change is:

The crux of the change is:
1) Encrypted content would be identified as "aes128gcm", which should
not be confused with the now, long obsolete "aesgcm128".

2) salt, rs, and key_id are now prefixed to the encrypted content as:
`salt(16)|rs(4)|id_len(1)|key_id(id_len)|encrypted_content`

3) The content encoding key (CEK) is set to
```
HMAC-SHA-256(
    HMAC-SHA-256(salt, key[key_id].secret),
    "Content-Encoding: aes128gcm\x00\x01")
# from section 2.2 of http://httpwg.org/http-extensions/encryption-preview.html
```
The majority case will be that `key_id` is not defined (or is ''), in
which case, we'd use the locally derived key.

4) There's no longer a need for "context" to be appended to the key info
and nonce info, although the Content-Encoding for the new content type
will use the now obsolete "aesgcm128"
https://github.com/martinthomson/encrypted-content-encoding/pull/28/files#diff-6ee19a23c153fa68b2910aeb69bde1ddR213

5) The DH secret is now derived from running an HMAC-SHA-256 over
```
'WebPush: info\x00' + receiverPublicKey + senderPublicKey
```

Is that correct? Am I missing something?

On 10/31/2016 3:38 AM, Martin Thomson wrote:
> Discussion in the HTTP working group has led to some fairly
> substantial changes to the spec that we rely on.  These are breaking
> changes.  See the changes here:
> https://github.com/httpwg/http-extensions/pull/252
>
> In short, several of the parameters that were in header fields are now
> in the body of the message and the Encryption header field is now
> gone.
>
> This completely messes with the use of that spec in Webpush.  It's
> easy to detect which version is in use because the identifier has
> changed, and there are small gains to be had.  The overall message
> size is now slightly smaller, and the key derivation is now slightly
> simpler.  The specs also have fewer interdependencies as a result.
>
> I've put together a revision of the webpush-encryption draft.  I've
> taken this opportunity to simplify things a little.  You can see a
> preview in the editor's draft:
>
>   https://webpush-wg.github.io/webpush-encryption/
>
> I realize that this is a fairly big (and late) change.  I remain
> optimistic that it will be the last. Feedback on the changes is
> positive so far [1].
>
> I plan to submit this doc very soon, ahead of the draft submission
> deadline.  I realize that's short notice, but I'm fully prepared to
> back out this change if necessary.
>
> --Martin
>
> [1] Costin suggested that we might also remove Crypto-Key.  That is
> technically possible, though it's probably excessively kludgy, the DH
> key could be moved to the keyid field.  I'm leery of that sort of
> optimization, but I'm willing to be convinced that this is a special
> enough case (I don't think that it is that special, but have at it).
>
> _______________________________________________
> Webpush mailing list
> Webpush@ietf.org
> https://www.ietf.org/mailman/listinfo/webpush
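The framing and key schedule that items 2, 3 and 5 above describe, as an added worked example. This is not code from the thread, from the webpush-encryption draft or from Mozilla; it is a standard-library-only Python sketch written here using the constants as they were later published in RFC 8188 (aes128gcm: `salt(16) | rs(4) | idlen(1) | keyid`, HKDF with HMAC-SHA-256, CEK info `"Content-Encoding: aes128gcm\x00"`, nonce info `"Content-Encoding: nonce\x00"`, record nonce = base nonce XOR sequence number, rs at least 18) and RFC 8291 (IKM expanded with `"WebPush: info\x00" || ua_public || as_public` after extracting the ECDH secret with the 16-octet auth secret). The nonce derivation, the rs minimum and the auth-secret salt are not stated in the email; they come from those RFCs. Function names, the sample IKM, salt and body bytes are all constructed for the example; the body bytes are opaque stand-ins for AES-GCM output, and the AES-GCM encryption itself, the ECDH exchange and the 0x01/0x02 padding delimiters are deliberately left out, since they need a crypto library rather than hashlib.

```python
import hashlib
import hmac
import struct

# Info strings of the aes128gcm key schedule (RFC 8188) and the Web Push IKM
# derivation (RFC 8291). HKDF-Expand appends the block counter octet 0x01,
# which is the "\x00\x01" tail shown in the email's pseudocode.
CEK_INFO = b"Content-Encoding: aes128gcm\x00"
NONCE_INFO = b"Content-Encoding: nonce\x00"
WEBPUSH_INFO = b"WebPush: info\x00"

MIN_RS = 18                    # a 17-octet record would hold only tag + delimiter, no content
HEADER_FIXED_LEN = 16 + 4 + 1  # salt | rs | idlen
TAG_LEN = 16                   # AES-128-GCM authentication tag


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA-256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand1(prk: bytes, info: bytes, length: int) -> bytes:
    """First HKDF-Expand block only; every output this scheme needs is <= 32 octets."""
    assert 0 < length <= hashlib.sha256().digest_size
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def encode_header(salt: bytes, rs: int, key_id: bytes = b"") -> bytes:
    """Build the aes128gcm body prefix: salt(16) | rs(4) | idlen(1) | keyid."""
    if len(salt) != 16:
        raise ValueError("salt must be exactly 16 octets")
    if not MIN_RS <= rs <= 0xFFFFFFFF:
        raise ValueError("rs out of range")
    if len(key_id) > 255:
        raise ValueError("keyid longer than 255 octets")
    return salt + struct.pack(">I", rs) + bytes([len(key_id)]) + key_id


def parse_header(body: bytes):
    """Split a body into (salt, rs, key_id, records_blob).

    Truncated headers and an rs below the minimum are rejected before any key
    derivation, so a hostile body cannot drive the decryptor into zero-length
    record loops or needless key schedules.
    """
    if len(body) < HEADER_FIXED_LEN:
        raise ValueError("body shorter than fixed header")
    salt = body[:16]
    (rs,) = struct.unpack(">I", body[16:20])
    id_len = body[20]
    end = HEADER_FIXED_LEN + id_len
    if len(body) < end:
        raise ValueError("keyid truncated")
    if rs < MIN_RS:
        raise ValueError("rs below minimum of 18")
    return salt, rs, body[HEADER_FIXED_LEN:end], body[end:]


def split_records(blob: bytes, rs: int):
    """Cut ciphertext into rs-sized records; only the final one may be shorter."""
    if not blob:
        raise ValueError("no records present")
    records = [blob[i:i + rs] for i in range(0, len(blob), rs)]
    if len(records[-1]) <= TAG_LEN:  # must still carry the tag plus a delimiter octet
        raise ValueError("final record too short")
    return records


def derive_record_keys(ikm: bytes, salt: bytes):
    """CEK (16 octets) and base nonce (12 octets) for one body."""
    prk = hkdf_extract(salt, ikm)
    return hkdf_expand1(prk, CEK_INFO, 16), hkdf_expand1(prk, NONCE_INFO, 12)


def record_nonce(nonce_base: bytes, seq: int) -> bytes:
    """Per-record nonce: base nonce XOR the 96-bit big-endian record number."""
    if not 0 <= seq < 2 ** 96:
        raise ValueError("record sequence number out of range")
    return (int.from_bytes(nonce_base, "big") ^ seq).to_bytes(12, "big")


def webpush_ikm(ecdh_secret: bytes, auth_secret: bytes, ua_public: bytes, as_public: bytes) -> bytes:
    """Web Push IKM: extract the ECDH secret with the auth secret as salt, then
    expand with "WebPush: info\\x00" || receiver (UA) key || sender (AS) key."""
    if len(auth_secret) != 16:
        raise ValueError("auth secret must be 16 octets")
    prk_key = hkdf_extract(auth_secret, ecdh_secret)
    return hkdf_expand1(prk_key, WEBPUSH_INFO + ua_public + as_public, 32)


def inspect_body(body: bytes, ikm: bytes):
    """Parse a body and derive CEK and per-record nonces without decrypting."""
    salt, rs, key_id, blob = parse_header(body)
    cek, nonce_base = derive_record_keys(ikm, salt)
    records = split_records(blob, rs)
    nonces = [record_nonce(nonce_base, i) for i in range(len(records))]
    return {"salt": salt, "rs": rs, "key_id": key_id, "cek": cek,
            "nonces": nonces, "records": records}


if __name__ == "__main__":
    # Constructed sample: fixed IKM and salt, empty keyid (the "majority case"
    # from item 3), and two records of opaque bytes standing in for GCM output.
    sample_ikm = bytes(range(32))
    sample_body = encode_header(b"\x11" * 16, 18) + b"\xaa" * 18 + b"\xbb" * 17
    info = inspect_body(sample_body, sample_ikm)
    print("rs", info["rs"], "records", len(info["records"]), "cek", info["cek"].hex())
```

To turn this into a real decryptor, each record in `records` is fed to an AES-128-GCM decrypt (for instance `cryptography.hazmat.primitives.ciphers.aead.AESGCM`) with `cek` and the matching entry of `nonces`, after which the trailing zero padding and the delimiter octet are stripped; `ecdh_secret` for `webpush_ikm` comes from a P-256 ECDH between the sender's ephemeral key and the subscription's key. The rs and final-record checks are the ones worth keeping in production: both catch malformed bodies before any key material is touched.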