Re: [Webpush] Major change to encryption
jr conlin <jconlin@mozilla.com> Mon, 31 October 2016 23:07 UTC
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/XF3__fDe9Xk11eOuIRiKG7yq6S4>
Cc: "webpush@ietf.org" <webpush@ietf.org>

One small comment, then? Can we change the transmitted Content-Encoding
type to match the new Content-type of "aes128gcm" instead of the long
abandoned "aesgcm128"? (See point #4) I'm betting that's going to be a
pain point for a number of folks.

On 10/31/2016 4:04 PM, Martin Thomson wrote:
> That is (to the best of my limited ability to check) 100% correct.
>
> On 1 November 2016 at 09:47, jr conlin <jconlin@mozilla.com> wrote:
>> Perhaps I'm just confused by the various PRs and comments, but if I may,
>> I'd like to make sure I'm very clear on what the change is:
>>
>> The crux of the change is:
>> 1) Encrypted content would be identified as "aes128gcm", which should
>> not be confused with the now, long obsolete "aesgcm128".
>>
>> 2) salt, rs, and key_id are now prefixed to the encrypted content as:
>> `salt(16)|rs(4)|id_len(1)|key_id(id_len)|encrypted_content`
>>
>> 3) The content encoding key (CEK) is set to
>> ```
>> HMAC-SHA-256(
>>     HMAC-SHA-256(salt, key[key_id].secret),
>>     "Content-Encoding: aes128gcm\x00\x01")  # from 2.2 of http://httpwg.org/http-extensions/encryption-preview.html
>> ```
>> The majority case will be that `key_id` is not defined (or is ''), in
>> which case, we'd use the locally derived key.
>>
>> 4) There's no longer a need for "context" to be appended to the key info
>> and nonce info, although the Content-Encoding for the new content type
>> will use the now obsolete "aesgcm128"
>> https://github.com/martinthomson/encrypted-content-encoding/pull/28/files#diff-6ee19a23c153fa68b2910aeb69bde1ddR213
>>
>> 5) The DH secret is now derived from running an HMAC-SHA-256 over
>> ```'WebPush: info\x00' + receiverPublicKey + senderPublicKey```
>>
>> Is that correct? Am I missing something?
>>
>> On 10/31/2016 3:38 AM, Martin Thomson wrote:
>>> Discussion in the HTTP working group has led to some fairly
>>> substantial changes to the spec that we rely on. These are breaking
>>> changes. See the changes here:
>>> https://github.com/httpwg/http-extensions/pull/252
>>>
>>> In short, several of the parameters that were in header fields are now
>>> in the body of the message and the Encryption header field is now
>>> gone.
>>>
>>> This completely messes with the use of that spec in Webpush. It's
>>> easy to detect which version is in use because the identifier has
>>> changed, and there are small gains to be had. The overall message
>>> size is now slightly smaller, and the key derivation is now slightly
>>> simpler. The specs also have fewer interdependencies as a result.
>>>
>>> I've put together a revision of the webpush-encryption draft. I've
>>> taken this opportunity to simplify things a little. You can see a
>>> preview in the editor's draft:
>>>
>>> https://webpush-wg.github.io/webpush-encryption/
>>>
>>> I realize that this is a fairly big (and late) change. I remain
>>> optimistic that it will be the last. Feedback on the changes is
>>> positive so far [1].
>>>
>>> I plan to submit this doc very soon, ahead of the draft submission
>>> deadline. I realize that's short notice, but I'm fully prepared to
>>> back out this change if necessary.
>>>
>>> --Martin
>>>
>>> [1] Costin suggested that we might also remove Crypto-Key. That is
>>> technically possible, though it's probably excessively kludgy, the DH
>>> key could be moved to the keyid field. I'm leery of that sort of
>>> optimization, but I'm willing to be convinced that this is a special
>>> enough case (I don't think that it is that special, but have at it).
>>>
>>> _______________________________________________
>>> Webpush mailing list
>>> Webpush@ietf.org
>>> https://www.ietf.org/mailman/listinfo/webpush
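
The body layout from point 2 and the key derivation from point 3 of the quoted summary, as an added Python example that is not part of the original message or of the draft. It assumes `rs` is a big-endian unsigned 32-bit integer and that the AES-128 key is the first 16 bytes of the HMAC output, as in the published RFC 8188; the function names, the `keys` lookup and the sample bytes are constructed here.

```python
import hashlib
import hmac

# Info string exactly as quoted in point 3 of the message.
CEK_INFO = b"Content-Encoding: aes128gcm\x00"


def parse_header(body: bytes):
    """Split salt(16)|rs(4)|id_len(1)|key_id(id_len) from the ciphertext."""
    if len(body) < 21:
        raise ValueError("truncated header: fixed part is 21 bytes")
    salt = body[:16]
    # Assumption: rs is big-endian (network byte order), per RFC 8188.
    rs = int.from_bytes(body[16:20], "big")
    id_len = body[20]
    end = 21 + id_len
    if len(body) < end:
        raise ValueError("id_len points past the end of the body")
    return salt, rs, body[21:end], body[end:]


def derive_cek(salt: bytes, secret: bytes) -> bytes:
    """Nested HMAC from point 3: HKDF extract, then one expand block."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm = hmac.new(prk, CEK_INFO + b"\x01", hashlib.sha256).digest()
    # Assumption: the AES-128 key is the first 16 bytes, per RFC 8188.
    return okm[:16]


def cek_for_body(body: bytes, keys: dict, local_secret: bytes) -> bytes:
    """Pick the secret by key_id; an empty key_id means the local key."""
    salt, _rs, key_id, _ciphertext = parse_header(body)
    if key_id and key_id not in keys:
        raise KeyError("unknown key_id")
    secret = keys[key_id] if key_id else local_secret
    return derive_cek(salt, secret)


# Constructed sample: salt 00..0f, rs=4096, key_id "a1", dummy ciphertext.
SAMPLE = (bytes(range(16)) + (4096).to_bytes(4, "big")
          + b"\x02" + b"a1" + b"\xaa" * 20)

if __name__ == "__main__":
    salt, rs, key_id, _ = parse_header(SAMPLE)
    print(rs, key_id, cek_for_body(SAMPLE, {b"a1": b"k" * 16}, b"").hex())
```

Because `id_len` comes from the sender, the bounds check in `parse_header` is what keeps a short or malformed body from being sliced into a silently truncated `key_id`.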