Re: [Webpush] Major change to encryption

Hi jr,

Your understanding matches mine too.

On Mon, Oct 31, 2016 at 10:47 PM, jr conlin <jconlin@mozilla.com> wrote:

> Perhaps I'm just confused by the various PRs and comments, but if I may,
> i'd like to make sure I'm very clear on what the change is:
>
> The crux of the change is:
> 1) Encrypted content would be identified as "aes128gcm", which should
> not be confused with the now, long obsolete "aesgcm128".
>
> 2) salt, rs, and key_id are now prefixed to the encrypted content as:
> `salt(16)|rs(4)|id_len(1)|key_id(id_len)|encrypted_content`
>
> 3) The content encoding key (CEK) is set to
> ```
> HMAC-SHA-256(
>     HMAC-SHA-256(salt, key[key_id].secret),
>     "Content-Encoding: aes128gcm\x00\x01")  # from 2.2 of
> http://httpwg.org/http-extensions/encryption-preview.html
> ```
>

Yes, if key[key_id].secret contains the IKM that has already seen the
HMAC with the "WebPush: info" info (the context replacement).

   PRK_key = HMAC-SHA-256(auth_secret, ecdh_secret)
   key_info = "WebPush: info" || 0x00 || ua_public || as_public
   IKM = HMAC-SHA-256(PRK_cek, key_info || 0x01)

(So it's not just the shared ECDH secret.)

The majority case will be that `key_id` is not defined (or is ''), in
> which case, we'd use the locally derived key.
>

To be clear, section 4 of webpush-encryption mandates that the `id` field
in the header is the empty string.

Thanks,
Peter

>
> 4) There's no longer a need for "context" to be appended to the key info
> and nonce info, although the Content-Encoding for the new content type
> will use the now obsolete "aesgcm128"
> https://github.com/martinthomson/encrypted-content-encoding/pull/28/
> files#diff-6ee19a23c153fa68b2910aeb69bde1ddR213
>
> 5) The DH secret is now derived from running an HMAC-SHA-256 over
> ```'WebPush: info\x00' + receiverPublicKey + senderPublicKey```
>
> Is that correct? Am I missing something?
>
> On 10/31/2016 3:38 AM, Martin Thomson wrote:
> > Discussion in the HTTP working group has lead to some fairly
> > substantial changes to the spec that we rely on.  These are breaking
> > changes.  See the changes here:
> > https://github.com/httpwg/http-extensions/pull/252
> >
> > In short, several of the parameters that were in header fields are now
> > in the body of the message and the Encryption header field is now
> > gone.
> >
> > This completely messes with the use of that spec in Webpush.  It's
> > easy to detect which version is in use because the identifier has
> > changed, and there are small gains to be had.  The overall message
> > size is now slightly smaller, and the key derivation is now slightly
> > simpler.  The specs also have fewer interdependencies as a result.
> >
> > I've put together a revision of the webpush-encryption draft.  I've
> > taken this opportunity to simplify things a little.  You can see a
> > preview in the editor's draft:
> >
> >   https://webpush-wg.github.io/webpush-encryption/
> >
> > I realize that this is a fairly big (and late) change.  I remain
> > optimistic that it will be the last. Feedback on the changes are
> > positive so far [1].
> >
> > I plan to submit this doc very soon, ahead of the draft submission
> > deadline.  I realize that's short notice, but I'm fully prepared to
> > back out this change if necessary.
> >
> > --Martin
> >
> > [1] Costin suggested that we might also remove Crypto-Key.  That is
> > technically possible, though it's probably excessively kludgy, the DH
> > key could be moved to the keyid field.  I'm leery of that sort of
> > optimization, but I'm willing to be convinced that this is a special
> > enough case (I don't think that it is that special, but have at it).
> >
> > _______________________________________________
> > Webpush mailing list
> > Webpush@ietf.org
> > https://www.ietf.org/mailman/listinfo/webpush
>
>
> _______________________________________________
> Webpush mailing list
> Webpush@ietf.org
> https://www.ietf.org/mailman/listinfo/webpush
>