IETF Logo Mail Archive

Re: [Webpush] Major change to encryption

Costin Manolache <costin@gmail.com> Tue, 01 November 2016 18:03 UTC

Return-Path: <costin@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB62F129721 for <webpush@ietfa.amsl.com>; Tue, 1 Nov 2016 11:03:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pp1C30D5G3mT for <webpush@ietfa.amsl.com>; Tue, 1 Nov 2016 11:03:04 -0700 (PDT)
Received: from mail-yb0-x22a.google.com (mail-yb0-x22a.google.com [IPv6:2607:f8b0:4002:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E743F12979D for <webpush@ietf.org>; Tue, 1 Nov 2016 11:03:03 -0700 (PDT)
Received: by mail-yb0-x22a.google.com with SMTP id d128so73313550ybh.2 for <webpush@ietf.org>; Tue, 01 Nov 2016 11:03:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jObHx1jzkyLk1Wp7hLVpyyHpjXepRGHVz0Z8pFNB8QE=; b=02rrZOdds06ZQS5OWQlkSeISFI5rpdcXdVCWPR0SYnzVd/aOt1t6JHjTy8SlpzOm2g rrMRiFVvnrymoFsTbdizCujdWyV7b+IKiXlmrdYDpqbjp0n55teD1AfozIYfPVqQEbv1 +/fkxTt6BPuogpKKBFm6Z6lW4bBJXvRBUXALfrQHNf0a7QQbaDxDYVKDhgIPeFdCfI03 Ja65FagZY17ahjqfbnKYfzHtmn+rypkzZzV/eF5ds7NTb2qMnbLasrcC9RTDPcA0wnMR Tu2MRy/sDiGkqp+8vtFSjuzNqFg5QLG9KQ4EGo8CNv4MynSF5bhvJF/N2suh7j+uDwvu q1Iw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jObHx1jzkyLk1Wp7hLVpyyHpjXepRGHVz0Z8pFNB8QE=; b=EDWYisBPp3jj+38q5Ih0RaQQ5EutRFw4+My3zXw/WLoQiphDxrX+2pmXkQ59R2JZ3a 0vS1d5VBkDsp6UzEc3Qktet4amRdgquHBfJadvJdL2MtN9MQif2XqJEZAa6TyTakIL31 JdK253fb94ppyCHhvFoEMht+ON+Ikk8jKKjETJJJcsLwm5VbScUFkbt837kzzUYzBgtn 8R6FA9CnIXOpS5ZYyMHcCCgCff0nk4jDpYbk1kMx6lr9AGx24JHXK8eLLIH+c87oA+0R NRMlOU3eaRb0KEZaiNfEpYrzLg7s5mTXB3wb9oYVpHQo6Xh1cGYL36nIoFyjjjimI+Le B90w==
X-Gm-Message-State: ABUngvfg/zvFxqPhpUY7FIMNuxB7CWcvL8EfQVZA4bmbsNMIVoZQxCwHDyDbm/zjD18Q4+bl86qslnBeb/KzRQ==
X-Received: by 10.36.28.135 with SMTP id c129mr2088587itc.66.1478023382947; Tue, 01 Nov 2016 11:03:02 -0700 (PDT)
MIME-Version: 1.0
References: <CABkgnnUiLBOGQ6fSTiLcxn_RKbEHFYHzCAv3OMg_btETfKjRGA@mail.gmail.com> <da15e3e3-9d20-7e2c-eceb-d369a3529226@mozilla.com> <CABkgnnVeGAtADwvf_FWKvNDpAtKNVvWpiFAr-LPf47hgHSqiag@mail.gmail.com> <f6bb7ff3-1d6c-3b8c-b956-aaa0c046fd3a@mozilla.com> <CABkgnnUzR747r3VC1DLTqnZJwPvkAoH-SbB+y7-UY0i1Z+fX3A@mail.gmail.com> <CALt3x6nS2+LG6aZPEZL5wPA_c00pCjZ5WswcFqty35weut2rOw@mail.gmail.com> <CABkgnnUSou5xroNP5dppHJOCydErzKm4c6_Z2tw1w2hLhqb6Bg@mail.gmail.com> <CAP8-Fqn7siP7JuguZHipHHsc6Hj7dfai3u3hS8MpjLJOCWqerA@mail.gmail.com>
In-Reply-To: <CAP8-Fqn7siP7JuguZHipHHsc6Hj7dfai3u3hS8MpjLJOCWqerA@mail.gmail.com>
From: Costin Manolache <costin@gmail.com>
Date: Tue, 01 Nov 2016 18:02:52 +0000
Message-ID: <CAP8-FqnzYekO+p_M=LQA2+sZsy_U=b=q7uf_Ke+0ynCMOkHOsQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>, Peter Beverloo <beverloo@google.com>
Content-Type: multipart/alternative; boundary=001a11452876b5e14805404122a6
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/hkDEJjsKmrIXDlEUOy4gev2KlnQ>
Cc: jr conlin <jconlin@mozilla.com>, "webpush@ietf.org" <webpush@ietf.org>
Subject: Re: [Webpush] Major change to encryption
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2016 18:03:08 -0000

I would also add that some of the bugs we've seen in our implementation
were related to parsing and passing along the crypto key. Even for
VAPID I would love to see the sender public key appended to the
Authorization header somehow instead of in a separate Crypto-Key header.

Costin

On Tue, Nov 1, 2016 at 10:58 AM Costin Manolache <costin@gmail.com> wrote:

> Using the Crypto-Key for vapid is fine with me - I have no problem with
> keeping it for this purpose, in vapid spec. Or to use Crypto-Key in
> other specs that deal with key distribution or other things.
>
> However I still think that for consistency, the dh-public key used for
> decrypting
> the message should be in the binary header, next to salt - maybe even
>  using the 'key id' field ( renamed to 'symmetric key id or public key' ).
> The binary blob should be sufficient to decode the message, if the
> content-encoding is known, using secrets known to the receiver ( symmetric
> key in http case, or EC private key for webpush ).
>
> I think it's important to recognize that client-to-pushservice
> communication
> may use different transports, in addition to http/2 push promises. In
> particular
> it may be layered over Webcoket, newly proposed WiSH, etc - and in many
> cases the implementation will be greatly simplified if the binary blob can
> be sent as-is (after any protocol-specific authentication ).
>
> Costin
>
>
>
>
> On Mon, Oct 31, 2016 at 4:57 PM Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
> Hi Peter and JR,
>
> Thanks both for picking up on my stupid errors.  Hasty is not always
> careful enough, but I was working to a time limit.  With 5 minutes
> left, I think that I managed to get all your input integrated.
>
> And your reminder about vapid was timely.  I think that we can
> dispense with any attempt to remove Crypto-Key, since we have to have
> it for vapid anyway.
>
> Now I need to think about getting the python implementation updated.
>
> --Martin
>
> On 1 November 2016 at 10:31, Peter Beverloo <beverloo@google.com> wrote:
> > Hi Martin,
> >
> > Thanks for the update and the proposal!
> >
> > I've reviewed these today, and have minor some points of feedback. I'll
> > deliberately avoid the topics of interoperability and upgrade cost here.
> >
> > First of all, this indeed vastly improves layering between the drafts. I
> > very much like how webpush-encryption is now built on top of encryption-
> > encoding as opposed to being some sort of fork.
> >
> >>> A push message MUST include a zero length keyid parameter in the
> >>> content coding header. This allows implementations to ignore the first
> >>> 21 octets of a push message.
> >
> > I don't think this is right. The `salt` and the `rs` must still be known,
> > and those are included in the header.
> >
> >>> A push service is not required to support more than 4096 octets of
> >>> payload body (see Section 7.2 of [I-D.ietf-webpush-protocol]), which
> >>> equates to at most 4059 octets of cleartext.
> >
> > I think this forgot about the padding --
> >
> >   4096 - 16 (auth) - 2 (padding length) - 21 (header w/o keyid) = 4,057
> >
> > May also want to s/cleartext/plaintext/ for consistency with encryption-
> > encoding.
> >
> >>> An Application Server MUST include exactly one aes128gcm content
> >>> coding, and at most one entry in the Crypto-Key field. This allows the
> >>> keyid parameter to be omitted.
> >
> > This means the draft is incompatible with VAPID again. It must have at
> > most one Crypto-Key entry that has a `dh` value.
> >
> > I haven't yet been able to validate the examples in the draft, but it
> > sounds like you're changing these anyway per jr's feedback (+1 to that).
> >
> > Thanks,
> > Peter
> >
> >
> > On Mon, Oct 31, 2016 at 11:19 PM, Martin Thomson <
> martin.thomson@gmail.com>
> > wrote:
> >>
> >> On 1 November 2016 at 10:07, jr conlin <jconlin@mozilla.com> wrote:
> >> > One small comment, then? Can we change the transmitted
> Content-Encoding
> >> > type to match the new Content-type of "aes128gcm" instead of the long
> >> > abandoned "aesgcm128"? (See point #4)
> >>
> >> Ouch, that's going to hurt.  I'll have to redo the examples :*(  40
> >> minutes until the deadline, go!
> >>
> >> _______________________________________________
> >> Webpush mailing list
> >> Webpush@ietf.org
> >> https://www.ietf.org/mailman/listinfo/webpush
> >
> >
>
> _______________________________________________
> Webpush mailing list
> Webpush@ietf.org
> https://www.ietf.org/mailman/listinfo/webpush
>
>

v2.8.7 | Report a Bug | By Email