Re: [Webpush] Major change to encryption
Martin Thomson <martin.thomson@gmail.com> Mon, 31 October 2016 23:05 UTC
That is (to the best of my limited ability to check) 100% correct.

On 1 November 2016 at 09:47, jr conlin <jconlin@mozilla.com> wrote:
> Perhaps I'm just confused by the various PRs and comments, but if I may,
> I'd like to make sure I'm very clear on what the change is:
>
> The crux of the change is:
> 1) Encrypted content would be identified as "aes128gcm", which should
> not be confused with the now, long obsolete "aesgcm128".
>
> 2) salt, rs, and key_id are now prefixed to the encrypted content as:
> `salt(16)|rs(4)|id_len(1)|key_id(id_len)|encrypted_content`
>
> 3) The content encoding key (CEK) is set to
> ```
> HMAC-SHA-256(
>     HMAC-SHA-256(salt, key[key_id].secret),
>     "Content-Encoding: aes128gcm\x00\x01") # from 2.2 of
> http://httpwg.org/http-extensions/encryption-preview.html
> ```
> The majority case will be that `key_id` is not defined (or is ''), in
> which case, we'd use the locally derived key.
>
> 4) There's no longer a need for "context" to be appended to the key info
> and nonce info, although the Content-Encoding for the new content type
> will use the now obsolete "aesgcm128"
> https://github.com/martinthomson/encrypted-content-encoding/pull/28/files#diff-6ee19a23c153fa68b2910aeb69bde1ddR213
>
> 5) The DH secret is now derived from running an HMAC-SHA-256 over
> ```'WebPush: info\x00' + receiverPublicKey + senderPublicKey```
>
> Is that correct? Am I missing something?
>
> On 10/31/2016 3:38 AM, Martin Thomson wrote:
>> Discussion in the HTTP working group has led to some fairly
>> substantial changes to the spec that we rely on. These are breaking
>> changes. See the changes here:
>> https://github.com/httpwg/http-extensions/pull/252
>>
>> In short, several of the parameters that were in header fields are now
>> in the body of the message and the Encryption header field is now
>> gone.
>>
>> This completely messes with the use of that spec in Webpush. It's
>> easy to detect which version is in use because the identifier has
>> changed, and there are small gains to be had. The overall message
>> size is now slightly smaller, and the key derivation is now slightly
>> simpler. The specs also have fewer interdependencies as a result.
>>
>> I've put together a revision of the webpush-encryption draft. I've
>> taken this opportunity to simplify things a little. You can see a
>> preview in the editor's draft:
>>
>> https://webpush-wg.github.io/webpush-encryption/
>>
>> I realize that this is a fairly big (and late) change. I remain
>> optimistic that it will be the last. Feedback on the changes is
>> positive so far [1].
>>
>> I plan to submit this doc very soon, ahead of the draft submission
>> deadline. I realize that's short notice, but I'm fully prepared to
>> back out this change if necessary.
>>
>> --Martin
>>
>> [1] Costin suggested that we might also remove Crypto-Key. That is
>> technically possible, though it's probably excessively kludgy, the DH
>> key could be moved to the keyid field. I'm leery of that sort of
>> optimization, but I'm willing to be convinced that this is a special
>> enough case (I don't think that it is that special, but have at it).
>>
>> _______________________________________________
>> Webpush mailing list
>> Webpush@ietf.org
>> https://www.ietf.org/mailman/listinfo/webpush
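
Added example, not part of the original message or of any project's code: a receiver-side parser for the body prefix in item 2 of the quoted summary and the CEK derivation in item 3, rejecting malformed prefixes before any key material is touched. The function names are hypothetical; the network byte order for `rs`, the minimum record size of 18 and the 16-octet truncation of the CEK are assumptions taken from the published RFC 8188, not from this thread.

```python
import hashlib
import hmac
import struct
from typing import NamedTuple

CEK_INFO = b"Content-Encoding: aes128gcm\x00"  # info string quoted in the thread


class Header(NamedTuple):
    salt: bytes
    rs: int
    key_id: bytes
    ciphertext: bytes


def parse_header(body: bytes) -> Header:
    """Split salt(16)|rs(4)|id_len(1)|key_id(id_len)|encrypted_content."""
    if len(body) < 21:
        raise ValueError("truncated header: need 21 octets before key_id")
    salt = body[:16]
    (rs,) = struct.unpack("!I", body[16:20])  # assumption: network byte order
    id_len = body[20]
    if rs < 18:  # assumption from RFC 8188: smaller record sizes are invalid
        raise ValueError("record size below 18")
    if len(body) < 21 + id_len:
        raise ValueError("id_len runs past the end of the body")
    return Header(salt, rs, body[21:21 + id_len], body[21 + id_len:])


def derive_cek(salt: bytes, secret: bytes) -> bytes:
    """Item 3: HMAC(HMAC(salt, secret), info || 0x01), cut to 16 octets."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()  # HKDF-Extract
    okm = hmac.new(prk, CEK_INFO + b"\x01", hashlib.sha256).digest()  # Expand
    return okm[:16]  # assumption: AES-128 key is the first 16 octets


def demo():
    # Constructed sample: fixed salt, rs=4096, empty key_id (the majority case).
    salt = bytes(range(16))
    body = salt + struct.pack("!I", 4096) + b"\x00" + b"\xaa" * 32
    hdr = parse_header(body)
    return hdr, derive_cek(hdr.salt, b"constructed-input-keying-material")


if __name__ == "__main__":
    hdr, cek = demo()
    print(hdr.rs, hdr.key_id, len(hdr.ciphertext), cek.hex())
```
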