Re: [xmpp] key+data object encryption (regarding draft-miller-3923bis-01)
Matthew Miller <mamille2@cisco.com> Tue, 16 March 2010 18:43 UTC
Return-Path: <mamille2@cisco.com>
X-Original-To: xmpp@core3.amsl.com
Delivered-To: xmpp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 90FA23A6A9D for <xmpp@core3.amsl.com>; Tue, 16 Mar 2010 11:43:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.649
X-Spam-Level:
X-Spam-Status: No, score=-5.649 tagged_above=-999 required=5 tests=[AWL=-0.849, BAYES_00=-2.599, J_CHICKENPOX_34=0.6, J_CHICKENPOX_41=0.6, J_CHICKENPOX_71=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SAMFk1Npbjy8 for <xmpp@core3.amsl.com>; Tue, 16 Mar 2010 11:43:24 -0700 (PDT)
Received: from gw1.webex.com (gw1.webex.com [64.68.122.208]) by core3.amsl.com (Postfix) with SMTP id 6D9443A6AA9 for <xmpp@ietf.org>; Tue, 16 Mar 2010 11:42:53 -0700 (PDT)
Received: from SRV-EXSC03.webex.local ([192.168.252.197]) by gw1.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 16 Mar 2010 11:43:02 -0700
Received: from dhcp-64-101-72-214.cisco.com ([64.101.72.214]) by SRV-EXSC03.webex.local with Microsoft SMTPSVC(6.0.3790.3959); Tue, 16 Mar 2010 11:42:52 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1077)
From: Matthew Miller <mamille2@cisco.com>
In-Reply-To: <952A4B1F81123B479292D4B5FDC00D8503BA5F61@SRV-EXSC03.webex.local>
Date: Tue, 16 Mar 2010 12:42:51 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <678467D6-0F2B-4C2F-B8EA-4677728B90D1@cisco.com>
References: <734EAEEA-B1DD-4899-80CC-CE9C90DB9776@cisco.com> <952A4B1F81123B479292D4B5FDC00D8503BA5F61@SRV-EXSC03.webex.local>
To: XMPP <xmpp@ietf.org>
X-Mailer: Apple Mail (2.1077)
X-OriginalArrivalTime: 16 Mar 2010 18:42:52.0545 (UTC) FILETIME=[7C2A0710:01CAC538]
Subject: Re: [xmpp] key+data object encryption (regarding draft-miller-3923bis-01)
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Mar 2010 18:43:25 -0000
On Mar 16, 2010, at 10:57, Ben Schumacher wrote: > On 3/16/10 10:15 AM, Matthew Miller wrote: > This makes sense, but can you provide more detail on the contents of the > <data/> element? Would there be some guidelines on how to generate a > strong key in the specification? I note that it has a 'hash' attribute, > can I assume that this is a hash of the encrypted (or decrypted?) > message contents? Is this really a hash, or rather an HMAC that can be > used to provide message authentication? Preferably we could provide a > mechanism to ensure that the encrypted data hasn't been tampered with in > transit, which would allow us to make a decision up front as to whether > we should go forward with the decryption of the message -- this would > help protect from a potential attack against bugs in our decryption > engine that could be a vecotr for a DoS. When we started on this, there was no secret appropriate to salt the HMAC. With the above approach, we could use the session key data as that salt and use HMAC SHA256. That would mean the contents to data would now be: N = current timestamp R = session cipher inputs (e.g. key + IV) S = stanza T = encrypt(R, hmac(R, N + UTF8-Encode(S)) + UTF8-Encode(S)) Which would result in something like the following: <message xmlns="jabber:client" type="chat" to="romeo@montegue.net" from="juliet@capulet.net/balcony"> <e2e xmlns="urn:ietf:params:xml:ns:xmpp-objec" stamp="2010-03-09T16:29:43.012Z"> <key cipher="RSAES-OAEP-SHA-256-MFG1"> PrGA6extyYdY6sFWk7/+YAvTglZe4GSglWeTshada6+GOKqVViK17FIvR9TQcSTB Ak1YcKr5Oa8ok0bf9gQzscwastKho72NaJ9NplTuDOZ4I3e3ZXhcN5iXoJYkVMHf scz20vYK170b5FYKorlQ/cgXw62slxb51t6jgCKZ+bUDpcalUmepU56y7Wwy+OwE buP2B1tr5XFVX1r0+epObTfdunCr/N1GphuVP70108lCavZhRLO1gNAC+6FEA75E pelvYstXaCHbXkkWT03AY02p//L4pdoyGQK+ZbJJjOfRndFTGMx1DJApkySRaQhW P2+5HpJMJ6jeWCyPAawK8A== </key> <data cipher="AES-256-CBC-PKCS5-WITH-IV" mac="HMACSHA256"> lM06rZtX5YXi+jrlNOKdsydMjAcVkAcJCZ8lncIgIF1CatVVTtIoachMHFm3XV7a SyEjrVO1P8Sdd3MTdOn1o+ktJvI66zAVWFL/aCoJbcwO1BUKtIn4AOG76V7kSYBj CDzWD7Hus620TEah/h1K/9Au6RHjWB78qpVLPLiROlZSH9Pw5sg4eDOKeusffSyb gcHDGXlDEVduWViaNWfIl6fboHiZXVfsU4ZPlxMXW41WjXVB1wwlfIUnsjL8e0Xc 106EkLR5XM9E6vT3MNY0UeOJO89W3t3RzKkZfFhWKn3ALPjoikRyEvdvw7baRD3O </data> </e2e> </message> > > I haven't followed the entire discussion on this specification, but is > there a rational for using PKCS1 v1.5 (which has known weaknesses in > some implementations) instead of using the stronger RSAES-OEAP[1] > specification? The only reason is that when we started, we did not have access to RSAES-OAEP implementations. I have no problem upgrading, assuming there's no general dissent. > > These are all (mostly) off-the-cuff remarks, but I will spend more time > with the specification to make sure I'm not missing anything. > > Cheers, > Ben Thanks for even this initial look. The draft itself is still pretty immature, so I'm sure there's plenty we'll need to hash out still - m&m
- [xmpp] key+data object encryption (regarding draf… Matthew Miller
- Re: [xmpp] key+data object encryption (regarding … Ben Schumacher
- Re: [xmpp] key+data object encryption (regarding … Matthew Miller
- Re: [xmpp] key+data object encryption (regarding … Ben Schumacher
- Re: [xmpp] key+data object encryption (regarding … Matt Miller
- Re: [xmpp] key+data object encryption (regarding … Ben Schumacher