
List:       cfrg
Subject:    Re: [Cfrg] [jose] Use of authenticated encryption for key wrapping
From:       John Bradley <ve7jtb () ve7jtb ! com>
Date:       2013-03-17 22:40:21
Message-ID: 0A3D2079-279F-4D6C-AEE9-2B4BBF97B609 () ve7jtb ! com

That is true.

However the main reason AES-GCM would be used is to allow transport of keys
(RSA, EC and Symmetric) that are intended for use outside the crypto module.

Where I agree is that it is probably not such a good idea to start using
AES-KW on the message body just because that body contains a JWK with a
private key.

I think that is where this particular question started. Some people thought
that only AES-KW was appropriate for encrypting keys.

My preference is to keep AES-KW for wrapping session keys, and not change to
the newer version that would allow us to encrypt arbitrary length messages.

That at least still provides some additional protection for session keys in
that the KW alg remains internal, so cannot be used to expose session keys
accidentally if that is what you are getting at.

Regards,
John B.

On 2013-03-15, at 2:42 PM, Russ Housley <housley@vigilsec.com> wrote:

> There are some system design issues to be considered. The use of different
> modes for encryption of user data and keying material makes it easier to
> prevent the decryption of keying material outside of the crypto module.
>
> Russ
> 
> 
> On Mar 15, 2013, at 11:42 AM, Brian Weis wrote:
> 
> > Jim Schaad gave a presentation on JOSE to CFRG today
> > (<http://www.ietf.org/proceedings/86/slides/slides-86-cfrg-5.pdf>). The
> > question came up as to whether AES key wrap was necessarily the only
> > method that was safe for key wrapping in JOSE. The other algorithm under
> > consideration is AES-GCM.
> >
> > Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:
> >
> > "Previously approved authenticated-encryption modes -- as well as
> > combinations of an approved encryption mode with an approved
> > authentication method -- are approved for the protection of cryptographic
> > keys, in addition to general data."
> >
> > So if one considers that to be good enough advice, AES-GCM would indeed be
> > an acceptable method of key wrapping. The chairs asked me to cross-post
> > this for discussion.
> >
> > Brian
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

