[prev in list] [next in list] [prev in thread] [next in thread]
List: cfrg
Subject: Re: [Cfrg] [jose] Use of authenticated encryption for key wrapping
From: John Bradley <ve7jtb () ve7jtb ! com>
Date: 2013-03-17 22:40:21
Message-ID: 0A3D2079-279F-4D6C-AEE9-2B4BBF97B609 () ve7jtb ! com
[Download RAW message or body]
That is true.
However the main reason AES-GWC would be used is to allow transport of keys (RSA, EC \
and Symmetric) that are intended for use outside the crypto module.
Where I agree, is that it is probably not such a good idea to start using AESKW on \
the message body just because that body contains a JWK with a private key.
I think that is where this particular question started. Some people thought that \
only AES-KW was appropriate for encrypting keys.
My preference is to keep AES-KW for wrapping session keys,and not change to the newer \
version that would allow us to encrypt arbitrary length messages.
That at least still provides some additional protection for session keys in that the \
KW alg remains internal, so can not be used to expose session keys accidentally if \
that is what you are getting at.
Regards,
John B.
On 2013-03-15, at 2:42 PM, Russ Housley <housley@vigilsec.com> wrote:
> There are some system design issues to be considered. The use of different modes \
> for encryption of user data and keying material makes it easier to prevent the \
> decryption of keying material outside of the crypto module.
> Russ
>
>
> On Mar 15, 2013, at 11:42 AM, Brian Weis wrote:
>
> > Jim Schaad gave a presentation on JOSE to CFRG today \
> > (<http://www.ietf.org/proceedings/86/slides/slides-86-cfrg-5.pdf>). The question \
> > came up as to whether AES key wrap was necessarily the only method that was safe \
> > for key wrapping in JOSE. The other algorithm under consideration is AES-GCM.
> > Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:
> >
> > "Previously approved authenticated-encryption modesas well as combinations of an \
> > approved encryption mode with an approved authentication methodare approved for \
> > the protection of cryptographic keys, in addition to general data."
> > So if one considers that to be good enough advice, AES-GCM would indeed be an \
> > acceptable method of key wrapping. The chairs asked me to cross-post this for \
> > discussion.
> > Brian
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
["smime.p7s" (smime.p7s)]
0 *H
010 + 0 *H
040 0
*H
0}10 UIL10U
StartCom Ltd.1+0)U"Secure Digital Certificate Signing1)0'U StartCom \
Certification Authority0 071024210255Z
171024210255Z010 UIL10U
StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 2 \
Primary Intermediate Client CA0"0 *H
0
(E,3*
U]"gFSݤ>}m
w鞆FA7~
|-ql"/Q?Vp`G&viĜ73{B'87ds Nfz1%TII|2o/mD \
\t :0 8VGqǴ3Rp}JTzF;& X}rD \
Q6 00U00U0UUo1ʹk1㬻 \
0U#0N@[i04hCA0f+Z0X0'+0http://ocsp.startssl.com/ca0-+0!http://www.startssl.com/sfsca.crt0[UT0R0' \
% #!http://www.startssl.com/sfsca.crl0' % \
#!http://crl.startssl.com/sfsca.crl0U \
y0w0u+70f0.+"http://www.startssl.com/policy.pdf04+(http://www.startssl.com/intermediate.pdf0
*H
:'
ӴiiL\};JBG
Ƚ1FagR~9P1 \
Rvg}ȜsWr<];sY/Msߟq'ɽNpʧ`&pPz/ў-Eׁ1 \
KeET5ꥊ@v錈{8@t e=ރt92Ow[%[kd+YO!_uyGYqE\pCbM~
@ 3xn M+RH? \
o'V=INjWbᑶYOuZk*9Jz)wjNnZqwZV=t+΄BMkd"ܧfVSąmzLu8 \
ņVcoiQ^7|#Bl@/D;+@8 ~brA+}TLVŜ2J (Hn}Rt] fiZ
U ]+nŚܓqEF$^fsȕP)*6\q)900 \0
*H
010 UIL10U
StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 2 \
Primary Intermediate Client CA0 120318043248Z
140319110732Z010U
GrTM6LS7X35778s910 UCL1"0 UMetropolitana de Santiago10U
Isla de Maipo10UJohn Bradley10 *H
jbradley@me.com0"0
*H
0
Jw9r3Eyz]s
'Exz48RR ,+8Oox(se{V,YU&ү{`T^z;snNx \
G cxE뙌n`_5z&MNcί#q~PKWWӲTpۧ/z#y-UB>#Fݢ>-!1 \
P؎Uu.]d\X)ޛ/jlQ|D熕 0 \
0 U0 0U0U%0++0U? \
ġ'ΚfR&3-y0U#0Uo1ʹk1㬻0~Uw0ujbradley@me.comjbradle \
y@me.comjbradley@mac.comve7jtb@ve7jtb.comjbradley@wingaa.comjohn.bradley@wingaa.com0!U \
00+700.+"http://www.startssl.com/policy.pdf04+(http://www.startssl.com/intermediate.pdf0+00' \
StartCom Certification Authority0This certificate was issued according to the \
Class 2 Validation requirements of the StartCom CA policy, reliance only for the \
intended purpose in compliance of the relying party obligations.0+00' \
StartCom Certification Authority0dLiability and warranties are limited! See \
section "Legal and Limitations" of the StartCom CA policy.06U/0-0+ ) \
'%http://crl.startssl.com/crtu2-crl.crl0+009+0-http://ocsp.st \
artssl.com/sub/class2/client/ca0B+06http://aia.startssl.com/certs/sub.class2.client.ca.crt0#U0http://www.startssl.com/0
*H
6 M3ׄ]oCm5'y/nn
jx\N`Brw]HɯSj)<Z-!-}SrR=ؒOFwGW'$_4hT}C]A5U)-7?!iuY 鍢%ՔuyŲ'R$U,['es{[a \
1"KjxԥFMy$ɪVo|ԊSRESa/?l*#nd:jT1l0h0010 UIL10U
StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 2 \
Primary Intermediate Client CA\0 + 0 *H 1 *H
0 *H
1
130317224022Z0# *H
11Bv oHC0 +710010 UIL10U
StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 2 \
Primary Intermediate Client CA\0*H 1 010 UIL10U
StartCom Ltd.1+0)U"Secure Digital Certificate Signing1806U/StartCom Class 2 \
Primary Intermediate Client CA\0 *H
K+7`R5rτ|Mb_صChTMK&_1O3#G<.ȝgW
}\IFD"wj
)4,l?_"Y
A=<O1 }ʼnaZJև%uLX54ȫQrG QvV7N V
ɾ ܿVKβ,I݅n
7:ZGsxb
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic