Re: [jose] Symmetric encryption and key agreement with and without a separate CMK

Thu, 19 Jul 2012 13:57:28 -0700 

The proposal is fine as long as it's made clear that cases 2 and 4 are not 
useable for multiple recipient scenarios.

-- Edmund




________________________________
From: Mike Jones <[email protected]>
To: "[email protected]" <[email protected]>
Sent: Wed, July 18, 2012 6:04:14 PM
Subject: [jose] Symmetric encryption and key agreement with and without a 
separate CMK

 
Hi all,
 
I’ve been thinking about two of our open issues, which are closely related, and 
am writing to make a proposal to resolve both of them.  The issues are:
 
(1) Currently we specify methods for using symmetric keys to key wrap a 
separate 
Content Master Key (CMK), but no means of using the symmetric key as the CMK 
directly.  Some applications need this functionality, both for size and for 
efficiency  reasons.
 
(2) Currently we specify methods for performing key agreement and directly 
using 
the resulting key as the CMK to perform block encryption, but no means of using 
the agreed-upon key to wrap a separate CMK.  When doing key agreement for 
multiple  recipients, a separate CMK is needed.
 
Thus, I propose that we define methods for filling in both of the holes above, 
as follows:
 
(a) Define “alg”:”dir” (direct) to mean that the symmetric key is directly used 
as the CMK for the block encryption and integrity calculations, rather than as 
a 
key to wrap the CMK value.
 
(b) Define “alg”:”ECDH-ES+A128KW” and “alg”:”ECDH-ES+A256KW” to mean that the 
result of the key agreement is respectively used as the 128 bit or 256 bit AES 
Key Wrap key to wrap the CMK.
 
Doing this will enable all four flavors, whereas we’re currently missing 2 and 
3 
below:
1.  The symmetric key used to wrap a separate CMK
2.  The symmetric key used as the CMK
3.  The key agreement result used to wrap a separate CMK
4.  The key agreement result used as the CMK
 
I recognize that flavors 2 and 4 are not usable with multiple recipients when 
methods such as JWE JSON Serialization are used (which counts on a common CMK 
value to enable a common ciphertext value).  A note to that effect would be 
added  to the JWA definitions of “alg”:“ECDH-ES” and “alg”:”dir” and it would 
be 
pointed out in the JWE-JS spec that “alg” values that utilize a separate CMK 
MUST be used when the plaintext is encrypted to multiple recipients.
 
Comments?
 
                                                                -- Mike
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose

Reply via email to