No, Concat often isn't natively supported, but it's very easy to implement
given implementations of SHA-256 and SHA-512, as shown in
http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06#appendix-A.4
and
http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-06#appendix-A.5.
When the table was discussed at the WebCrypto F2F, it was pointed out that a
shortcoming of the current table is that it doesn't indicate which of the "NO"
values are effectively show-stoppers and which are easy to build
implementations of, and so not a problem in practice. As shown in the
appendices, I believe that Concat is in the latter category. Given the ease of
implementation, it's certainly not worth adding space to the JWEs to work
around.
-- Mike
From: [email protected] [mailto:[email protected]]
Sent: Monday, October 29, 2012 6:03 AM
To: Mike Jones; [email protected]
Cc: [email protected]
Subject: RE: Platform Support for JWA Crypto Algorithms
As one can see from this table the KDF is unsupported on all platforms (except
one).
http://self-issued.info/presentations/Platform_Support_for_JWA-04_Crypto_Algorithms.xlsx
JWE
kdf
CS256
Concat Key Derivation Function (KDF)
NO
Win7
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
JWE
kdf
CS384
Concat Key Derivation Function (KDF)
NO
Win7
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
JWE
kdf
CS512
Concat Key Derivation Function (KDF)
NO
Win7
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
NO
Isn't this an indication that we should look at alternatives?
e.g.: we could generate the integrity protection key randomly instead of
deriving it from the content encryption key.
This would add some more bytes (e.g. about 32) to the jwt but is very easy to
implement on all platforms.
One way to do it would be to generate enough bytes "Bytes" in "JWE Encrypted
Key" for encryption and integrity.
The CEK is then "Bytes[0 .. cekLength-1]" and the CIK "Bytes[cekLength ..
cekLength+cikLength-1]"
Axel
[On some platforms (Firefox/NSS) it might even be nearly impossible to
implement (without extending the platform's functions) because the build-in
digest function is always reset when finalize (doFinal) is called. The spec of
the Concat-KDF says that bytes are generated in a loop but the digest is NOT
reset in the loop.]
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Mike Jones
Sent: Monday, October 29, 2012 7:28 AM
To: [email protected]<mailto:[email protected]>
Subject: [jose] Platform Support for JWA Crypto Algorithms
FYI, I posted the table describing support for the JWA algorithms in common Web
development platforms that we discussed at IETF 84. See
http://self-issued.info/?p=884.
-- Mike
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
