John, do you have any comments on the original post? Telling me I can do what I already described is not useful.
-- Dick On 2012-11-06, at 8:58 AM, John Bradley <[email protected]> wrote: > I take your point, but there are a number of cases where people are creating > security tokens using a pre-shared key. > > Given that a JWE using KeyWrap & Encryption with integrity and a JWS using > HS256 provide the same level of verification of the sender. > They are equivalent , though nether of them are signatures. > > If HS256 is good for you then perhaps A256KW + A128CBC+HS256 might be good if > you need to add encryption based on the same key. > > John > On 2012-11-06, at 10:54 AM, "Jim Schaad" <[email protected]> wrote: > >> <personal> >> >> Only if you have a really loose definition of signing - it gives you an >> integrity check but not origination which is usually implied by the term >> signing >> >> Jim >> >> >>> -----Original Message----- >>> From: John Bradley [mailto:[email protected]] >>> Sent: Tuesday, November 06, 2012 10:50 AM >>> To: Dick Hardt >>> Cc: Jim Schaad; 'Mike Jones'; [email protected] >>> Subject: Re: [jose] encrypting AND signing a token >>> >>> I should also note that with symmetric keys, the alg option of A128KW with >>> an enc of A128CBC+HS256 effectively gives you signing and encryption in a >>> single JWE. >>> >>> That doesn't solve the asymmetric signing case, but may work for some >>> people . >>> >>> John B. >>> On 2012-11-06, at 10:37 AM, John Bradley <[email protected]> wrote: >>> >>>> SAML performs this as separate operations. >>>> >>>> Now in some cases the assertion is signed then encrypted and then the >>> message signed to deal with the AESCBC padding oracle attack. >>>> >>>> There is non technical issue around the use of qualified signatures in >> cases >>> where non repudiation is required. >>>> Signing a encrypted object has different connotations than signing a >>> unencrypted one. >>>> >>>> I don't know what the status of a combined operation would be. It is >>> probably not relevant to your use case. >>>> >>>> At IETF #83 I presented including ECDH-SS as an encryption option as it >>> provides sender verification. >>>> I think that would answer your use case, depending on how you feel about >>> EC. >>>> >>>> The work group rejected adding that algorithm at the time on the grounds >>> that it is not used in places where it is supported. >>>> ECDH-ES is defined and is considered more secure than ECDH-SS mostly >>> because it is harder to get wrong. >>>> >>>> I am not recommending revisiting the issue, but it would be a way to >>> address the composite use case. >>>> >>>> Despite being a Canadian I am not shilling for certicom. Just saying. >>>> >>>> John B. >>>> On 2012-11-04, at 2:55 PM, Dick Hardt <[email protected]> wrote: >>>> >>>>> Thanks Jim. An interesting historical reference. >>>>> >>>>> In my use case, who signed or who the token is for is not a secret. The >>> payload needs to be kept a secret. >>>>> >>>>> Does no one sign and encrypt SAML tokens? >>>>> Is this not a common use case? >>>>> >>>>> If it does need to be solved, it would seem to me that a standards body >>> would be the place to have lots of eyes look at how to sign and encrypt a >>> token so that people do not do naive sign and encrypt. >>>>> >>>>> Q: does anyone else need to sign and encrypt? >>>>> >>>>> -- Dick >>>>> >>>>> On Nov 4, 2012, at 10:24 AM, "Jim Schaad" <[email protected]> >>> wrote: >>>>> >>>>>> <personal> >>>>>> >>>>>> I would note that the original PKCS#7 specifications had a mode that >>>>>> provided a similar sign and encrypt as a single operation mode. >>>>>> When the >>>>>> PKCS#7 specifications where adopted by the IETF as part of the CMS >>>>>> work, this mode was discussed and very deliberately dropped because >>>>>> of numerous security problems that had been found. These included >>>>>> (but are not limited >>>>>> to) the fact that it was signed or who signed it was sometimes a >>>>>> security leak. Also there were attacks where the signed and >>>>>> encrypted mode could be converted to just an encrypted mode. >>>>>> >>>>>> I would think that there would be a need for a very detailed >>>>>> security analysis that we are not prepared to do in order to support >>>>>> a signed and encrypted mode. >>>>>> >>>>>> Jim >>>>>> >>>>>> >>>>>>> -----Original Message----- >>>>>>> From: [email protected] [mailto:[email protected]] On >>>>>>> Behalf Of Dick Hardt >>>>>>> Sent: Friday, November 02, 2012 12:30 PM >>>>>>> To: Mike Jones >>>>>>> Cc: [email protected] >>>>>>> Subject: Re: [jose] encrypting AND signing a token >>>>>>> >>>>>>> Not only is my original token increasing in size by 4/3, I am also >>>>>>> adding another header, payload and signature. >>>>>>> >>>>>>> One of the objectives of JWT was to enabled compact tokens. It >>>>>>> would seem that we should be able to support both signing and >>>>>>> encryption of the same token. >>>>>>> >>>>>>> All the encryption use cases I can think of involving asymmetric >>>>>>> keys >>>>>> would >>>>>>> also require signing with the senders private key. >>>>>>> >>>>>>> My suggestion is to be explicit in what the algorithm etc. is used >> for: >>>>>>> >>>>>>> Rather than "alg" and "enc", we have: >>>>>>> >>>>>>> "algs" - algorithm for token signing "algk" - algorithm for content >>>>>>> management key encryption "alge" - >>>>>> algorithm >>>>>>> for payload encryption >>>>>>> >>>>>>> Similiarly, >>>>>>> >>>>>>> "kids" - key id for signing >>>>>>> "kidk" - key id for content managment key encryption >>>>>>> >>>>>>> We could probably make these three or even two letter codes if you >>>>>>> want to save a couple bytes. >>>>>>> >>>>>>> -- Dick >>>>>>> >>>>>>> On Nov 2, 2012, at 8:46 AM, Mike Jones >>>>>>> <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> The way you put it brings one straightforward solution to mind. >>>>>>>> Solve >>>>>> 1-3 >>>>>>> with a JWE. Solve 4-5 by signing the JWE as a JWS payload. Done. >>>>>>>> >>>>>>>> I do understand that the 4/3 space blowup-of double base64url >>>>>>>> encoding >>>>>>> the JWE motivates your earlier proposal about nested signing. (See >>>>>>> Dick's >>>>>>> 10/29/12 message "[jose] signing an existing JWT".) I also >>>>>>> understand >>>>>> that if >>>>>>> you could do integrity with the asymmetric signature then the >>>>>>> integrity provided by the JWE itself may be redundant. I don't >>>>>>> have a specific >>>>>> proposal >>>>>>> on how to do that. >>>>>>>> >>>>>>>> -- Mike >>>>>>>> >>>>>>>> -----Original Message----- >>>>>>>> From: [email protected] [mailto:[email protected]] On >>>>>>>> Behalf Of Dick Hardt >>>>>>>> Sent: Friday, November 02, 2012 8:22 AM >>>>>>>> To: [email protected] >>>>>>>> Subject: [jose] encrypting AND signing a token >>>>>>>> >>>>>>>> I am trying to figure out how to implement JWT/JWS/JWE to solve a >>>>>>>> real >>>>>>> world problem. >>>>>>>> >>>>>>>> 1) Bob sends a token to Charlie via Alice. (Alice gets token from >>>>>>>> Bob and then Alice gives token to Charlie) >>>>>>>> 2) Alice must be prevented from reading the token. (token needs to >>>>>>>> be >>>>>>>> encrypted) >>>>>>>> 3) Bob and Charlie can share a symmetric key. >>>>>>>> >>>>>>>> I can solve this with JWE. >>>>>>>> >>>>>>>> Now let's add another condition. >>>>>>>> >>>>>>>> 4) Charlie wants non-repuditation that Bob created the token. >>>>>>>> 5) Bob has a private key and a public key >>>>>>>> >>>>>>>> I don't see how to do this using JWE. It seems I have to sign the >>>>>>>> same >>>>>> token >>>>>>> I had previously with JWS. This seems inefficient since I should be >>>>>>> able >>>>>> to >>>>>>> replace the JWE integrity computation done with the symmetric key >>>>>>> with the private key -- but the "alg" parameter is the same in both >>>>>>> encrypting and signing. >>>>>>>> >>>>>>>> Now let's expand this to replacing the symmetric key with a >>>>>> public/private >>>>>>> key pair for encryption. Bob encrypts with Charlies public key and >>>>>>> signs >>>>>> with >>>>>>> Bob's private key (we also need to make sure we are not doing naive >>>>>>> encryption and signing here, would be a really useful to specify >>>>>>> what >>>>>> needs >>>>>>> to be done there). Now we need to have parameters for both >>>>>>> public/private key pairs in the header. >>>>>>>> >>>>>>>> Am I missing something here? >>>>>>>> >>>>>>>> Seems like we can do this if we change the header parameters to >>>>>>>> specify >>>>>> if >>>>>>> they ("alg", "kid", et.c) are for token signing, payload encryption >>>>>>> or >>>>>> content >>>>>>> key encryption. >>>>>>>> >>>>>>>> -- Dick >>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> jose mailing list >>>>>>>> [email protected] >>>>>>>> https://www.ietf.org/mailman/listinfo/jose >>>>>>> >>>>>>> _______________________________________________ >>>>>>> jose mailing list >>>>>>> [email protected] >>>>>>> https://www.ietf.org/mailman/listinfo/jose >>>>>> >>>>> >>>>> _______________________________________________ >>>>> jose mailing list >>>>> [email protected] >>>>> https://www.ietf.org/mailman/listinfo/jose >>>> >> > _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
