Unless you’re implementing both halves with parallel wrongness, in which case you’re completely screwed and have no idea.
— Justin

> On Jul 17, 2015, at 12:38 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
>
> As for “ECDH-SS rfc6278 (being) easier for implementers to get wrong than ECDH-ES” the good news about crypto is that if you get it even a little bit wrong, it doesn’t work with others’ implementations at all, so this situation tends to be self-correcting.
>
> Cheers,
> -- Mike
>
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
> Sent: Friday, July 17, 2015 7:02 AM
> To: Brian Campbell
> Cc: oauth
> Subject: Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens
>
> They provide integrity protection for the encryption, that is very important for preventing padding oracle attacks.
>
> AES GCM <https://tools.ietf.org/html/rfc7518#section-5.3> and AES_CBC_HMAC_SHA2 <https://tools.ietf.org/html/rfc7518#section-5.2> are both examples of Authenticated Encryption <https://en.wikipedia.org/wiki/Authenticated_encryption> in the sense that the received encryption is true and not that the sender is identified.
>
> English speakers have a hard time with the subtle difference between identification and authentication, so I wanted to be clear.
>
> That being said there is a special case where if the JWT is encrypted with a symmetric key known only to two parties and it is “authenticated” and you didn’t create it, then by a process of elimination it could have only come from one party. This is NOT a signature, however it is a useful trick that some people use to only encrypt and while still knowing with relative certainty who encrypted it.
>
> I should note that ECDH-SS rfc6278 a key agreement algorithm we didn’t put in the base JWA spec also has the property of providing encryption and authenticity based on the public keys of both sender and receiver.
> (note this is easier for implementers to get wrong than ECDH-ES but that is another debate:)
>
> Probably more than you wanted to know, but Nat started it:)
>
> John B.
>
> On Jul 17, 2015, at 2:09 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> Though you want to be careful with that as the asymmetric algs in JWE don't provide authentication of the sender.
>
> On Thu, Jul 16, 2015 at 11:26 PM, Nat Sakimura <n-sakim...@nri.co.jp> wrote:
>
> Hi Malla,
>
> Just to add one more thing:
> If you just want to “sign” for the sake of integrity protection, you really do not need to do it as all the algs in JWE are integrity protected.
>
> --
> Nat Sakimura <n-sakim...@nri.co.jp>
> Nomura Research Institute, Ltd.
>
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
> Sent: Friday, July 17, 2015 7:45 AM
> To: Malla Simhachalam <mallasimhacha...@gmail.com>
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens
>
> https://tools.ietf.org/html/rfc7519#section-11.2
>
> It is in the JWT spec. You can do it both ways however you really need a good reason not to sign then encrypt, and then after you have a good reason you should still sign then encrypt because you probably have not considered everything.
>
> There are probably some edge cases that are exceptions to the rule, but they are rare.
>
> John B.
>
> On Jul 16, 2015, at 11:33 PM, Malla Simhachalam <mallasimhacha...@gmail.com> wrote:
>
> Hi,
>
> I am looking at the spec https://datatracker.ietf.org/doc/rfc7520/?include_text=1 for combining JWS and JWE use case, I could not find it obvious that a JSON document should be signed first and then encrypt or other way around. Are there any recommendations one over the other?
>
> Thanks for help.
> Malla
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
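
Added example, not part of the thread and not any participant's code: the sign-then-encrypt nesting from RFC 7519 section 11.2 that John Bradley points to, using only Node.js built-ins. The ES256 inner JWS, the "dir" + A256GCM outer JWE, and all keys and claims are choices made for this illustration.

```javascript
const crypto = require('crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const fromB64u = (s) => Buffer.from(s, 'base64url');

// Inner JWS (ES256): only the holder of the private key can produce it.
function signJwt(claims, privateKey) {
  const input = b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT' })) + '.' + b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return input + '.' + b64u(sig);
}

function verifyJwt(jws, publicKey) {
  const [h, p, s] = jws.split('.');
  if (JSON.parse(fromB64u(h)).alg !== 'ES256') throw new Error('unexpected alg');
  const ok = crypto.verify('sha256', Buffer.from(h + '.' + p), { key: publicKey, dsaEncoding: 'ieee-p1363' }, fromB64u(s));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(fromB64u(p));
}

// Outer JWE (alg "dir", enc "A256GCM"); cty "JWT" marks the plaintext as a nested JWT.
function encryptJwt(jws, cek) {
  const header = b64u(JSON.stringify({ alg: 'dir', enc: 'A256GCM', cty: 'JWT' }));
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(Buffer.from(header, 'ascii')); // protected header is the AAD
  const ct = Buffer.concat([cipher.update(jws, 'utf8'), cipher.final()]);
  return [header, '', b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join('.'); // empty key segment for "dir"
}

function decryptJwt(jwe, cek) {
  const [header, , iv, ct, tag] = jwe.split('.');
  const h = JSON.parse(fromB64u(header));
  if (h.alg !== 'dir' || h.enc !== 'A256GCM') throw new Error('unexpected alg/enc');
  const d = crypto.createDecipheriv('aes-256-gcm', cek, fromB64u(iv));
  d.setAAD(Buffer.from(header, 'ascii'));
  d.setAuthTag(fromB64u(tag));
  return Buffer.concat([d.update(fromB64u(ct)), d.final()]).toString('utf8'); // final() throws on a bad tag
}

// Constructed keys and claims, for illustration only.
const sender = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const cek = crypto.randomBytes(32);
const nested = encryptJwt(signJwt({ iss: 'sender.example', sub: 'alice' }, sender.privateKey), cek);
const claims = verifyJwt(decryptJwt(nested, cek), sender.publicKey);
console.log(claims);
```

Decryption succeeding shows only that some holder of the content encryption key produced the JWE; the inner signature check is what ties the claims to the sender's key.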