Re: [jose] some more comments on the jose drafts ...
Eric Rescorla <ekr@rtfm.com> Sun, 18 December 2011 12:51 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73B0C21F84C9 for <jose@ietfa.amsl.com>; Sun, 18 Dec 2011 04:51:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.377
X-Spam-Level:
X-Spam-Status: No, score=-100.377 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B5Drzhg2L2G8 for <jose@ietfa.amsl.com>; Sun, 18 Dec 2011 04:51:18 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id E1A6221F84C3 for <jose@ietf.org>; Sun, 18 Dec 2011 04:51:17 -0800 (PST)
Received: by vbbfo1 with SMTP id fo1so2645729vbb.31 for <jose@ietf.org>; Sun, 18 Dec 2011 04:51:16 -0800 (PST)
Received: by 10.52.69.51 with SMTP id b19mr2606432vdu.9.1324212676234; Sun, 18 Dec 2011 04:51:16 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.157.3 with HTTP; Sun, 18 Dec 2011 04:50:35 -0800 (PST)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <4EEA3BB1.7040904@rub.de>
References: <4EE52166.30701@rub.de> <CABzCy2ABzX0AFTx8epR6SWkPtHt4ith4YHgOqtgHgZUwUpD0Sg@mail.gmail.com> <4EEA3BB1.7040904@rub.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 18 Dec 2011 04:50:35 -0800
Message-ID: <CABcZeBMdYvVe46M9WQGqZ0VRVo_6jE4e90WtYS1bcvF1em4GLA@mail.gmail.com>
To: Juraj Somorovsky <juraj.somorovsky@rub.de>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: sakimura@gmail.com, jose@ietf.org
Subject: Re: [jose] some more comments on the jose drafts ...
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Dec 2011 12:51:18 -0000
On Thu, Dec 15, 2011 at 10:25 AM, Juraj Somorovsky <juraj.somorovsky@rub.de> wrote: > On 12/12/2011 05:05 PM, Nat Sakimura wrote: >> On Mon, Dec 12, 2011 at 6:32 AM, Juraj Somorovsky >> <juraj.somorovsky@rub.de>wrote: >> I fully agree that encryption should be used only with integrity checking. >> In the ideal world, we would only have to use some mode like GCM, but >> unfortunately the support is yet to become wide spread. In most platforms, >> it is likely that the develop has to rely on something like CBC whose >> support is much more wide spread. Under this cercumstances, we would have >> to support CBC with integrity checks. So, doing encryption and integrity >> check (optional for GCM etc., and MUST for CBC) is the way to go, IMHO. To >> do so, instead of just using CEK, include the CMK in the header and use it >> to create CEK and CIK. > CBC is OK if cryptographic integrity checks (MACs) are mandatory (and if > the data is not processed before the MAC is verfied). Please do not > allow CBC without MAC. I concur with this. >> As to the support of PKCS 1.5 is concerned, again, it is the same problem >> as the support of GCM. The platform that only supports PKCS 1.5 is still >> wide spread. Of course we may use this spec to whip the providers and >> software vendors to build the support for a more decent algorithms but that >> will severely limit the adoption of the spec in the initial phase. I think >> we should support PKCS 1.5 as a base line which is a MUST, and strongly >> recommend more decent ones and put some comment in the security >> consideration as well. > Ok, I just wanted to warn you. PKCS #1 v1.5 will affect the security of > the specification and many developers will have problems to apply valid > countermeasures, which will completely mitigate the attacks. Hmm... Can you explain what you think the issue is that makes it hard to deploy countermeasures? -Ekr
- [jose] some more comments on the jose drafts ... Juraj Somorovsky
- Re: [jose] some more comments on the jose drafts … Nat Sakimura
- Re: [jose] some more comments on the jose drafts … Juraj Somorovsky
- Re: [jose] some more comments on the jose drafts … Anthony Nadalin
- Re: [jose] some more comments on the jose drafts … Eric Rescorla
- Re: [jose] some more comments on the jose drafts … Juraj Somorovsky