Re: crypto-ISSUE-29 (block modes): Handling of block encryption modes and padding [Web Cryptography API] from Ryan Sleevi on 2012-08-25 (public-webcrypto@w3.org from August 2012)

From: Ryan Sleevi <sleevi@google.com>
Date: Fri, 24 Aug 2012 18:14:19 -0700
To: Wan-Teh Chang <wtc@google.com>
Cc: "David McGrew (mcgrew)" <mcgrew@cisco.com>, Web Cryptography Working Group <public-webcrypto@w3.org>
Message-ID: <CACvaWvZyt+7cCdXedQAxqYvH4GftR1rSCpdips_o95xhx8aQEw@mail.gmail.com>

On Fri, Aug 24, 2012 at 6:04 PM, Wan-Teh Chang <wtc@google.com> wrote:
> Ryan,
>
> Thank you for the info. I found the guidance you quoted in RFC 3447
> for RSAES-OAEP and EMSA-PSS. The recommendation is repeated in RFC
> 4055 Section 3.1 for RSASSA-PSS keys:
>
>    When signing, it is RECOMMENDED that the parameters, except for
>    possibly saltLength, remain fixed for all usages of a given RSA key
>    pair.
>
> I did not find similar language that recommends using a fixed hash
> algorithm for a given signing key in X9.62-2005 and FIPS 186-3. Also,
> RFC 5480 still uses the completely unrestricted id-ecPublicKey
> algorithm identifier for ECDSA keys.
>
> So it seems that these standards and RFCs, especially for ECDSA keys,
> still allow key algorithms to be less restrictive/specific than crypto
> operation algorithms. In PKCS #11, key algorithms and crypto operation
> algorithms come from two namespaces -- CKK_xxx for key types and
> CKM_xxx for mechanisms.
>
> The implication is that this kind of "tainting" will need to be
> maintained by the user agents, and it would be difficult to migrate
> key  tainting from one computer to another for keys in smart cards
> unless the smart cards themselves carry key tainting information.
>
> Wan-Teh

Correct. The concept of restricting a key (which may be a generic
type, such as RSA), to a particular subset of both algorithm (PSS) and
algorithm parameters (eg: hash), is one that is not widely supported
within generic APIs.

Thus, when granting access to a particular key to multiple
applications - whether they be native applications or web applications
- the key "should" be used consistently. This is part of why I'm
extremely hesitant to support exposing OS keys to arbitrary web
applications, since there is, I believe, even less of a chance that
they will preserve the invariants.

Currently, the security considerations section lists tainting as a
non-normative recommendation of one possible way for dealing with the
security issues that may arise. However, as you point out, by
normatively making key generation take the more specific algorithm,
this presumes that key tainting MUST be implemented. If we make the
Key.algorithm contain a 'generic' set of parameters, then it will be
up to every web application to manage the 'state' of the key
themselves (in addition to any user agents also maintaining that
state), as well as be prepared for 'retry until you find the right
combo' for keys that have been tainted.

I'm not thrilled with such a proposal, since I'm convinced it will
lead to poor implementations/undermine the security, but I can
understand the appeal for implementation simplicity. If we do go that
route, I think it further argues for the importance of keeping keys
single origin.

Received on Saturday, 25 August 2012 01:14:46 UTC