W3C home > Mailing lists > Public > public-webcrypto@w3.org > October 2012

Re: [jose] Platform Support for JWA Crypto Algorithms

From: Ryan Sleevi <sleevi@google.com>
Date: Wed, 31 Oct 2012 14:25:05 -0700
Message-ID: <CACvaWvbn-a=_Njz2QrMA6F3X0rdJuL=Pqy0sd6JT2amwo7qE3g@mail.gmail.com>
To: Axel Nennker <ignisvulpis@gmail.com>
Cc: Wan-Teh Chang <wtc@google.com>, Michael.Jones@microsoft.com, Axel.Nennker@telekom.de, public-webcrypto@w3.org
I don't think it's a fair contrast. Historically, KDFs have generally been
about the combination of low-level primitives in "acceptable" forms, rather
than being considered a low-level primitive themselves. That is, they are,
at best, high-level syntactic sugar.

The blessing by NIST (finally!) actually provides incentive and benefit for
cryptographic libraries, particularly those concerned with FIPS
140-2/defined security boundaries, to treat the KDFs as low-level
primitives. The ones most likely to be implemented are thus the ones
recommended by NIST (since NIST cares about such things), and so the best
hope for *future* implementations (which will eventually exist) is to use
HKDF/Concat.

If you're talking about "how easy is it for an application developer to
implement", PBKDF2/HKDF/Concat are more or less the same. But they have
different security properties, and like Mike said, the latter algorithms
make more sense (albiet with the need to address the various oddities with
how JOSE currently incorrectly uses Concat)

On Wed, Oct 31, 2012 at 2:15 PM, Axel Nennker <ignisvulpis@gmail.com> wrote:

> I think we need a table with the same platform as in Mike's table that
> started this discussion with KDFs that actually have implementations.
> Specification in RFCs or blessing by NIST does not count. Implementations
> rule.
>
>  Usage Param Name Param Val Description .NET Windows native OS X iOS Java
> JCA BouncyCastle Android PHP PHPSecLib Python M2Crypto PyCrypto Ruby
> OpenSSL node.js NSS
>            JWE kdf CS256 Concat Key Derivation Function (KDF) NO Win7
> NO NO NO NO NO NO NO NO   NO NO NO  JWE kdf CS384 Concat Key Derivation
> Function (KDF) NO Win7     NO NO NO NO NO NO NO NO   NO NO NO  JWE kdf
> CS512 Concat Key Derivation Function (KDF) NO Win7     NO NO NO NO NO NO
> NO NO   NO NO NO
>
> Axel
>
>
> 2012/10/31 Wan-Teh Chang <wtc@google.com>
>
>> On Mon, Oct 29, 2012 at 4:23 PM, Ryan Sleevi <sleevi@google.com> wrote:
>> >
>> > However, as an NSS developer, I do not see your presented argument as a
>> > reason not to use Concat-KDF, and Concat-KDF would be more preferable,
>> as a
>> > NIST-blessed KDF, since NSS cares especially for NIST-blessed
>> algorithms.
>>
>> I think HKDF (hash-based key derivation function) is also worth
>> considering.
>> It is specified in RFC 5869 and is also blessed by NIST in SP 800-56C.
>>
>> Wan-Teh
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>
>
Received on Wednesday, 31 October 2012 21:25:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 31 October 2012 21:25:34 GMT