Re: What happended to SecretAgreee? from Ryan Sleevi on 2014-02-27 (public-webcrypto@w3.org from February 2014)

From: Ryan Sleevi <sleevi@google.com>
Date: Thu, 27 Feb 2014 14:07:01 -0800
To: Jim Schaad <ietf@augustcellars.com>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <CACvaWvagUJTSy9TxYX4bM+esZne+rw0REN=_CzxcbXEqT8+XJA@mail.gmail.com>
On Thu, Feb 27, 2014 at 1:14 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> I do not believe that one can ever go directly from the ZZ value to  a
> symmetric key for AES-CBC.  This is just really bad security behavior for
> any number of reasons.  However this seems to be what is being proposed on
> some level by the current discussion.
>

Ok, let's unpack what you said here. One certainly can. Your argument is
whether you SHOULD. That's entirely different discussion.


>
> This means that no, I do not believe that DH is ever a key derivation
> algorithm under any circumstances.   It is a method com computing a shared
> secret.  From that shared secret one can then apply a key derivation
> algorithm (identity is not one) to get a key for some other purpose.  There
> is no reason to believe that any sub-portion of ZZ is not biased.  That is
> the reason for doing the PRF on it.


> The entire concept of doing a deriveBits direction from the algorithm DH
> therefore makes absolutely no sense to me.  There is no KDF function that
> is being applied to ZZ to get the bits you want as output.
>

It's quite simple (and has been made clear since the very first time we
talked about DH). How "ZZ" is used can vary depending on what protocol
you're using - some use it with protocol-specific KDFs.

Or you're polyfilling your own KDF that requires ZZ.


>
> I would also expect that in terms of extractability, if the private key is
> marked as not extractable, then ZZ and any portion of ZZ is also marked as
> being not extractible.  This would be passed on to the KDF function.  It
> would also mean that deriveBits could never work on such a function since
> it would export part of the computed shared secret.
>
> The reason that I put the "and maybe a new key derivation algorithm" in
> parentheticals is because I am not sure that I believe that it needs to be
> supported t the current time by the WebCrypto specification.  This is not
> uncommon practice that one generates a Master Secret key from a shared
> secret, and then uses that key value to generate other shared secret keys
> that are used for specific purposes.  One example would be to have a
> different MAC key for I send to you from you send to me.
>
>
If you don't want to allow that, don't support the deriveBits operation. I
don't see where the angst is.

On a technical level, there are use cases for it. On a technical level, the
API supports it.

It seems your entire argument is that you don't like it? I'm not trying to
be dismissive, I'm trying to make a clear distinction between "can" and
"should", so that we can make sure the "can" is correct BEFORE discussing
the "should".



>
>
>
> From: Ryan Sleevi [mailto:sleevi@google.com]
> Sent: Thursday, February 27, 2014 12:26 PM
> To: Jim Schaad
> Cc: public-webcrypto@w3.org
> Subject: Re: What happended to SecretAgreee?
>
> Yes, Key agreement algorithms (which DH Phase 2 is - agreement of the
> secret Z based on the exchanged parameters) is treated as a key derivation
> algorithm.
>
> Can you provide any examples of algorithms or parameters you do not
> believe fits into the deriveKey mechanism?
>
> I wasn't sure if your "and maybe a new key derivation algorithm" indicated
> a degree of uncertainty. If so, yes, that is exactly the workflow - for
> example, if you wanted to feed Z into HDKF to extract/expand.
>
> On Thu, Feb 27, 2014 at 12:21 PM, Jim Schaad <ietf@augustcellars.com>
> wrote:
> No, that is not true.
>
> secretAgreement when from a key agree algorithm to a key derivation
> algorithm
>
> deriveBits and deriveKey go from a key derivation algoritm to  either a
> byte array or a symmetric keying algorithm (or maybe a new key derivation
> algorithm)
>
> jim
>
>
> From: Ryan Sleevi [mailto:sleevi@google.com]
> Sent: Thursday, February 27, 2014 12:05 PM
> To: Jim Schaad
> Cc: public-webcrypto@w3.org
> Subject: Re: What happended to SecretAgreee?
>
> The names were changed, but the behaviours the same.
>
> deriveBits and deriveKey.
>
> On Thu, Feb 27, 2014 at 12:00 PM, Jim Schaad <ietf@augustcellars.com>
> wrote:
> At one point, I thought there was an agreement to add a new function to
> the SubtleCrypto interface called secretAgreement.  This never happened.
>
> Was there a decision that I missed where this either was either not
> actually decided or was reversed?
>
> Jim
>
>
>
>
>
Received on Thursday, 27 February 2014 22:07:29 UTC