W3C home > Mailing lists > Public > public-webcrypto@w3.org > March 2014

Re: Propigation of non exportability in DH

From: Ryan Sleevi <sleevi@google.com>
Date: Sat, 1 Mar 2014 13:27:00 -0800
Message-ID: <CACvaWvZk62NXRG9-cyqKj_9V0EEX+24ASxR7tPpLLOSjkYTRSw@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: public-webcrypto@w3.org
-1
On Mar 1, 2014 1:10 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:

> Since Ryan and I have not been able to come to agreement on the topic of
> how to do secret agreement and key/bits derivation in the API, I thought
> that I would toss in a new topic that we can probably fail to come to
> agreement on as well.
>
>
>
> What are the requirements of propagation of non-exportability on the
> deriveKey, deriveBits functions?
>
>
>
> If I assume that I start with a JWK encrypted by an RSA key that is tagged
> as non-exportable. I can get from a non-exportable RSA key to a
> non-exportable AES key in one step without any requirements on the function
> implementations that the non-exportability bit be propagated from the RSA
> key to the AES key.  One might wish to do this if one wishes to support the
> same functionality for a raw AES key wrapped in RSA however.  This may or
> may not be sufficient for the Netflix use case.
>
>
>
> There is a problem however if I want to do the same thing using a DH key
> that is tagged as non-exportable.  Specifically if the non-exportability is
> not propagated forward into the shared secret and then into the key
> agreement key, there is nothing to stop the final AES key (wrapped in JWK
> and tagged as non-exportable) from being unwrapped by the application using
> one of the two intermediate values and performing its own decryption of the
> JWK object.
>
>
>
> Therefore I would like to see non-exportability be propagated forward by
> the secretAgreemnt and KDF functionality   The same issues will exist for
> the ECDH and RSA-KEM functionality.
>
>
>
> The flip side of the argument is that this would basically totally destroy
> the usability of the deriveBits function if one starts from a
> non-exportable key.  It might be possible to loosen the requirements on,
> for example, the second KDF function that was created.  However, since it
> would be impossible to prevent the first KDF function to not generate the
> key from the deriveBits function, I don’t know how one goes about
> protecting this except to be extremely draconian.
>
>
>
> One argument in my favor would be how TLS approaches the problem.  They do
> keep the pre-master-secret a secret, as is the master-secret.  If one
> wishes to get bits (such as channel binding data) this is all derived from
> the master-secret not the pre-master-secret.  Thus the ability to do a
> deriveBits is two steps removed from the ZZ value.
>
>
>
> Jim
>
>
>
Received on Saturday, 1 March 2014 21:27:27 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:21 UTC