W3C home > Mailing lists > Public > public-webcrypto@w3.org > March 2014

Re: Propigation of non exportability in DH

From: Richard Barnes <rlb@ipv.sx>
Date: Sun, 2 Mar 2014 12:48:03 +0000
Message-ID: <CAL02cgR+UzmXvF82GzoXdsR8fjS4HMi5BvEO5KX-zVytkiqzeA@mail.gmail.com>
To: Ryan Sleevi <sleevi@google.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
I think I'm with Ryan on this.  KDFs are designed such that it's hard to go
from the derived product to the input key, so you're not violating the
non-extractability of the original key by creating an extractable key from
it.  And with the current API, the JS can specify that the derived key be
non-extractable anyway.

--Richard


On Sat, Mar 1, 2014 at 9:27 PM, Ryan Sleevi <sleevi@google.com> wrote:

> -1
> On Mar 1, 2014 1:10 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:
>
>> Since Ryan and I have not been able to come to agreement on the topic of
>> how to do secret agreement and key/bits derivation in the API, I thought
>> that I would toss in a new topic that we can probably fail to come to
>> agreement on as well.
>>
>>
>>
>> What are the requirements of propagation of non-exportability on the
>> deriveKey, deriveBits functions?
>>
>>
>>
>> If I assume that I start with a JWK encrypted by an RSA key that is
>> tagged as non-exportable. I can get from a non-exportable RSA key to a
>> non-exportable AES key in one step without any requirements on the function
>> implementations that the non-exportability bit be propagated from the RSA
>> key to the AES key.  One might wish to do this if one wishes to support the
>> same functionality for a raw AES key wrapped in RSA however.  This may or
>> may not be sufficient for the Netflix use case.
>>
>>
>>
>> There is a problem however if I want to do the same thing using a DH key
>> that is tagged as non-exportable.  Specifically if the non-exportability is
>> not propagated forward into the shared secret and then into the key
>> agreement key, there is nothing to stop the final AES key (wrapped in JWK
>> and tagged as non-exportable) from being unwrapped by the application using
>> one of the two intermediate values and performing its own decryption of the
>> JWK object.
>>
>>
>>
>> Therefore I would like to see non-exportability be propagated forward by
>> the secretAgreemnt and KDF functionality   The same issues will exist for
>> the ECDH and RSA-KEM functionality.
>>
>>
>>
>> The flip side of the argument is that this would basically totally
>> destroy the usability of the deriveBits function if one starts from a
>> non-exportable key.  It might be possible to loosen the requirements on,
>> for example, the second KDF function that was created.  However, since it
>> would be impossible to prevent the first KDF function to not generate the
>> key from the deriveBits function, I don't know how one goes about
>> protecting this except to be extremely draconian.
>>
>>
>>
>> One argument in my favor would be how TLS approaches the problem.  They
>> do keep the pre-master-secret a secret, as is the master-secret.  If one
>> wishes to get bits (such as channel binding data) this is all derived from
>> the master-secret not the pre-master-secret.  Thus the ability to do a
>> deriveBits is two steps removed from the ZZ value.
>>
>>
>>
>> Jim
>>
>>
>>
>
Received on Sunday, 2 March 2014 12:48:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:21 UTC