- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 22 Jun 2016 13:47:41 +1000
- To: Magnus Westerlund <magnus.westerlund@ericsson.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Thanks Magnus, I've created a PR that I hope addresses your comments: https://github.com/httpwg/http-extensions/pull/202 More detail inline. On 22 June 2016 at 00:41, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote: > 1. Section 2: > The record size defaults to 4096 octets, but > can be changed using the "rs" parameter on the Encryption header > field. > > I think this default value is quite small. If one want to do random access > the record boundaries becomes a question of the need for random access into > the resource and the need for streaming data that can be released from the > decryption and integrity verification at record boundaries. I think the text > could be more clear on the motivation and trade-offs here. > > I also think there need to be discussion of the case where a single record > with actual data is all that is needed. Yes, the discussion on the trade-off needs to be had. I added a couple of paragraphs on it. Obviously, there are lots of tradeoffs here. > > 2. Section 2: > > > +------+ input of between rs-65537 > | data | and rs-2 octets > +------+ (one fewer for the last record) > | > > First I interpreted this figure part as a limitation in RS sizes. I didn't > graso that it was RS minus number of padding bytes (2-65537) of data in this > particular record that was the intention. I think it could benefit from a > clarification of that it is "rs minus padding size (2-65537) number of > bytes". I've taken your input and tweaked the diagram and ensuing text in light of that. I think that it's clearer now. Let me know if you think it could be improved further. > > 3. Section 2: > > A sequence of full-sized records can be truncated to produce a > shorter sequence of records with valid authentication tags. To > prevent an attacker from truncating a stream, an encoder MUST append > a record that contains only padding and is smaller than the full > record size if the final record ends on a record boundary. A > receiver MUST treat the stream as failed due to truncation if the > final record is the full record size. > > This is clear on truncation at the end of the resource. However, it fails to > describe how one detect and handle reordering or truncation from front. To > my understanding it is the nonce derivation and the need for correctly > knowing the sequence number of a record that prevents that attack. So that > failure in decrypting and verifying a record may depend on reordering or > truncation from front. Then that it may also depend on data corruption or > other reasons is another matter. I have added a comment explaining that the nonce construction prevents removal and reordering of records. Not sure if that is what you were looking for. > 4. Section 3.1: > > rs: The "rs" parameter contains a positive decimal integer that > describes the record size in octets. This value MUST be greater > than 1. If the "rs" parameter is absent, the record size defaults > to 4096 octets. > > This specifies no upper limit for the value of RS. Can I use a value larger > than a 32-bit integer? I see there is a point of providing the implementors > a guidance on what values may occur here. It is also clearly dependent on > the algorithms security properties, which may introduce limitations. To my > knowledge the limit for AES-GCM is 2^39-256 bytes to maintain the security > properties. Ahh yes, a good point. I will add a note on limits. Note that RFC 5116 says 2^36-31 per record. The IND-CPA limits are block-based, which makes this harder, but I now have a citation that I can use. > 5. Section 3.2: > > Several of the abbreviations such as PRK and CEK are not explained. > > > 6. Section 3.2: > > CEK = HMAC-SHA-256(PRK, cek_info || 0x01) > > What is the 0x01 concatenated to the cek_info before the hashing? I would > guess some sequence number for avoiding key reuse, but it is not clear that > it is needed due to different inputs in the first and second step. This is a reduction of what HKDF does. The complete HKDF is: T(0) = empty string (zero length) T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) T = T(1) | T(2) | T(3) | ... | T(N) OKM = first L octets of T I've just included what this reduces to. > 7. Section 4 and 4.1: > > aesgcm: The "aesgcm" parameter contains the base64url-encoded octets > [RFC7515] of the input keying material. > > I don't understand why this parameter is called "aesgcm". To me the only > requirements on the IKM is that is is at least 16 bytes and have been > bas64URL encoded when put into the header. So what is the relation to > AESGCM? This just marks the IKM as being used for this content-encoding scheme. That way, there's less chance that the key is used for some other purpose. Of course, with the info parameter on key expansion, it's not strictly necessary, but I didn't think that a new name would be that much of an improvement (I guess we could call it "ikm", but it's not much clearer then). > 8. Section 5.3: > > Section 3 says: > > Encryption header field values with multiple instances of the same > parameter name are invalid. > > The example in 5.3 is: > > PUT /thing HTTP/1.1 > Host: storage.example.com > Content-Type: application/http > Content-Encoding: aesgcm, aesgcm > Content-Length: 1235 > Encryption: keyid="mailto:me@example.com"; > salt="NfzOeuV5USPRA-n_9s1Lag", > keyid="http://example.org/bob/keys/123"; > salt="bDMSGoc2uobK_IhavSHsHA"; rs=1200 > > Isn't this example violating the rules in Section 3 for the Encryption > header? You will observe that there are two "values" here, separate by the comma. Parameters are separated by the semi-colon. Happy to take suggestions on how to make this clearer, HTTP header fields are sometimes confusing. > 9. Section 5.4 and 2: > > I find nothing in Section 2 that indicates that there are requirement of > supporting a mode of a single record of encryption. My reading indicates > that the minimal usage is possibly first a single record followed by a > padded stop record. It is also not clear that the "rs" parameter is > optional. The minimal usage is a single record, with rs=<longer than the input + padding>. The doc has: "If the "rs" parameter is absent, the record size defaults to 4096 octets." Added "The "rs" parameter is optional." to this. Is that enough? > 10. Section 3: > > The Encryption header MAY be omitted if the sender does not intend > for the immediate recipient to be able to decrypt the payload body. > Alternatively, the Encryption header field MAY be omitted if the > sender intends for the recipient to acquire the header field by other > means. > > I wonder about this. If the Encryption header is omitted how is the > receiving agent knowing how to later match the resource with the correct > key-management data. URI and etag? I mean if one include the key-id for the > received resource then one know that one has the right key in relation to > the resource version one have stored. It might even be the case that a later > version of the resource is protected using the same key but with a different > salt. What motivated this was the out-of-band encoding, where the Encryption header field is sent separately. However, over time, I think that we've concluded that the content-encoding is signaled at the same place as the Encryption header field (see below). I think that we can remove this paragraph. Originally: 200 OK Content-Encoding: out-of-band { ... URLs and decryption keys ... } More recent thinking: 200 OK Content-Encoding: out-of-band, aesgcm Encryption: salt=..., rs=... { ... URLs ... }
Received on Wednesday, 22 June 2016 03:48:10 UTC