W3C

XML Security Working Group Teleconference

08 Nov 2011

Agenda

See also: IRC log

Attendees

Present
Frederick_Hirsch, Gerald_Edgar, Pratik_Datta, Scott_Cantor, Hal_Lockhart, Ed_Simon, Brian_LaMacchia
Regrets
Chair
Frederick_Hirsch
Scribe
fjh

<trackbot> Date: 08 November 2011

ISSUE: CBC attack on XML Encryption, http://www.nds.rub.de/research/publications/breaking-xml-encryption/

<trackbot> Created ISSUE-230 - CBC attack on XML Encryption, http://www.nds.rub.de/research/publications/breaking-xml-encryption/ ; please complete additional details at http://www.w3.org/2008/xmlsec/track/issues/230/edit .

<scribe> ScribeNick: fjh

Administrative

added the 1.1 and 2.0 test case editors drafts to the XML Security WG publications wiki, see http://www.w3.org/2008/xmlsec/wiki/PublicationStatus#Publications

No call 22 November.

proposed RESOLUTION: Cancel teleconference on 15 November 2011.

RESOLUTION: Cancel teleconference on 15 November 2011

next call will be 29 November

Minutes Approval

Approve minutes, 18 October 2011

http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/att-0002/minutes-2011-10-18.html

RESOLUTION: Minutes from 18 October 2011 are approved.

CBC Attack

paper describing the CBC attack on XML Encryption is available at http://www.nds.rub.de/research/publications/breaking-xml-encryption/

blog post, http://www.w3.org/QA/2011/10/some_notes_on_the_recent_xml_e.html

Potential means to mitigate attack, http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0000.html

Make GCM mandatory in 1.1? proposal: http://lists.w3.org/Archives/Member/member-xmlsec/2011Oct/0000.html

ACTION-850?

<trackbot> ACTION-850 -- Hal Lockhart to review XML Encryption 1.1 security considerations and propose changes in light of today's discussion -- due 2011-10-25 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/850

fjh: any reason not to make GCM mandatory?

hal: lack of implementation

brich: open source bouncy castle might include it
... got feedback that it would be improper to use in streaming mode, need to verify tag before returning any cleartext data
... could impact large xml document - need to buffer clear text until end

hal: what if you only want encryption property
... what is the actual security use case

scantor: difference between returning data while computing integrity versus waiting to return it until end

hal: dangerous if application starts using data before integrity is clear
... if we make GCM mandatory also need something else to allow streaming

bal: gcm for all plaintext not sections
... can expect gcm first, then streaming will be an issue

fjh: so we can use gcm for small items, then have issue for streaming of large message
... need to make AES-GCM mandatory then have another alg for streaming

scantor: AES-GCM is not in the mainline openssl now, might be in future release
... might need to discuss with vendors adding AES-GCM reports to existing implementations before making mandatory

<scribe> ACTION: fjh to talk with thomas about encouraging implementation support for AES-GCM in existing algorithms [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action01]

<trackbot> Created ACTION-854 - Talk with thomas about encouraging implementation support for AES-GCM in existing algorithms [on Frederick Hirsch - due 2011-11-15].

<brich> +1 for GCM as MTI in Enc1.1

fjh: what should we do here with regard to making GCM mandatory
... what is situation for WS*

bal: spoke at conference when presentation of attack was made, giving update on WG effort, and noting changes
... could have made GCM mandatory months ago

fjh: we decided not to do so due to implementation concerns

scantor: not all implementations are worried about compliance
... have other mitigations in mind, not critical issue for SAML

fjh: is there any objection to making AES-GCM mandatory in 1.1

bal: not an interop problem; if CBC no longer mandatory that would be an issue

fjh: need warning about CBC in spec, even if mandatory

scantor: bigger concern is streaming, especially for 2.0

<Hal> + 1 for GCM MTI

RESOLUTION: change XML Encryption 1.1 to make AES-GCM mandatory to implement, add note regarding risk with CBC

bal also +1 GCM MTI

<scribe> ACTION: fjh to update XML Encryption 1.1 draft for AES-GCM mandatory to implement [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action02]

<trackbot> Created ACTION-855 - Update XML Encryption 1.1 draft for AES-GCM mandatory to implement [on Frederick Hirsch - due 2011-11-15].

fjh: need to be considering algorithm agility going forward

hal: e.g. we might find another channel besides errors and timing

fjh: hal, you can incorporate material from pdatta message on countermeasures as well
... can anyone help with streaming encryption algorithm?

<pdatta> preventing reuse of content encryption key

<Ed_Simon> * Ed_Simon: signing off

<scantor> many stds use per-message keys, and already include the need for replay/nonce checks, so enforcing that per-key is a small addition

hal: when streaming something like a movie, don't care about integrity, more about encryption, so this seems to be a new requirement

brich: sign then encrypt
... cbc attack still works here

<scribe> ACTION: bal to discuss with magnus possible encryption algorithms suitable for streaming [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action03]

<trackbot> Created ACTION-856 - Discuss with magnus possible encryption algorithms suitable for streaming [on Brian LaMacchia - due 2011-11-15].

pdatta: implementation needs to know it is streaming, could use GCM but choose to process without waiting until end

http://en.wikipedia.org/wiki/Galois/Counter_Mode

<scribe> ACTION: pdatta to ask regarding risk of use of GCM without checking tag during processing [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action04]

<trackbot> Created ACTION-857 - Ask regarding risk of use of GCM without checking tag during processing [on Pratik Datta - due 2011-11-15].

XML Encryption 1.1 test cases and interop

http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0018.html

Please review and provide feedback on these test cases

<pdatta> would like other vendors to actually run their implementations on these test cases

XML Security 2.0

fjh: question about moving algorithms out of 2.0 for agility purposes, but might make it more confusing

pdatta: but this is signature not encryption

hal: typically don't add mandatory algorithm, but change algorithm in spec from optional to mandatory

fjh: so don't think we need to pull document apart for this, could be more work and more confusing than needed

pdatta: 2.0 is waiting for implementations

Action review

ACTION-238?

<trackbot> ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list. -- due 2011-09-30 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/238

ACTION-717?

<trackbot> ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/717

ACTION-840?

<trackbot> ACTION-840 -- Pratik Datta to update XML Signature 1.1 and 2.0 with change in http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0006.html -- due 2011-10-11 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/840

ACTION-840: done

<trackbot> ACTION-840 Update XML Signature 1.1 and 2.0 with change in http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0006.html notes added

close ACTION-840

<trackbot> ACTION-840 Update XML Signature 1.1 and 2.0 with change in http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0006.html closed

ACTION-841?

<trackbot> ACTION-841 -- Pratik Datta to add link to canonical XML 2.0 samples into the spec -- due 2011-10-11 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/841

ACTION-847?

<trackbot> ACTION-847 -- Pratik Datta to propose update to 2.0 algorithm requirements to encourage authenticating mode -- due 2011-10-18 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/847

ACTION-848?

<trackbot> ACTION-848 -- Bruce Rich to contact OASIS ebXML community regarding large data issue and GCM -- due 2011-10-25 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/848

ACTION-850?

<trackbot> ACTION-850 -- Hal Lockhart to review XML Encryption 1.1 security considerations and propose changes in light of today's discussion -- due 2011-10-25 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/850

ACTION-851?

<trackbot> ACTION-851 -- Pratik Datta to propose text regarding KeyLength and PBKDF2, assuming we do not change the schema -- due 2011-10-25 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/851

ACTION-853?

<trackbot> ACTION-853 -- Frederick Hirsch to add new security issue later this week -- due 2011-10-25 -- OPEN

<trackbot> http://www.w3.org/2008/xmlsec/track/actions/853

close ACTION-853

<trackbot> ACTION-853 Add new security issue later this week closed

ISSUE-230?

<trackbot> ISSUE-230 -- CBC attack on XML Encryption, http://www.nds.rub.de/research/publications/breaking-xml-encryption/ -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/230

Issues

ISSUE-229?

<trackbot> ISSUE-229 -- Mask generation function for RSA-OAEP as defined in 5.5.2 of XML Encryption 1.1 appears to be limited to MGF1 with SHA1 -- open

<trackbot> http://www.w3.org/2008/xmlsec/track/issues/229

fjh: believe we have dealt with this one, will double check

other issues remain relevant

Other Business

none

Adjourn

Summary of Action Items

[NEW] ACTION: bal to discuss with magnus possible encryption algorithms suitable for streaming [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action03]
[NEW] ACTION: fjh to talk with thomas about encouraging implementation support for AES-GCM in existing algorithms [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action01]
[NEW] ACTION: fjh to update XML Encryption 1.1 draft for AES-GCM mandatory to implement [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action02]
[NEW] ACTION: pdatta to ask regarding risk of use of GCM without checking tag during processing [recorded in http://www.w3.org/2011/11/08-xmlsec-minutes.html#action04]
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2009-03-02 03:52:20 $