w3c / webpayments-crypto

Crypto discussions of the Web Payments Working Group
https://github.com/w3c/webpayments-crypto/wiki

Required or recommended encryption algorithms #2

Open stpeter opened 6 years ago

stpeter commented 6 years ago

The encryption proposal does not specify which JOSE encryption algorithms are required or recommended. A list of algorithms can be found at https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms ...

adrianhopebailie commented 6 years ago

The many known-to-be-weak-or-compromised algos that are allowed are commonly cited as a weakness of JWT. I suggest we define a limited profile of algorithms that are allowed in our use case.

This is explicitly allowed by RFC 7519 in the steps for validating a JWT:

  1. Verify that the resulting JOSE Header includes only parameters and values whose syntax and semantics are both understood and supported or that are specified as being ignored when not understood.

msporny commented 6 years ago

The way we've done this in the Verifiable Claims WG is to define cryptography suites for Linked Data Signatures/Proofs to make it easier on developers. So, a developer would pick something like "RsaSignature2018" or "RsaXYZEncryption2018" and the spec for the crypto suite would specify a number of parameters to use in the JWS. Example for a signature (which also applies to encryption) here: https://w3c.github.io/vc-data-model/#proofs-aka-signatures

More on crypto suites here:

https://w3c-dvcg.github.io/ld-signatures/#signature-suites

stpeter commented 6 years ago

Given that the proposal uses JWE, it seems best to use the "recommended+" algorithms from Section 4.1 of RFC 7518, such as RSA-OAEP for encryption of the Content Encryption Key (CEK) and ECDH-ES for encryption of the content itself.

adrianhopebailie commented 6 years ago

The sample from @MasterKeyur in https://github.com/w3c/webpayments-crypto/blob/master/payment-encryption.md uses RSA-OAEP for key exchange and AES-GCM for the content encryption.

+1 to these as the initial set of supported algorithms in our JWE profile.

MasterKeyur commented 6 years ago

I appreciate the feedback. The idea was for this to be a starting point for the payment request encryption spec. +1 to limited algorithms that are reviewed by security specialists as well as performant.

Also, I did not use signatures specifically because we would need a separate key pair for it.

I did not use ECDH-ES for content encryption as it does not generate a MAC. For key pair generation we can look at ECDH.
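
The restricted JWE profile discussed in this thread (RSA-OAEP for the CEK, AES-GCM for the content, and rejection of header parameters that are not understood) can be enforced before any decryption is attempted. The following is an added example, not code from the thread or the repository; the accepted header parameter list and the names `checkJweProfile` and `sampleJwe` are assumptions made for illustration.

```javascript
// Added example: allowlist check on the protected header of a compact JWE.
// ALLOWED_PARAMS is an assumption; the thread only names the algorithms.
const ALLOWED_ALG = new Set(["RSA-OAEP"]);                      // CEK encryption, per the thread
const ALLOWED_ENC = new Set(["A128GCM", "A192GCM", "A256GCM"]); // AES-GCM "enc" values (RFC 7518)
const ALLOWED_PARAMS = new Set(["alg", "enc", "kid", "typ", "cty"]);
const B64URL = /^[A-Za-z0-9_-]+$/;

function checkJweProfile(compactJwe) {
  const fail = (reason) => ({ ok: false, reason });
  if (typeof compactJwe !== "string") return fail("not a string");
  const parts = compactJwe.split(".");
  // Compact JWE: header.encryptedKey.iv.ciphertext.tag (all non-empty with RSA-OAEP)
  if (parts.length !== 5) return fail("not a five-part compact JWE");
  if (!parts.every((p) => B64URL.test(p))) return fail("empty or non-base64url segment");

  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  } catch {
    return fail("header is not valid JSON");
  }
  if (header === null || typeof header !== "object" || Array.isArray(header)) {
    return fail("header is not a JSON object");
  }
  // Reject parameters that are not understood instead of silently ignoring them.
  for (const name of Object.keys(header)) {
    if (!ALLOWED_PARAMS.has(name)) return fail(`unsupported header parameter: ${name}`);
  }
  if (!ALLOWED_ALG.has(header.alg)) return fail(`alg not in profile: ${String(header.alg)}`);
  if (!ALLOWED_ENC.has(header.enc)) return fail(`enc not in profile: ${String(header.enc)}`);
  return { ok: true, alg: header.alg, enc: header.enc };
}

// Constructed sample input: a JWE-shaped string with dummy key, IV, ciphertext and tag.
function sampleJwe(header) {
  const h = Buffer.from(JSON.stringify(header)).toString("base64url");
  return [h, "a2V5", "aXY", "Y3Q", "dGFn"].join(".");
}

console.log(checkJweProfile(sampleJwe({ alg: "RSA-OAEP", enc: "A256GCM" })));
console.log(checkJweProfile(sampleJwe({ alg: "RSA1_5", enc: "A256GCM" })));
```

The check only gates which headers reach the decryption step; the JOSE library in use should also be configured with the same algorithm allowlist.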