[Openid-specs-ab] Changes to the JOSE use of the Concat KDF to add additional inputs

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Wed Aug 29 14:49:23 UTC 2012


How many bytes does the field output length in bits have?

Currently we have otherInfo being the ASCII label ("Encryption" or "Integrity") bytes.

What is the new otherInfo?

Could you please put this byte arrays into the log file too?

I tried with
[0, 0, 1, 0, 65, 49, 50, 56, 67, 66, 67, 43, 72, 83, 50, 53, 54, 69, 110, 99, 114, 121, 112, 116, 105, 111, 110]
This is four bytes for the keylength in bits (256), followed by the bytes for "A128CBC+HS256", followed by "Encryption"-bytes.
This does not produce CEK1 but:
[91, 54, 29, -109, 90, 39, 66, -120, 117, -91, -128, -60, 9, -117, -97, -119, -18, 55, 113, -31, -102, 70, 33, 9, 107, 117, -3, -6, -22, -23, 17, -22]
 
I tried with a two byte keylength in bits too. No success.

Axel



public void testConcatKdf256OtherInfo201208_A128CBC_HS256() throws Exception {
    Digest kdfDigest = new SHA256Digest();
    byte[] zBytes = { 4, (byte) 211, 31, (byte) 197, 84, (byte) 157, (byte) 252, (byte) 254, 11, 100, (byte) 157,
        (byte) 250, 63, (byte) 170, 106, (byte) 206, 107, 124, (byte) 212, 45, 111, 107, 9, (byte) 219, (byte) 200,
        (byte) 177, 0, (byte) 240, (byte) 143, (byte) 156, 44, (byte) 207 };
    int keylength = 32;
    int outputLengthInBits = keylength * 8;
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    baos.write((byte)(outputLengthInBits >> 24));
    baos.write((byte)(outputLengthInBits >> 16));
    baos.write((byte)(outputLengthInBits >> 8));
    baos.write((byte)outputLengthInBits);
//    baos.write(outputLengthInBits);
    String encStr = "A128CBC+HS256";
    baos.write(encStr.getBytes());
    final byte[] encryption = { 69, 110, 99, 114, 121, 112, 116, 105, 111, 110 };
    baos.write(encryption);
    byte[] otherInfo = baos.toByteArray();
    KDFConcatGenerator kdfConcatGenerator = new KDFConcatGenerator(kdfDigest, otherInfo);
    kdfConcatGenerator.init(new KDFParameters(zBytes, null));
    byte[] out = new byte[keylength];
    kdfConcatGenerator.generateBytes(out, 0, out.length);
    byte[] CEK1 = { 37, (byte)245, (byte)125, (byte)247, (byte)113, (byte)155, (byte)238, (byte)98, (byte)228, (byte)206, (byte)62, (byte)65, (byte)81, (byte)153, (byte)79, (byte)91 };
    String expectedB64 = Base64.encodeBytesNoBreaks(CEK1);
    assertEquals(expectedB64, Base64.encodeBytesNoBreaks(out));

  }

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
From: Mike Jones [mailto:Michael.Jones at microsoft.com] 
Sent: Wednesday, August 29, 2012 2:52 AM
To: Edmund Jay; Emmanuel Raviart; Brian Campbell; Nennker, Axel
Cc: openid-connect-interop at googlegroups.com; openid-specs-ab at lists.openid.net
Subject: Changes to the JOSE use of the Concat KDF to add additional inputs

Updated sample Concat KDF inputs and outputs are attached.  Previously the Concat inputs for each hash round were:
. Round number
. Content Master Key
. ASCII label ("Encryption" or "Integrity")

Now the hash inputs for each hash round are:
. Round number
. Content Master Key
. Output length in bits
. ASCII "enc" parameter value
. ASCII label ("Encryption" or "Integrity")

Note that the former "enc", "int", and "kdf" parameters are being combined into a single composite "enc" parameter.  The defined values for it will be "A128CBC+HS256", "A256CBC+HS512", "A128GCM", and "A256GCM" (no change for the latter two).  There's one example each for the first two composite algorithms.

Also note that the HMAC SHA-512 hash function is used in second case.  (Previously, HMAC SHA-256 was always used.)

Let me know if any of this is unclear, or if you want to provide other feedback, please let me know.  I'll be producing encryption examples using these values next.

It would be *great* if one or more of you could verify that you can reproduce these results.

                                                            Thanks again,
                                                            -- Mike



More information about the Openid-specs-ab mailing list