[Openid-specs-ab] Changes to the JOSE use of the Concat KDF to add additional inputs

Edmund Jay ejay at mgi1.com
Wed Aug 29 20:07:12 UTC 2012


Mike,

I have the same results as you.


-- Edmund




________________________________
From: Mike Jones <Michael.Jones at microsoft.com>
To: "Axel.Nennker at telekom.de" <Axel.Nennker at telekom.de>; "ejay at mgi1.com" 
<ejay at mgi1.com>; "emmanuel at raviart.com" <emmanuel at raviart.com>; 
"bcampbell at pingidentity.com" <bcampbell at pingidentity.com>
Cc: "openid-connect-interop at googlegroups.com" 
<openid-connect-interop at googlegroups.com>; "openid-specs-ab at lists.openid.net" 
<openid-specs-ab at lists.openid.net>
Sent: Wed, August 29, 2012 12:40:37 PM
Subject: RE: Changes to the JOSE use of the Concat KDF to add additional inputs

Thanks for looking at this, Axel.  As you surmised, the output length in bits is 
a 32-bit big-endian integer.  The hash input values, including the OtherInfo 
values, were actually already in the log file.  I've annotated the hash input 
values below, so that hopefully the process will be totally clear.

                Thanks again,
                -- Mike

Hash input when using CMK1 to generate CEK:
[0, 0, 0, 1, -- Round 1
4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 206,
107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44, 207, -- 256 
bit CMK
0, 0, 0, 128, -- 128 bit CEK being generated
65, 49, 50, 56, 67, 66, 67, 43, 72, 83, 50, 53, 54, -- "A128CBC+HS256"
69, 110, 99, 114, 121, 112, 116, 105, 111, 110] -- "Encryption"

Hash input when using CMK1 to generate CIK:
[0, 0, 0, 1, -- Round 1
4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 206,
107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44, 207, -- 256 
bit CMK
0, 0, 1, 0, -- 256 bit CIK being generated
65, 49, 50, 56, 67, 66, 67, 43, 72, 83, 50, 53, 54, -- "A128CBC+HS256"
73, 110, 116, 101, 103, 114, 105, 116, 121] -- "Integrity"

Hash input when using CMK2 to generate CEK:
[0, 0, 0, 1, -- Round 1
148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, 61, 34, 239, 226,
109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, 176, 68, 119, 13, 34,
49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, 138, 67, 23, 153, 83,
81, 234, 82, 247, 48, 211, 41, 130, 35, 124, 45, 156, 249, 7, 225, 168, -- 512 
bit CMK
0, 0, 1, 0, -- 256 bit CEK being generated
65, 50, 53, 54, 67, 66, 67, 43, 72, 83, 53, 49, 50, -- "A256CBC+HS512"
69, 110, 99, 114, 121, 112, 116, 105, 111, 110] -- "Encryption"

Hash input when using CMK2 to generate CIK:
[0, 0, 0, 1, -- Round 1
148, 116, 199, 126, 2, 117, 233, 76, 150, 149, 89, 193, 61, 34, 239, 226,
109, 71, 59, 160, 192, 140, 150, 235, 106, 204, 49, 176, 68, 119, 13, 34,
49, 19, 41, 69, 5, 20, 252, 145, 104, 129, 137, 138, 67, 23, 153, 83,
81, 234, 82, 247, 48, 211, 41, 130, 35, 124, 45, 156, 249, 7, 225, 168, -- 512 
bit CMK
0, 0, 2, 0, -- 512 bit CIK being generated
65, 50, 53, 54, 67, 66, 67, 43, 72, 83, 53, 49, 50, -- "A256CBC+HS512"
73, 110, 116, 101, 103, 114, 105, 116, 121] -- "Integrity"

-----Original Message-----
From: Axel.Nennker at telekom.de [mailto:Axel.Nennker at telekom.de] 
Sent: Wednesday, August 29, 2012 7:49 AM
To: Mike Jones; ejay at mgi1.com; emmanuel at raviart.com; bcampbell at pingidentity.com
Cc: openid-connect-interop at googlegroups.com; openid-specs-ab at lists.openid.net
Subject: RE: Changes to the JOSE use of the Concat KDF to add additional inputs

How many bytes does the field output length in bits have?

Currently we have otherInfo being the ASCII label ("Encryption" or "Integrity") 
bytes.

What is the new otherInfo?

Could you please put this byte arrays into the log file too?

I tried with
[0, 0, 1, 0, 65, 49, 50, 56, 67, 66, 67, 43, 72, 83, 50, 53, 54, 69, 110, 99, 
114, 121, 112, 116, 105, 111, 110] This is four bytes for the keylength in bits 
(256), followed by the bytes for "A128CBC+HS256", followed by 
"Encryption"-bytes.
This does not produce CEK1 but:
[91, 54, 29, -109, 90, 39, 66, -120, 117, -91, -128, -60, 9, -117, -97, -119, 
-18, 55, 113, -31, -102, 70, 33, 9, 107, 117, -3, -6, -22, -23, 17, -22]

I tried with a two byte keylength in bits too. No success.

Axel



public void testConcatKdf256OtherInfo201208_A128CBC_HS256() throws Exception {
    Digest kdfDigest = new SHA256Digest();
    byte[] zBytes = { 4, (byte) 211, 31, (byte) 197, 84, (byte) 157, (byte) 252, 
(byte) 254, 11, 100, (byte) 157,
        (byte) 250, 63, (byte) 170, 106, (byte) 206, 107, 124, (byte) 212, 45, 
111, 107, 9, (byte) 219, (byte) 200,
        (byte) 177, 0, (byte) 240, (byte) 143, (byte) 156, 44, (byte) 207 };
    int keylength = 32;
    int outputLengthInBits = keylength * 8;
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    baos.write((byte)(outputLengthInBits >> 24));
    baos.write((byte)(outputLengthInBits >> 16));
    baos.write((byte)(outputLengthInBits >> 8));
    baos.write((byte)outputLengthInBits);
//    baos.write(outputLengthInBits);
    String encStr = "A128CBC+HS256";
    baos.write(encStr.getBytes());
    final byte[] encryption = { 69, 110, 99, 114, 121, 112, 116, 105, 111, 110 
};
    baos.write(encryption);
    byte[] otherInfo = baos.toByteArray();
    KDFConcatGenerator kdfConcatGenerator = new KDFConcatGenerator(kdfDigest, 
otherInfo);
    kdfConcatGenerator.init(new KDFParameters(zBytes, null));
    byte[] out = new byte[keylength];
    kdfConcatGenerator.generateBytes(out, 0, out.length);
    byte[] CEK1 = { 37, (byte)245, (byte)125, (byte)247, (byte)113, (byte)155, 
(byte)238, (byte)98, (byte)228, (byte)206, (byte)62, (byte)65, (byte)81, 
(byte)153, (byte)79, (byte)91 };
    String expectedB64 = Base64.encodeBytesNoBreaks(CEK1);
    assertEquals(expectedB64, Base64.encodeBytesNoBreaks(out));

  }

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: Mike Jones [mailto:Michael.Jones at microsoft.com]
Sent: Wednesday, August 29, 2012 2:52 AM
To: Edmund Jay; Emmanuel Raviart; Brian Campbell; Nennker, Axel
Cc: openid-connect-interop at googlegroups.com; openid-specs-ab at lists.openid.net
Subject: Changes to the JOSE use of the Concat KDF to add additional inputs

Updated sample Concat KDF inputs and outputs are attached.  Previously the 
Concat inputs for each hash round were:
. Round number
. Content Master Key
. ASCII label ("Encryption" or "Integrity")

Now the hash inputs for each hash round are:
. Round number
. Content Master Key
. Output length in bits
. ASCII "enc" parameter value
. ASCII label ("Encryption" or "Integrity")

Note that the former "enc", "int", and "kdf" parameters are being combined into 
a single composite "enc" parameter.  The defined values for it will be 
"A128CBC+HS256", "A256CBC+HS512", "A128GCM", and "A256GCM" (no change for the 
latter two).  There's one example each for the first two composite algorithms.

Also note that the HMAC SHA-512 hash function is used in second case.  
(Previously, HMAC SHA-256 was always used.)

Let me know if any of this is unclear, or if you want to provide other feedback, 
please let me know.  I'll be producing encryption examples using these values 
next.

It would be *great* if one or more of you could verify that you can reproduce 
these results.

                                                            Thanks again,
                                                            -- Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120829/2ff63cdb/attachment.html>


More information about the Openid-specs-ab mailing list